
Cyber Attacks Rage, Bring a Security Cover to Network Devices


Information security public awareness and information security knowledge enlightenment.


Cyber attacks are everywhere.

In January 2018, everyone was as busy as ever; the fans of the equipment in the IT room rumbled on, and everything seemed perfectly normal.

However, if you look at the digital world inside those devices from a different angle, the landscape is completely different: packets are racing in the dark to every corner of the world.

As the saying goes, wherever there are people, there is a jungle. The man-made world of the Internet is inevitably a dangerous place.

Take a look at the picture above; it's not a fireworks photo I Photoshopped. It is literally a world map of cyber attack traffic. Attack traffic of all kinds crosses borders and hits every Internet-connected device.

With personal computers struggling to escape the clutches of cyber attacks, how can network devices be left alone?

Not at all: network devices are also targets for attackers, and important ones at that, unless you unplug the power cord.

As the saying goes, to kill a snake, strike its head: if an attacker wants to cause a widespread Internet outage, taking down the network devices is far more cost-effective than taking down individual endpoints one by one.

A bulletproof vest for your network equipment

How do you avoid being compromised by attackers, and how do you do security hardening? If we can, let's dress our devices in a golden bell and iron shirt, so that swords and spears cannot get through.

How do you harden network equipment security?

Common practices.

I'm sure the first thing that comes to mind for many of you is to use ACLs (access control lists) to allow only trusted administrators to reach the device's management plane, restrict specific protocols, and so on.

1. Configure ACLs on router or switch interfaces to allow only specific traffic.

2. Restrict management access such as SSH and HTTPS to specific network segments.

Is that enough?

How do you secure both in-band and out-of-band management of network devices?

How do I allow only specific source addresses to connect to device protocols, such as BGP, etc.?

Are unnecessary network services turned off?

Is device logging properly configured to record device login records and other network management traces?

Is the configuration backed up regularly, so that an unexpected failure does not leave you without it?

Have money? Get a third-party security company to do a security scan.

Or rather, if you are well off, you can have a third-party security company run a security scan directly and remediate based on the assessment report. But it will cost a small fortune.

Do-it-yourselfer? Roll up your sleeves!

In fact, instead of spending money, we can choose to solve the problem ourselves, saving the company money on the one hand and honing our personal skills on the other. What's not to like about something so good?

So, to satisfy the do-it-yourself crowd who would rather feed and clothe themselves with their own hands, this article summarizes a way of thinking about the security hardening of network devices, for your reference.

Throwing light on network device security hardening

Since we are discussing network equipment hardening, we need a specific product as the object of demonstration. Because I have long used Juniper equipment, I will use its products as the example.

Also note that the following is not limited to Juniper devices. Beyond understanding Juniper's hardening approach, what matters most is that you grasp this way of thinking and apply it to whichever vendor's devices you have around you.

Basics: Software is bug-free and upgraded to the latest version

Real-time attention to system bugs

This step is especially important, yet extremely easy to overlook.

Flies don't land on an egg without a crack, and cyber attacks are no different. If an attacker only goes after the obvious things everyone tries, such as trying their luck at telnetting into a device, then the skill level of that attacker is questionable.

So the real attacker goes after the system bugs and vulnerabilities that he knows about and you don't. Obviously it is very necessary to keep track of system vulnerabilities in real time. Take myself for example: every so often I check whether the JUNOS software running on our Juniper devices has any major new bugs, and then propose fixes. (The boss will think you're far-sighted and give you a pay rise!)

How to view JUNOS vulnerabilities:

Method 1: check the security advisories on Juniper's website: https://kb.juniper.net/InfoCenter/index?page=content&channel=SECURITY_ADVISORIES

Method 2: search Juniper's Problem Report (PR) database: https://prsearch.juniper.net

By regularly reviewing the bug information of the JUNOS system you are using and taking relevant measures according to Juniper recommendations, you can greatly avoid the problem of system bugs that bring down the network.

Install the manufacturer's recommended OS operating system

This step is easy to understand: the network equipment manufacturer will generally recommend that you use a particular OS version. The recommendation is based on vendor statistics and aggregated customer feedback, from which the vendor concludes that this version is relatively more stable and has relatively fewer bugs.

Juniper's recommended OS versions are summarized here:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB21476&actp=METADATA

What's the point of talking about the soul when you can't even keep your physical body: the physical security of the device

What is physical security of the device? It includes, but is not limited to, the following.

1. Physical environment security of the equipment.

2. Security of the device's physical ports and interfaces.

3. Security of the device's display panel.

Physical environment security of equipment

Network equipment is typically installed in specific racks in the server room. However, if the security of the server room is poor, anyone can walk in at any time and move network equipment that is already in production, or disconnect power and pull cables. Then all other security issues are moot.

As girls in love always say to boys, "If you can't even give me basic security, what's the point of talking about love! "

So, engineers, buy your network equipment a better "house" and give them a sense of security. For example, as mentioned in my previous OOB article, "Building an Out-of-Band OOB Network", a rack door lock + sensor is used to secure the device.

Device Port Security

Console Interface Security

The console interface is the management interface of the device; in importance, no in-band or out-of-band management method can match it.

In daily operation and maintenance, it is often necessary to go on site and debug the device over the console. After the engineer logs into the device over the console, he often forgets to log out and just unplugs the console cable. The danger is that someone else can then plug into the console without any authentication and use the previous user's privileges to perform any operation on the network device.

In other words, if the previous engineer logged in with a root account, the subsequent attacker is also in root mode and can perform major operations on the device such as going offline, rebooting, and shutting down at any time.

Recommendations for security settings

1. Enable the log-out-on-disconnect function, which logs out the current user as soon as the console cable is disconnected.

[edit system ports]
GingerBeer@Juniper# set console log-out-on-disconnect

2. Disable root login on the console interface (mark the console as insecure).

[edit system ports]
GingerBeer@Juniper# set console insecure

3. The drastic option: disable the console interface. In specific cases, such as when the device's physical environment cannot be secured, the console can be shut down entirely so that nobody can use it to guess passwords or perform other operations.

[edit system ports]
GingerBeer@Juniper# set console disable

Auxiliary interface and device board diagnostic interface security

Auxiliary Port Auxiliary Interface

The auxiliary interface is not used by many people. It has two main functions: an external modem can be attached so that a remote site can dial in and manage the device through the modem, and it can sometimes serve as a second console.

Since it is rarely used, it's best to turn it off. Junos, for example, has the auxiliary port disabled by default, although this is not visible in the configuration. From a security perspective, however, it can be explicitly disabled.

Explicitly disable the auxiliary interface:

[edit system ports]
GingerBeer@Juniper# set auxiliary disable

Board Diagnostic Interface

A high-end router or switch typically has two Routing Engine cards, two switch fabric boards, and multiple service boards.

And on the switch fabric board there is something like a console interface for the routing engine, so that if a fault needs to be diagnosed at board level, information can be collected by connecting to the diagnostic port of the fabric board.

From a security perspective, diagnostic interfaces generally have no password. Yes, you read that right: no password at all.

In Juniper's case, this diagnostic interface exists on certain SCB, SSB, SFM, and FEB cards. From a security perspective, we should set up password authentication for it.

Set password authentication on the diagnostic interface

Set it up as follows.

[edit system]
GingerBeer@Juniper# set diag-port-authentication plain-text-password
New password:
Retype new password:
[edit system]

or

GingerBeer@Juniper# set pic-console-authentication plain-text-password
New password:
Retype new password:
[edit system]
GingerBeer@Juniper#

USB Interface Security

USB provides convenient file transfer and storage expansion; depending on your security needs, you may consider turning it off.

[edit chassis]
GingerBeer@Juniper# show
usb {
    storage {
        disable;
    }
}
[edit chassis]
GingerBeer@Juniper#

Equipment Display Safety

This is interesting: some switches have a small monochrome LCD screen, usually with a couple of tiny buttons next to it. Don't underestimate this display. It lets you perform some basic maintenance and control functions, such as taking boards offline or resetting the system configuration. So if we don't use these functions often, we can disable the LCD panel's control functions.

Lock out the LCD panel's control functions. Look, but don't touch!

[edit]
GingerBeer@Juniper# set chassis craft-lockout

Make the system simple and turn off unnecessary services

In a nutshell, the reason devices such as routers, switches and even firewalls are more secure than servers is that network devices generally have far fewer services turned on by default.

Since security hardening demands a nit-picking spirit, let's see which other unnecessary services can be turned off on the network device.

Turn off automatic installation and configuration services

On many Juniper devices, the initial environment caters to automation needs such as high-volume provisioning, so automatic installation and configuration is turned on by default. From a security point of view, if you don't need this feature, you can turn it off.

Turn off automatic installation:

[edit]
GingerBeer@Juniper# delete system autoinstallation

Juniper SRX only: turn off automatic installation from USB:

[edit]
GingerBeer@Juniper# set system autoinstallation usb disable

Turn off ICMP redirection

An ICMP redirect is a notification a router sends to the sender of an IP packet, telling it that there is a better next hop to reach a particular destination host or network. After receiving the redirect, the source device should modify its routing and send subsequent packets through the next hop the router suggests.

An attacker can abuse the ICMP redirect feature by sending the router large numbers of packets that are not optimally routed, prompting it to generate thousands of ICMP redirects and thereby causing a DoS condition.

However, in a well-designed network, ICMP redirect messages are not needed and should not appear, so we can turn them off for that reason.

Like other vendors, Juniper's Junos has ICMP redirects turned on by default.

Turn off ICMP redirects:

[edit]
GingerBeer@Juniper# set system no-redirects

Block malicious TCP flags and TCP probes

Malicious TCP flags

Let's start with malicious TCP flags. We all know that a normal TCP handshake uses the SYN or FIN flags: SYN is used to establish a TCP connection, while FIN is used to tear down a TCP session.

But no normal packet carries both SYN and FIN in its flags, because the two are logically contradictory.

However, someone may deliberately craft such packets, creating a DoS condition by sending large numbers of invalid packets, or using them to fingerprint the target device's operating system.

We can configure JUNOS to silently discard invalid packets that have both SYN and FIN set.

The configuration is as follows.

[edit]
GingerBeer@Juniper# set system internet-options tcp-drop-synfin-set

TCP probes

To discover which ports are open on the target network device, an attacker can send large numbers of TCP SYN connection requests and learn the port state from the device's replies.

Under high-intensity scanning, the load on the network device increases, causing a DoS condition.

Configure JUNOS not to reply with a TCP RST for ports that are not open, so that an attacker cannot tell whether a port is open or closed.

[edit]
GingerBeer@Juniper# set system internet-options no-tcp-reset drop-tcp-with-syn-only

Appropriate use of LLDP neighbor discovery

LLDP is similar to Cisco's CDP; it is simply a neighbor discovery protocol standardized by the IEEE. Being a discovery protocol, it naturally exposes the details of the device itself. So enabling LLDP only on the ports that need it is the better choice for network security.

The case is as follows.

In the following case, LLDP is disabled on all interfaces by default, except for the required ge-0/0/0 and ge-0/0/3 interfaces.

[edit]
GingerBeer@Juniper# edit protocols lldp
[edit protocols lldp]
GingerBeer@Juniper# set interface all disable
[edit protocols lldp]
GingerBeer@Juniper# set interface ge-0/0/0.0
[edit protocols lldp]
GingerBeer@Juniper# set interface ge-0/0/3.0

Snowstorming? No way - monitor user activity logs

For operations, we want to see what a user does after logging into a network device: which account logged in and which commands it executed afterwards.

With such a feature, it is like installing an invisible camera on the network device, monitoring every move of the logged-in user. It also acts as a deterrent.

Juniper's Junos does a very good job on logging: it can be customized to the user's needs, picking out the information you need from all the log records and saving it to a specific file or to a syslog server.

The configuration is as follows.

set system syslog file interactive-commands interactive-commands any
set system syslog file authorization authorization info

View user login history:

show log authorization

The effect is as follows.

Jan 20 01:17:08 GingerBeer-RTR01 sshd[11590]: (pam_sm_acct_mgmt): DEBUG: PAM_USER: ro
Jan 20 01:17:08 GingerBeer-RTR01 sshd[11590]: (pam_sm_acct_mgmt): DEBUG: PAM_ACTUAL_USER: Gingerbeer
Jan 20 01:17:08 GingerBeer-RTR01 sshd[11590]: Accepted password for Gingerbeer from 1.2.3.4 port 12345 ssh2
Jan 20 01:21:10 GingerBeer-RTR01 sshd[11777]: (pam_sm_acct_mgmt): DEBUG: PAM_USER: ro
Jan 20 01:21:10 GingerBeer-RTR01 sshd[11777]: (pam_sm_acct_mgmt): DEBUG: PAM_ACTUAL_USER: Gingerbeer
Jan 20 01:21:10 GingerBeer-RTR01 sshd[11775]: Accepted keyboard-interactive/pam for Gingerbeer from 12345 port 12345 ssh2
Jan 20 01:21:10 GingerBeer-RTR01 sshd[11775]: Received disconnect from 1.2.3.4: 11: PECL/ssh2 (http://pecl.php.net/packages/ssh2)
Jan 20 01:21:10 GingerBeer-RTR01 sshd[11775]: Disconnected from 1.2.3.4

To view the log of commands users executed:

show log interactive-commands | last

The effect is as follows.

Jan 20 07:52:30 GingerBeer-RTR01 mgd[30631]: UI_CMDLINE_READ_LINE: User 'Gingerbeer', command 'show interfaces terse '
Jan 20 07:53:03 GingerBeer-RTR01 mgd[30631]: UI_CMDLINE_READ_LINE: User 'Gingerbeer', command 'show route '
Jan 20 07:53:37 GingerBeer-RTR01 mgd[30631]: UI_CMDLINE_READ_LINE: User 'Gingerbeer', command 'show configuration | display set | no-more '
Jan 20 07:53:56 GingerBeer-RTR01 mgd[30631]: UI_CMDLINE_READ_LINE: User 'Gingerbeer', command 'show log interactive-commands | last
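The two logs above are only useful if someone actually reads them. The following script is an added example, not code from the article or from Juniper: it parses `authorization` and `interactive-commands` records of the shape shown, groups commands per user, and raises alerts for logins from outside the management networks, direct root logins, and commands that change the device state. The sample lines are constructed for this example (the host, the user Gingerbeer and the address 1.2.3.4 are the article's; the root login from 198.51.100.7 and the reboot command are added to exercise the checks), and the list of "sensitive" command prefixes is an assumption you would tune to your environment.

```python
"""Review Junos 'authorization' and 'interactive-commands' syslog output.

Added example (not from the article): correlates who logged in from where
with what they ran, and flags the combinations worth a second look.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines modelled on the article's output.
AUTH_LOG = """\
Jan 20 01:17:08 GingerBeer-RTR01 sshd[11590]: Accepted password for Gingerbeer from 1.2.3.4 port 12345 ssh2
Jan 20 01:21:10 GingerBeer-RTR01 sshd[11775]: Accepted keyboard-interactive/pam for Gingerbeer from 1.2.3.4 port 12345 ssh2
Jan 20 01:21:10 GingerBeer-RTR01 sshd[11775]: Disconnected from 1.2.3.4
Jan 20 02:05:41 GingerBeer-RTR01 sshd[12001]: Accepted password for root from 198.51.100.7 port 40022 ssh2
"""

CMD_LOG = """\
Jan 20 07:52:30 GingerBeer-RTR01 mgd[30631]: UI_CMDLINE_READ_LINE: User 'Gingerbeer', command 'show interfaces terse '
Jan 20 07:53:03 GingerBeer-RTR01 mgd[30631]: UI_CMDLINE_READ_LINE: User 'Gingerbeer', command 'show route '
Jan 20 02:06:02 GingerBeer-RTR01 mgd[30900]: UI_CMDLINE_READ_LINE: User 'root', command 'request system reboot '
"""

TS = r"(\w{3} +\d+ \d\d:\d\d:\d\d)"
ACCEPT_RE = re.compile(TS + r" \S+ sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")
CMD_RE = re.compile(TS + r" \S+ mgd\[\d+\]: UI_CMDLINE_READ_LINE: User '([^']+)', command '(.*)'$")


def parse_logins(text):
    """Return one dict per successful SSH login: ts, method, user, src."""
    logins = []
    for line in text.splitlines():
        m = ACCEPT_RE.match(line)
        if m:
            ts, method, user, src = m.groups()
            logins.append({"ts": ts, "method": method, "user": user, "src": src})
    return logins


def parse_commands(text):
    """Return (ts, user, command) tuples from UI_CMDLINE_READ_LINE records."""
    out = []
    for line in text.splitlines():
        m = CMD_RE.match(line)
        if m:
            ts, user, cmd = m.groups()
            out.append((ts, user, cmd.strip()))
    return out


def commands_by_user(text):
    """Group executed commands per user, in log order."""
    grouped = defaultdict(list)
    for _, user, cmd in parse_commands(text):
        grouped[user].append(cmd)
    return dict(grouped)


def review(auth_text, cmd_text, mgmt_nets, sensitive=("request system", "delete ", "load ")):
    """Produce alert strings for logins and commands that deserve attention.

    mgmt_nets: CIDR strings of the networks administrators are expected to
    come from. 'sensitive' is an assumed list of command prefixes to flag.
    """
    nets = [ipaddress.ip_network(n) for n in mgmt_nets]
    alerts = []
    for e in parse_logins(auth_text):
        if e["user"] == "root":
            alerts.append(f"{e['ts']}: direct root login from {e['src']}")
        try:
            inside = any(ipaddress.ip_address(e["src"]) in n for n in nets)
        except ValueError:  # source field is not an IP address (malformed record)
            inside = False
        if not inside:
            alerts.append(f"{e['ts']}: login by {e['user']} from non-management address {e['src']}")
    for ts, user, cmd in parse_commands(cmd_text):
        if any(cmd.startswith(p) for p in sensitive):
            alerts.append(f"{ts}: sensitive command by {user}: {cmd}")
    return alerts


if __name__ == "__main__":
    for alert in review(AUTH_LOG, CMD_LOG, ["1.2.3.0/24"]):
        print(alert)
```

Point it at the files you export with `show log authorization` and `show log interactive-commands`, or at the copies your syslog server keeps, and run it from a scheduled job; the alert strings are deliberately flat so they drop straight into a ticket or a chat channel.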

Automatic backup device configuration

Without a doubt, there is no information about a network device more valuable than its configuration. I've seen many engineer friends get anxious and frantic after a network device died, simply because they hadn't backed up the configuration regularly, and there was nowhere to recover it from.

And in Juniper's Junos, automatic configuration backup is a very simple matter.

The settings are as follows.

[edit system archival configuration]
GingerBeer@Juniper# show
transfer-interval 1440;
archive-sites {
    "scp://Gingerbeer@1.2.3.4:/Configs" password "$9$EGCyMCVb1JGnev2aajPf359AO1"; ## SECRET-DATA
}

In plain terms, every 24 hours this router sends its current configuration to the server 1.2.3.4 via SCP.

Shutting down insecure system services

So-called insecure system services are those whose traffic is transmitted in clear text, so a man-in-the-middle can easily intercept it and obtain system login credentials and the like.

Examples of such services are as follows.

1. Disable the Berkeley "r" services.

[edit system services]
GingerBeer@Juniper# delete rsh
[edit system services]
GingerBeer@Juniper# delete rlogin

2. Disable FTP.

[edit system services]
GingerBeer@Juniper# delete ftp

3. Disable Finger.

[edit system services]
GingerBeer@Juniper# delete finger

4. Disable Telnet.

[edit system services]
GingerBeer@Juniper# delete telnet

5. Disable J-Web login over HTTP.

[edit system services]
GingerBeer@Juniper# delete web-management http

6. Disable reverse Telnet.

[edit system services]
GingerBeer@Juniper# delete reverse telnet

7. Disable clear-text Junoscript access.

[edit system services]
GingerBeer@Juniper# delete xnm-clear-text

8. Disable the TFTP server.

[edit system services]
GingerBeer@Juniper# delete tftp-server

Setting user login parameters

This step is a bonus: the system has default values, and everyone can adjust them according to the needs of their network.

Example of user login parameter settings.

[edit system login retry-options]
GingerBeer@Juniper# show
tries-before-disconnect 3; ## up to 3 attempts before the connection is dropped
backoff-threshold 1; ## after this many failed password attempts, start delaying the login prompt
backoff-factor 6; ## delay, in seconds, added for each failed attempt past the threshold
minimum-time 30; ## the login connection is kept open for at least 30 seconds
maximum-time 60; ## the user has 60 seconds to enter a username and password; the TCP connection is dropped after the timeout
lockout-period 10; ## a user name that exceeds the limit above is locked out for 10 minutes

The grand finale, the routing engine protection design logic

Each of the above settings only protects a particular function. To protect the whole router, you still need a comprehensive routing engine protection mechanism.

No need for fancy nomenclature to fool anyone; the grand finale is, bluntly, nothing more than a set of ACLs restricting the traffic that may reach the routing engine.

Don't worry, ACLs have their advanced tricks too, otherwise how could we call it "design"?

Analysis of design ideas

First, we need to divide the traffic arriving at the router into two main categories.

1. Management traffic

2. Protocol traffic

Next, list every protocol belonging to each of the two categories.

Examples.

Management traffic: typically SSH, SNMP, NTP, RADIUS, ICMP, and traceroute.

Since ACLs are stateless, for traffic the router itself sends out, an entry is also needed to allow the return traffic, for example the reply to a RADIUS request. (Very important.)

Protocol traffic: typically OSPF, RIP, BGP, or MPLS-related protocols such as LDP and RSVP.

Write the source and destination ports into each entry based on the protocol's port characteristics.

Once the analysis is done, let's look at a worked example, which is the most tangible way to see it.

Juniper Firewall Policy Writing Examples and Explanations

Notes on the entries: the first term is designed to protect against TCP SYN floods. It first matches all BGP neighbor addresses and the management addresses, then matches TCP packets whose flags are SYN, FIN or RST but not SYN-ACK, and finally applies a QoS policer that limits this traffic to at most 100k.

set firewall family inet filter protect-re term synflood-protect from source-prefix-list bgp-neighbors
set firewall family inet filter protect-re term synflood-protect from source-prefix-list mgmt-nets
set firewall family inet filter protect-re term synflood-protect from protocol tcp
set firewall family inet filter protect-re term synflood-protect from tcp-flags "(syn & !ack) | fin | rst"
set firewall family inet filter protect-re term synflood-protect then policer limit-100k
set firewall family inet filter protect-re term synflood-protect then accept

Additional configuration.

set policy-options prefix-list bgp-neighbors apply-path "protocols bgp group <*> neighbor <*>"

This command automatically matches the IP addresses of all configured BGP neighbors, so mom doesn't have to worry about me matching addresses one by one anymore!

set policy-options prefix-list ipv4-interfaces apply-path "interfaces <*> unit <*> family inet address <*>"

This command automatically matches all IPv4 addresses configured on the router.

PS: some of you may not be familiar with these fun and efficient Junos features, so please see another JUNOS technical article I wrote earlier: "Carriage return phobia? 13 JUNOS Tips to Help You Configure Your Network Easily and Hassle-Free".

Entry note: the second term allows the neighbor next door, Lao Wang, to initiate BGP to this router, with the destination range being the IP addresses of all the router's own interfaces. Note the "destination-port" match, port 179: because this firewall filter is ultimately applied inbound towards the routing engine, destination port 179 refers to the router itself.

set firewall family inet filter protect-re term allow-bgp from source-prefix-list bgp-neighbors
set firewall family inet filter protect-re term allow-bgp from destination-prefix-list ipv4-interfaces
set firewall family inet filter protect-re term allow-bgp from protocol tcp
set firewall family inet filter protect-re term allow-bgp from destination-port bgp
set firewall family inet filter protect-re term allow-bgp then accept

Entry note: the third term allows the OSPF protocol.

set firewall family inet filter protect-re term allow-ospf from source-prefix-list ipv4-interfaces
set firewall family inet filter protect-re term allow-ospf from destination-prefix-list ospf-allrouters
set firewall family inet filter protect-re term allow-ospf from destination-prefix-list ipv4-interfaces
set firewall family inet filter protect-re term allow-ospf from protocol ospf
set firewall family inet filter protect-re term allow-ospf then accept

Entry note: the fourth term allows SSH and limits SSH traffic to 10 Mbps with a policer; normal SSH management traffic generally does not exceed this value.

set firewall family inet filter protect-re term allow-ssh from source-prefix-list mgmt-nets
set firewall family inet filter protect-re term allow-ssh from protocol tcp
set firewall family inet filter protect-re term allow-ssh from destination-port ssh
set firewall family inet filter protect-re term allow-ssh then policer limit-10m
set firewall family inet filter protect-re term allow-ssh then accept

Entry note: the fifth term allows SNMP, with a 1 Mbps limit.

set firewall family inet filter protect-re term allow-snmp from source-prefix-list snmp-servers
set firewall family inet filter protect-re term allow-snmp from protocol udp
set firewall family inet filter protect-re term allow-snmp from destination-port snmp
set firewall family inet filter protect-re term allow-snmp then policer limit-1m
set firewall family inet filter protect-re term allow-snmp then accept

Entry note: the sixth term allows NTP, with a 32 kbps limit.

set firewall family inet filter protect-re term allow-ntp from source-prefix-list ntp-servers
set firewall family inet filter protect-re term allow-ntp from source-prefix-list localhost
set firewall family inet filter protect-re term allow-ntp from protocol udp
set firewall family inet filter protect-re term allow-ntp from destination-port ntp
set firewall family inet filter protect-re term allow-ntp then policer limit-32k
set firewall family inet filter protect-re term allow-ntp then accept

Entry note: the seventh term allows RADIUS, with a 32 kbps limit.

set firewall family inet filter protect-re term allow-radius from source-prefix-list radiusservers
set firewall family inet filter protect-re term allow-radius from protocol udp
set firewall family inet filter protect-re term allow-radius from source-port radius
set firewall family inet filter protect-re term allow-radius then policer limit-32k
set firewall family inet filter protect-re term allow-radius then accept

Entry note: the eighth term restricts ICMP fragments.

set firewall family inet filter protect-re term icmp-frags from is-fragment
set firewall family inet filter protect-re term icmp-frags from protocol icmp
set firewall family inet filter protect-re term icmp-frags then syslog
set firewall family inet filter protect-re term icmp-frags then discard

Entry note: the ninth term allows common ICMP messages, with a 1 Mbps limit.

set firewall family inet filter protect-re term allow-icmp from protocol icmp
set firewall family inet filter protect-re term allow-icmp from icmp-type echo-request
set firewall family inet filter protect-re term allow-icmp from icmp-type echo-reply
set firewall family inet filter protect-re term allow-icmp from icmp-type unreachable
set firewall family inet filter protect-re term allow-icmp from icmp-type time-exceeded
set firewall family inet filter protect-re term allow-icmp then policer limit-1m
set firewall family inet filter protect-re term allow-icmp then accept

Entry note: the tenth term allows common traceroute messages, with a 1 Mbps limit.

set firewall family inet filter protect-re term allow-traceroute from protocol udp
set firewall family inet filter protect-re term allow-traceroute from destination-port 33434-33523
set firewall family inet filter protect-re term allow-traceroute then policer limit-1m
set firewall family inet filter protect-re term allow-traceroute then accept

Entry note: the eleventh term allows the return traffic of SSH and BGP sessions initiated by the router itself. As stated earlier, Juniper's firewall filter, like Cisco's ACL, is not session-stateful, so traffic returning to the router must also be explicitly permitted. It is limited to 10 Mbps.

set firewall family inet filter protect-re term tcp-established from protocol tcp
set firewall family inet filter protect-re term tcp-established from source-port ssh
set firewall family inet filter protect-re term tcp-established from source-port bgp
set firewall family inet filter protect-re term tcp-established from tcp-established
set firewall family inet filter protect-re term tcp-established then policer limit-10m
set firewall family inet filter protect-re term tcp-established then accept

Entry note: the twelfth term is easy to understand: discard all traffic other than that specified above, without responding with ICMP unreachable messages.

set firewall family inet filter protect-re term default-deny then log
set firewall family inet filter protect-re term default-deny then syslog
set firewall family inet filter protect-re term default-deny then discard

Application strategy

On Juniper devices the lo0 interface is cleverly designed. Besides the familiar roles such as carrying the router-id or being the interface that never goes down, it is, more importantly, the special gateway to the routing engine. To restrict the traffic that reaches the routing engine, you only need to bind a firewall filter to lo0, whereas Cisco uses a control-plane policy.

After completing the firewall filter, let's apply it inbound on the lo0 interface, thereby limiting the traffic that reaches the routing engine.

set interfaces lo0 unit 0 family inet filter input protect-re

Other reinforcement elements

In addition to the hardening described above, on a daily basis you should also harden the Layer 2 redundant gateway protocols, Layer 3 routing protocols and other protocols on your router with authentication such as MD5.

1. Set the VRRP authentication password.

2. Set the OSPF, RIP, and BGP authentication passwords.

3. Set the authentication passwords for MPLS protocols such as LDP and RSVP.

Conclusion

In this article we have shared experiences and case studies on how to harden network devices against today's increasingly rampant cyber attacks.

Of course, each equipment manufacturer has its own hardening methods for its own equipment, and Juniper's hardening methods are not entirely applicable to Cisco and Huawei.

However, what matters for us network people is the thinking. The configurations differ, but the ideas are all connected.

