I would not use the Cymru as an example. Few points on the 'router-protect-hardcore'

1) it does not enforce destination address - this allows FW filter bypass in typical L3 MPLS VPN scenario
2) it uses 'from port X' - this allows bgp speakers to connect to any port on your router
3) it does not use DDoS protection - this allows trivial way to congest the control-plane
4) it polices ssh to 1Mbps, hardly useful for scp/sftp

I didn't review other parts of the suggestion

On 27 November 2014 at 08:42, <[email protected]> wrote:
>> http://www.juniper.net/us/en/training/jnbooks/day-one/fundamentals-series/securing-routing-engine/
>
> Also worth looking at: http://www.team-cymru.org/ReadingRoom/Templates/
>
> Steinar Haug, Nethelp consulting, [email protected]
> _______________________________________________
> juniper-nsp mailing list [email protected]
> https://puck.nether.net/mailman/listinfo/juniper-nsp

--
  ++ytti

