I have not.

But to answer your question broadly

a) allow in very specific terms what you want to accept
   - always match on source IP (except UDP traceroute and ICMP, which
     you'll need to accept from world)
   - always match on destination IP, if you run any L3 MPLS VPN
   - always match on destination port, either service port (BGP, SSH
     etc.) or JunOS ephemeral (49160-65535) (TCP requires 2 terms,
     one per direction)
   - always match on TTL/hop-count 255 when permitted (VRRP, ND)
   - decide your policy on IP options, and ensure lo0 implements that
     (transit IP-options are today subject to lo0. They were not in
     earlier JunOS, not even on Trio)
   - be sure that source IPs you allow cannot be spoofed. If I want
     to DDoS your network, the first source address spoofs I'll try are
     ftp.juniper.net, ftp.cisco.com etc. Ensure you don't admit anything
     like that to control-plane
b) discard rest
c) implement ddos-protection
   - configure _every_ protocol, set 10-100pps aggregate for
     protocols you don't know you need
   - disable sub detection, enable ifl detection
   - set ifl limit to 10th or 5th of aggregate at most (so you need
     >5 or >10 violating ifl to congest aggregate)
   - have three categories: 'don't care', 'care, but not customer
     impacting', 'customer impacting'. I'd recommend no more than 100pps,
     4000pps and 8000pps aggregates per category. There is built-in magic
     policer from NPU=>LC_CPU, you can't review its drops nor can you
     reconfigure it, but you MUST NOT congest it, as it will drop packets
     blindly, contract-unaware.



On Wed, 11 Jul 2018 at 22:09, Drew Weaver <drew.wea...@thenap.com> wrote:
>
> Have you tried submitting your recommendations to the authors?
>
> -----Original Message-----
> From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Saku Ytti
> Sent: Wednesday, July 11, 2018 3:07 PM
> To: cb...@gizmopartners.com
> Cc: Juniper List <juniper-nsp@puck.nether.net>
> Subject: Re: [j-nsp] ACL for lo0 template/example comprehensive list of 'things to think about'?
>
> I'd say the filters are all kind of broken.
>
> Just few issues
>
> a) You can't just limit UDP to 2Mbps on every edge port
> b) LO filter matches on 'port'
> c) LO filter has wide permit instead of accept 1,2,3,4 drop rest
> d) hardcore doesn't permit traceroute
>
> Just very short review, to me just these errors are monumental
> misunderstanding of security and goals of filters. To me starting from
> nothing is superior to starting from those.
>
> On Wed, 11 Jul 2018 at 21:23, Chris Boyd <cb...@gizmopartners.com> wrote:
> >
> >
> >
> > > On Jul 11, 2018, at 1:17 PM, Drew Weaver <drew.wea...@thenap.com> wrote:
> > >
> > > Is there a list of best practices or 'things to think about' when 
> > > constructing a firewall filter for a loopback on an MX series router 
> > > running version 15 of Junos?
> > >
> > > I'm slowly piecing it together by just 'seeing what is broken next' and I 
> > > have found some issue specific examples on Juniper.net thus far that tend 
> > > to help with some of the issues but if anyone has ever seen a decent 
> > > comprehensive guide that would be tremendously useful.
> > >
> > > If anyone has seen anything like this let me know, if not no worries
> > > will just keep fixing the things one by one =)
> >
> > Team Cymru has a “JunOS Secure Template” that I found a good place to 
> > start. It quotes version 4 though.  I think that means it’s well tested?
> >
> > http://www.cymru.com/gillsr/documents/junos-template.pdf
> >
> > —Chris
> > _______________________________________________
> > juniper-nsp mailing list juniper-nsp@puck.nether.net
> > https://puck.nether.net/mailman/listinfo/juniper-nsp
>
>
>
> --
>   ++ytti
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net 
> https://puck.nether.net/mailman/listinfo/juniper-nsp



-- 
  ++ytti
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
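Added worked example, not from Saku's message, the Team Cymru template or any Juniper document: one way the a) narrow accepts, b) discard-rest and c) ddos-protection points above could be expressed as MX Junos configuration. Prefix-list names and their RFC 5737 contents, the interface name, policer rates and the pps figures are constructed placeholders, and the IP-options term shows one possible policy (drop and count), not the only one; check every knob against the release you actually run before committing it.

```junos
/* Added illustrative configuration. Prefixes, interface, policer and
   pps values are constructed placeholders, not a recommendation. */
policy-options {
    prefix-list bgp-peers  { 192.0.2.0/24; 198.51.100.0/24; }   /* constructed */
    prefix-list mgmt-hosts { 203.0.113.0/28; }                   /* constructed */
    prefix-list vrrp-peers { 192.0.2.0/24; }                     /* constructed */
    /* every address on the box, so terms can match on destination IP as well */
    prefix-list local-addresses { apply-path "interfaces <*> unit <*> family inet address <*>"; }
}
firewall {
    policer world-policer { if-exceeding { bandwidth-limit 1m; burst-size-limit 15k; } then discard; }
    family inet {
        filter protect-re {
            /* (a) accept only narrowly: source IP, destination IP, protocol, port */
            term bgp-in {                  /* peer opened the session */
                from { source-prefix-list { bgp-peers; } destination-prefix-list { local-addresses; }
                       protocol tcp; destination-port bgp; }
                then accept;
            }
            term bgp-return {              /* we opened it: replies land on JunOS ephemeral ports */
                from { source-prefix-list { bgp-peers; } destination-prefix-list { local-addresses; }
                       protocol tcp; source-port bgp; destination-port 49160-65535; }
                then accept;
            }
            term ssh {
                from { source-prefix-list { mgmt-hosts; } destination-prefix-list { local-addresses; }
                       protocol tcp; destination-port ssh; }
                then accept;
            }
            term vrrp {                    /* link-local protocol: insist on TTL 255 */
                from { source-prefix-list { vrrp-peers; } protocol vrrp; ttl 255; }
                then accept;
            }
            /* ICMP and UDP traceroute have to be accepted from the world, so police them */
            term icmp-world {
                from { protocol icmp; icmp-type [ echo-request echo-reply unreachable time-exceeded ]; }
                then { policer world-policer; accept; }
            }
            term udp-traceroute-world {
                from { protocol udp; destination-port 33434-33523; }
                then { policer world-policer; accept; }
            }
            /* explicit IP-options policy; this example counts and drops them */
            term ip-options { from { ip-options any; } then { count ip-options; discard; } }
            /* (b) everything else is dropped, counted and logged */
            term discard-rest { then { count discard-rest; log; discard; } }
        }
    }
}
interfaces {
    lo0 { unit 0 { family inet { filter { input protect-re; } } } }
    /* anti-spoofing of the allowed sources is an edge job, not lo0's: uRPF on customer ports */
    xe-0/0/0 { unit 0 { family inet { rpf-check; } } }
}
system {
    ddos-protection {
        global { flow-detection; }
        protocols {
            /* (c) 'customer impacting' tier: 4000pps aggregate, per-ifl limit 1/10 of it,
               subscriber detection off, ifl detection on */
            bgp {
                aggregate {
                    bandwidth 4000; burst 4000;
                    flow-level-bandwidth { logical-interface 400; }
                    flow-level-detection { subscriber off; logical-interface on; }
                }
            }
            /* 'care, but not customer impacting' tier */
            icmp { aggregate { bandwidth 4000; burst 4000;
                               flow-level-bandwidth { logical-interface 400; }
                               flow-level-detection { subscriber off; logical-interface on; } } }
            /* 'don't care' tier for a protocol not known to be needed */
            telnet { aggregate { bandwidth 100; burst 100;
                                 flow-level-bandwidth { logical-interface 10; }
                                 flow-level-detection { subscriber off; logical-interface on; } } }
        }
    }
}
```

After committing, `show firewall filter protect-re` shows the per-term counters (watch discard-rest grow while you find what else you legitimately need to accept), and `show ddos-protection protocols violations` shows which protocol groups and which ifls are hitting their limits. The filter only controls what reaches the control plane; keeping the permitted sources unspoofable depends on uRPF or ingress filters on the customer-facing interfaces, which is why the rpf-check line is on an edge port rather than on lo0.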
