Re: [j-nsp] Securing management access to Juniper gear
On Fri, Sep 02, 2011 at 02:37:11PM -0400, Mark Kamichoff wrote:
> I'm not an EX guru, but I believe the same concepts can be applied.

With the caveats that:

1) lo0 filters *WILL* (quite incorrectly) match data plane exception packets that get punted to the RE for further processing as well, such as TTL-expiring traceroute packets routing THROUGH the box. Mostly this issue applies to EX, which seems to punt a whole bunch of everything to the RE rather than deal with it on the FPC CPU like traditional Juniper hardware, but the same thing actually still happens with TTL-expiring packets being popped out of an LSP on MX Trio hardware too. You need to make exceptions for this in your lo0 filter, or else you'll find your control plane filters matching more than just control plane packets, breaking traceroute/etc, and generally pissing everyone off. I believe there was also a related ongoing issue on EX where an lo0 filter with an explicit deny of all traffic at the end would actually match ARP traffic too, so you should probably be careful with those as well. :)

2) EX lo0 filters don't actually work correctly for DoS prevention; they get applied *AFTER* the packets have already destroyed the RE, and thus are completely ineffective at defending the boxes from attack. The only way to correctly block control plane traffic on EX is with ingress filters on real interfaces (or RVIs).

--
Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
___
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
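An lo0 filter sketch that reflects the first caveat above, added here as an example and not part of anyone's post in this thread: management TCP only from a management prefix, with ICMP and UDP traceroute probes accepted (rate-limited) ahead of the final deny so punted transit packets are not dropped. The names protect-re, mgmt-hosts and re-icmp-policer and the prefix 192.0.2.0/24 are assumed, constructed values.

```junos
/* Constructed: documentation prefix standing in for the management hosts */
policy-options {
    prefix-list mgmt-hosts {
        192.0.2.0/24;
    }
}
firewall {
    /* Rate limit for traffic the RE must see but should never be flooded with */
    policer re-icmp-policer {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    family inet {
        filter protect-re {
            /* SSH and HTTPS to the box only from the management prefix */
            term allow-mgmt {
                from {
                    source-prefix-list { mgmt-hosts; }
                    protocol tcp;
                    destination-port [ ssh https ];
                }
                then accept;
            }
            /* Caveat 1: TTL-expired transit probes are punted here too.
               ICMP echo (Windows tracert) and the UDP traceroute port
               range must be accepted, policed, before the final deny. */
            term allow-icmp {
                from { protocol icmp; }
                then { policer re-icmp-policer; accept; }
            }
            term allow-traceroute {
                from { protocol udp; destination-port 33434-33534; }
                then { policer re-icmp-policer; accept; }
            }
            /* Count what is dropped so the counter can be watched for surprises */
            term deny-rest {
                then { count denied-to-re; discard; }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet { filter { input protect-re; } }
        }
    }
}
```

Terms for routing protocols and other services the box actually relies on (BGP, OSPF, NTP, SNMP, DNS and so on) belong before deny-rest and are left out here. Per the second caveat, on EX the same filter goes as an input filter on the ingress interfaces or RVIs, since on lo0 it only runs after the RE has already taken the hit.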
Re: [j-nsp] Securing management access to Juniper gear
On Saturday, September 03, 2011 09:18:51 PM Richard A Steenbergen wrote:
> 2) EX lo0 filters don't actually work correctly for DoS prevention; they get applied *AFTER* the packets have already destroyed the RE, and thus are completely ineffective at defending the boxes from attack. The only way to correctly block control plane traffic on EX is with ingress filters on real interfaces (or RVIs).

Just to add, in case you're planning to perform any egress filtering on an RVI for IPv6, it won't work if one of your match conditions is a destination address:

    [edit interfaces vlan unit 998 family inet6]
      'filter'
        Referenced filter 'filter-outgoing6' can not be used as destination-address not supported on egress IRB
    error: configuration check-out failed

This is Junos 10.4R4.5. Don't know if anything later fixes this. Ingress filtering with that match condition is fine, however.

Cheers,

Mark.
Re: [j-nsp] Securing management access to Juniper gear
You can use a firewall filter to deny or to permit the correct IP addresses to your gear. There is a good document at the Juniper web site explaining how you can do that (best practices), besides others:

http://www.cymru.com/gillsr/documents/junos-template.pdf
http://www.juniper.net/us/en/community/junos/training-certification/day-one/
http://www.juniper.net/us/en/community/junos/training-certification/day-one/fundamentals-series/securing-routing-engine/

> What is the recommended/preferred way to secure the SSH/Web access to a piece of JunOS gear? I have a couple of routers (MX80) and switches (EX4200) that are remote. Can I attach packet filters to the system services (HTTP, SSH)? Do I attach the packet filter to the lo0 interface?
>
> Thanks
>
> -Matt
Re: [j-nsp] Securing management access to Juniper gear
Hi Matthew -

On Fri, Sep 02, 2011 at 02:28:03PM -0400, Matthew S. Crocker wrote:
> What is the recommended/preferred way to secure the SSH/Web access to a piece of JunOS gear? I have a couple of routers (MX80) and switches (EX4200) that are remote. Can I attach packet filters to the system services (HTTP, SSH)? Do I attach the packet filter to the lo0 interface?

You typically attach a firewall filter to the lo0 interface to secure the routing engine. For more information I highly recommend the following Day One book, which goes over this in detail:

http://www.juniper.net/us/en/community/junos/training-certification/day-one/fundamentals-series/securing-routing-engine/

I'm not an EX guru, but I believe the same concepts can be applied.

- Mark

--
Mark Kamichoff p...@prolixium.com http://www.prolixium.com/