On 29/03/2016 15:46, Saku Ytti wrote:

> That is just a 10 min look. It's a very complicated approach, yet not a
> particularly secure one. But at least it's less broken than the Cymru
> secure template.
>
> A few basic principles:
> a) never use 'port'; all bidirectional TCP needs an 'active' and a 'passive' rule separately
> b) never use prefix-list, always directional source/destination
> c) if you run L3 MPLS VPN, always verify 'destination-address'
> d) have a long list of permit/allow, then a single discard at the end
> e) if the standard makes a statement about TTL/hop-limit, use it; it's super
> critical for ICMPv6 ND particularly
> f) only use 'tcp-established' to make a rule more strict, not to have
> some handy catch-all return-traffic permitter
> g) avoid a high level of abstraction; people will need to be able to
> review it, preferably fast; bitrot is a serious problem

I have always found RE protection filters over-complicated and error prone. I stand with my very simple filter (8 terms), which is far from perfect (and it breaks one of your rules), but at least it is understandable and works in my environment.

The easy part is to protect from the outside; you can even use private IPs on your core, or better, dedicate a public subnet that is not announced in the DMZ.

The difficult part is to protect your core from your customers. And then filter BGP, VRRP, etc.

I think a collaborative repo on GitHub from different sources would be helpful for all of us (I've grabbed many filters over the years, and can publish them if someone is interested).


--
Raphael Mazelier
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
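As an added illustration of principles a) through f) from the quoted list, here is a minimal Junos lo0 filter skeleton. This is example configuration written for this thread, not a filter from either poster's environment; the prefix-list names are placeholders, and the `hop-limit` match in the inet6 filter is assumed to be supported on the platform in use.

```junos
firewall {
    family inet {
        filter protect-re-v4 {
            /* a) BGP split into passive and active terms; b)/c) source AND destination both matched */
            term bgp-passive {
                from {
                    source-prefix-list { bgp-peers-v4; }
                    destination-prefix-list { router-loopbacks-v4; }
                    protocol tcp;
                    destination-port bgp;
                }
                then accept;
            }
            /* f) tcp-established only here, where it tightens the active side (peer's 179 replying) */
            term bgp-active {
                from {
                    source-prefix-list { bgp-peers-v4; }
                    destination-prefix-list { router-loopbacks-v4; }
                    protocol tcp;
                    source-port bgp;
                    tcp-established;
                }
                then accept;
            }
            /* d) explicit permits above, one counted discard at the end */
            term discard-rest {
                then {
                    count re-v4-discard;
                    discard;
                }
            }
        }
    }
    family inet6 {
        filter protect-re-v6 {
            /* e) RFC 4861 mandates hop limit 255 on ND, so the filter requires it */
            term icmpv6-nd {
                from {
                    next-header icmpv6;
                    icmp-type [ neighbor-solicit neighbor-advertisement router-advertisement ];
                    hop-limit 255;
                }
                then accept;
            }
            term discard-rest {
                then discard;
            }
        }
    }
}
```

Apply the filters as `input` under `interfaces lo0 unit 0 family inet` and `family inet6`; the counters on the final terms are what you watch to catch a legitimate protocol you forgot to permit.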
