There is a very detailed Day One book, Securing the Routing Engine on M, MX, and T Series:
http://www.juniper.net/us/en/community/junos/training-certification/day-one/fundamentals-series/securing-routing-engine/

Nitzan

On Tue, Jan 14, 2014 at 8:07 PM, joel jaeggli <joe...@bogus.com> wrote:
> On 1/13/14, 8:10 PM, Mark Tees wrote:
> > Thanks Ben, I will review those links.
> >
> > I have the MX book and have read a decent portion of it. That's what I was
> > referring to. A quick glance shows some similar examples as to what was in
> > the MX book. Same author, so it makes sense.
>
> RFC 6192
> http://tools.ietf.org/search/rfc6192
>
> Has good examples of Juniper and Cisco control-plane ACLs for IPv4 and IPv6.
>
> Doug's book is, as you noted, also rather good.
>
> IMHO this is basic belt and suspenders for router deployment and everyone
> should do this.
>
> > On Tue, Jan 14, 2014 at 2:52 PM, Ben Dale <bd...@comlinx.com.au> wrote:
> >
> >> On 14 Jan 2014, at 12:31 pm, Mark Tees <markt...@gmail.com> wrote:
> >>
> >>> What I was referring to was a detailed ACL/filter for lo0 that only
> >>> allows traffic for enabled services on the routing engine.
> >>>
> >>> For example, if Juniper posted a firewall filter template with all the
> >>> possible services, customers could then activate/deactivate what they
> >>> need from the policy and log fails before discarding, etc.
> >>
> >> What you think you're after is "show system connections", which is more
> >> or less "netstat -an" and shows all ports that are listening on your RE -
> >> you can now filter at will.
> >>
> >> Providing a list of every service for people to modify is not going to
> >> solve these problems - "Oh hey, I'm using NTP, I'd better enable all
> >> those rules"..
> >>
> >> What you actually want is an ACL with ONLY the services you've actually
> >> configured and understand, from the sources/destinations you're using
> >> them from, and deny all else - then you *mostly* don't need to worry
> >> about this sort of thing.
> >>
> >> If your employer is too tight to spring for the MX book (worth every
> >> cent and then some), the following free Day One books will provide
> >> everything you're after (sign up for a J-Net login if you don't already
> >> have one):
> >>
> >> http://www.juniper.net/us/en/community/junos/training-certification/day-one/fundamentals-series/securing-routing-engine/
> >> http://www.juniper.net/us/en/community/junos/training-certification/day-one/fundamentals-series/hardening-junos-devices-checklist/
> >> http://www.juniper.net/us/en/community/junos/training-certification/day-one/fundamentals-series/configuring-junos-policies/
> >>
> >> Ben
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
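An lo0 input filter of the kind Ben describes (only the services actually configured, only from known sources, everything else counted, logged and discarded), added here as an illustration rather than anything from the thread or the Day One books. The filter, policer, term and prefix-list names and the addresses are constructed for the example; the services you permit come from your own configuration and from `show system connections`.

```junos
policy-options {
    /* constructed sample prefixes; replace with your own peers and hosts */
    prefix-list bgp-peers { 192.0.2.1/32; 192.0.2.2/32; }
    prefix-list mgmt-hosts { 198.51.100.0/24; }
    prefix-list ntp-servers { 203.0.113.10/32; }
}
firewall {
    /* rate limit for ICMP so diagnostics work without exposing the RE */
    policer icmp-limit {
        if-exceeding { bandwidth-limit 1m; burst-size-limit 15k; }
        then discard;
    }
    family inet {
        filter protect-re {
            /* BGP only to and from the configured peers */
            term bgp-peers {
                from { source-prefix-list { bgp-peers; } protocol tcp; port bgp; }
                then accept;
            }
            /* SSH only from the management network */
            term ssh-mgmt {
                from { source-prefix-list { mgmt-hosts; } protocol tcp; destination-port ssh; }
                then accept;
            }
            /* NTP replies only from the configured servers */
            term ntp-replies {
                from { source-prefix-list { ntp-servers; } protocol udp; source-port ntp; }
                then accept;
            }
            /* ICMP allowed but policed */
            term icmp-limited {
                from { protocol icmp; }
                then { policer icmp-limit; accept; }
            }
            /* everything else: count, log, then discard */
            term deny-rest {
                then { count protect-re-dropped; syslog; discard; }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet { filter { input protect-re; } }
        }
    }
}
```

Other services you actually run (IGP, DNS replies, SNMP from the NMS, TCP return traffic for sessions the RE initiates) get a term each in the same shape, and an inet6 filter follows the same pattern. Watch the `protect-re-dropped` counter and the syslog entries after applying it to catch anything you forgot before it becomes an outage.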