Protecting the Local Routing Engine
Problem
You want to protect the Routing Engine by ensuring that it accepts traffic only from trusted network systems.
Solution
Protecting the Routing Engine involves filtering incoming routing protocol traffic on the router's lo0 interface. The first step is to create the filter:
[edit firewall] aviva@RouterF# edit filter protect-RE
This filter contains terms for the different protocols running on the router. The first terms allow the router to accept routing-protocol traffic from BGP peers and OSPF neighbors:
[edit firewall filter protect-RE] aviva@RouterF# edit term bgp-peers [edit firewall filter protect-RE term bgp-peers] aviva@RouterF# set from source-address 10.0.8.0/24 aviva@RouterF# set from source-address 10.0.13.0/24 aviva@RouterF# set from destination-port bgp aviva@RouterF# set then accept aviva@RouterF# up [edit firewall filter protect-RE] aviva@RouterF# edit term ospf-neighbors [edit firewall filter protect-RE term ospf-neighbors] aviva@RouterF# set from source-address 10.0.8.0/24 aviva@RouterF# set from source-address 10.0.13.0/24 aviva@RouterF# set from protocol ospf aviva@RouterF# set then accept
The next term allows TCP traffic:
[edit firewall filter protect-RE ] aviva@RouterF# edit term tcp-traffic [edit firewall filter protect-RE term tcp-traffic ] aviva@RouterF# set from source-address 10.0.0.0/8 aviva@RouterF# set from protocol tcp aviva@RouterF# set then accept
The following term allows DNS traffic:
[edit firewall filter protect-RE ] aviva@RouterF# edit term dns-servers [edit firewall filter protect-RE term dns-servers ] aviva@RouterF# set from source-address 10.0.0.0/8 aviva@RouterF# set from protocol udp aviva@RouterF# set from port domain aviva@RouterF# set then accept
The next two terms allow RADIUS, SSH, and Telnet connections to the router:
[edit firewall filter protect-RE] aviva@RouterF# edit term radius [edit firewall filter protect-RE term radius ] aviva@RouterF# set from source-address 10.1.0.1/32 aviva@RouterF# set from source-address 10.3.0.1/32 aviva@RouterF# set from source-port radius aviva@RouterF# set then accept [edit firewall filter protect-RE term radius ] aviva@RouterF# up [edit firewall filter protect-RE ] aviva@RouterF# edit term ssh-telnet [edit firewall filter protect-RE term ssh-telnet ] aviva@RouterF# set from source-address 10.0.8.0/24 aviva@RouterF# set from source-address 10.0.13.0/24 aviva@routerF# set from destination-port [ ssh telnet ] aviva@RouterF# set then accept
Two terms accept traffic from SNMP NMS systems:
[edit firewall filter protect-RE ] aviva@RouterF# edit term xnm-from-nms [edit firewall filter protect-RE term xnm-from-nms ] aviva@RouterF# set from source-address 10.0.0.1/32 aviva@RouterF# set from source-address 10.0.5.1/32 aviva@RouterF# set from protocol tcp aviva@RouterF# set then accept aviva@RouterF# up [edit firewall filter protect-RE ] aviva@RouterF# edit term allow-snmp-from-nms [edit firewall filter protect-RE term allow-snmp-from-nms ] aviva@RouterF# set from source-address 10.0.0.1/32 aviva@RouterF# set from source-address 10.0.5.1/32 aviva@RouterF# set from protocol udp aviva@RouterF# set from destination-port snmp aviva@RouterF# set then accept
Two terms accept traffic from the network's NTP servers and from ICMP:
[edit firewall filter protect-RE ] aviva@RouterF# edit term allow-ntp [edit firewall filter protect-RE term allow-ntp ] aviva@RouterF# set from source-address 10.10.0.1/32 aviva@RouterF# set from source-address 10.10.5.1/32 aviva@RouterF# set from port ntp aviva@RouterF# set then accept aviva@RouterF# up [edit firewall filter protect-RE ] aviva@RouterF# edit term allow-icmp [edit firewall filter protect-RE term allow-icmp ] aviva@RouterF# set from protocol icmp aviva@RouterF# set from icmp-type [ echo-request echo-reply unreachable time-exceeded source-quench ] aviva@RouterF# set then accept
The last term explicitly rejects all other traffic:
[edit firewall filter protect-RE ] aviva@RouterF# edit term allow-nothing-else [edit firewall filter protect-RE term allow-nothing-else ] aviva@RouterF# set then count reject-counter aviva@RouterF# set then log aviva@RouterF# set then syslog aviva@RouterF# set then reject
Create a system logfile for the messages that will be generated by the set then syslog command:
[edit system syslog] aviva@RouterF# set file messages firewall any
Finally, apply the filter to the router's loopback interface:
[edit interfaces lo0] aviva@RouterF# set unit 0 family inet filter input protect-RE
Discussion
This recipe illustrates the second broad firewall filter design philosophy mentioned in Recipe 9.11that of creating a filter that allows only the desired traffic and blocks everything else. This design requires more planning than the reverse strategy of blocking traffic that the router should not receive first and then allowing everything else, but it ensures maximum security. You need to spend time up front looking at your network and router configurations and analyzing the flow of traffic through your network to determine the types of traffic the router should expect to receive and the addresses and ports from which it should receive the traffic. Another factor working in favor of improving the security of this design is that, by default, if a packet does not match any term in a firewall filter, it is discarded.
This "allow known, block everything else" design is good practice for protecting the router's Routing Engine. Because the JUNOS routing-protocol software runs on the Routing Engine, you want to make sure that all the traffic it receives is from known and trusted sources.
This recipe is for a router running the routing protocols BGP and OSPF. The router can be accessed by SSH and Telnet, and by DNS, RADIUS, and NMS servers. The firewall filter has a term that handles each type of protocol traffic. A design decision you have to make is the order of the terms in the filter. As with routing policy, the terms in the firewall filter are evaluated in the order in which they appear in the configuration, so the placement affects the efficiency of the filter. You need to decide which packet-filtering operations need to be performed quickly and which are not so time-critical. Generally, protocol packets and possibly address resolution should be handled quickly so that the actual process of routing traffic occurs efficiently. The terms for other less important or background tasks, such as user connections to the router and SNMP polling, are placed towards the end of the filter.
The first terms in this firewall filter accept BGP and OSPF protocol traffic. The AS has two subnetworks, 10.0.8.0/24 and 10.0.13.0/24, so the filter allows protocol traffic only from these specific addresses. For OSPF, we can match on the protocol, but there is no BGP protocol option, so you need to match packets destined for a BGP port. The third term accepts TCP traffic. Because BGP runs over TCP, this term ensures that TCP connections can be set up.
The term dns-servers filters DNS traffic for resolving hostnames and addresses. DNS runs over UDP and uses the domain source port, and the filter uses this information to identify DNS traffic. DNS traffic can come from any server on the 10.0.0.0/8 subnetwork. The terms radius and ssh-telnet accept traffic from the network's RADIUS servers and from SSH and Telnet connections. Both these filters identify packets by looking at their destination port. The RADIUS servers are on two subnet-works, 10.1.0.1/32 and 10.3.0.1/32, and SSH and Telnet sessions are allowed on the 10.0.8.0/24 and 10.0.13.0/24 subnetworks.
The terms xnm-from-nms and allow-snmp-from-nms allow the network's two management systems, 10.0.0.1/32 and 10.0.5.1/32, to access the router. These two servers are both running JUNOScript software, which establishes TCP-based SSL connections to the router, and SNMP. The xnm-from-nms term accepts SSL connections from the JUNOScript software, and the second term accepts SNMP queries.
The final term in the filter, allow-nothing-else, drops all other packets. In this case, we want to know how many packets are dropped, so nonmatching packets are counted in the counter named reject-counter. The set then log command logs these packets to the firewall counter, and the set then syslog command logs them to a system logfile. The recipe configures the system logfile messages to contain the system log messages, using the firewall facility to capture firewall-related messages.
Use the show firewall log command to see how many packets are being rejected or look in the logfile with the show low messages command. You can also look in the file /var/etc/filters/dfwc.out to see the actions taken by the different terms in the filter. The following is some of the output for the protect-RE filter:
aviva@RouterF> file show /var/etc/filters/dfwc.out ************************************************************** * filter "protect-RE" protocol ip: 8 rules, 24 matches * Stage: after match reduction and useless match elimination * Optimizations: max-reduction,skip,flatness,level-compress, * max-level-compress,branch,action-elimination ************************************************************** rule "ospf-neighbors" matches 3 match protocol unreferenced type range ranges 1 89 match source-address unreferenced type addrmask number of address-masks: 2 10.0.8/24 10.0.13/24 match action unreferenced type action accept rule "dns-servers" matches 4 match protocol unreferenced type range ranges 1 17 match port unreferenced type range ranges 1 53 match source-address unreferenced type addrmask number of address-masks: 1 10/8 match action unreferenced type action accept
The header shows the name of the filter and the number of rules (terms) it has, along with the number of packets that have matched:
* filter "protect-RE" protocol ip: 8 rules, 24 matches
Again, because the firewall filter is fairly complicated, here is the complete configuration so you can see the structure:
[edit firewall]
aviva@RouterF# show
filter protect-RE {
term bgp-peers {
from {
source-address {
10.0.8.0/24;
10.0.13.0/24;
}
destination-port bgp;
}
then accept;
}
term ospf-neighbors {
from {
source-address {
10.0.8.0/24;
10.0.13.0/24;
}
protocol ospf;
}
then accept;
}
term tcp-traffic {
from {
source-address 10.0.0.0/8;
protocol tcp;
}
then accept:
}
term dns-servers {
from {
source-address {
10.0.0.0/8;
}
protocol udp;
port domain;
}
then accept;
}
term radius {
from {
source-address {
10.1.0.1/32;
10.3.0.1/32;
}
destination-port radius;
}
then accept;
}
term ssh-telnet {
from {
source-address {
10.0.8.0/24;
10.0.13.0/24;
}
destination-port [ ssh telnet ];
}
then accept;
}
term xnm-from-nms {
from {
source-address {
10.0.0.1/32;
10.0.5.1/32;
}
protocol tcp;
}
then accept;
}
term allow-ntp {
from {
source-address {
10.10.0.1/32;
10.10.5.1/32;
}
port ntp;
}
then accept;
}
term allow-icmp {
from {
protocol icmp;
icmp-type [ echo-request echo-reply unreachable time-exceeded source
quench ];
}
then accept;
}
term allow-snmp-from-nms {
from {
source-address {
10.0.0.1/32;
10.0.5.1/32;
}
protocol udp;
destination-port snmp;
}
then accept;
}
term allow-nothing-else {
then {
count reject-counter;
log;
syslog;
reject;
}
}
}
[edit interfaces]
lo0 {
unit 0 {
family inet {
filter input protect-RE;
address 192.168.16.1
}
}
}
Router Configuration and File Management
- Introduction
- Configuring the Router for the First Time
- Configuring the Router from the CLI
- Getting Exclusive Access to Configure the Router
- Displaying the Commands to Recreate a Configuration
- Including Comments in the Configuration
- Checking the Syntax of the Configuration
- Activating the Router Configuration
- Debugging a Failed Commit
- Exiting Configuration Mode
- Keeping a Record of Configuration Changes
- Determining What Changes You Have Made to the Configuration
- Configuring the Router by Copying a File from a Server
- Configuring the Router by Copying Text from a Terminal Window
- Backing Up the Routers Configuration
- Scheduling the Activation of a Configuration
- Provisionally Activating a Configuration
- Loading a Previous Router Configuration
- Creating an Emergency Rescue Configuration
- Backing Up Filesystems on M-Series and T-Series Routers
- Backing Up Filesystems on J-Series Routers
- Restoring a Backed-Up Filesystem
- Installing a Different Software Release on M-Series and T-Series Routers
- Installing a Different Software Release on J-Series Routers
- Creating an Emergency Boot Disk
- Gathering Software Version Information
- Gathering Hardware Inventory Information
- Finding Out How Long the Router Has Been Up
- Gathering Information Before Contacting Support
- Managing Routers with Similar Configurations
- Managing Redundant Routing Engines
- Using the Second Routing Engine to Upgrade to a New Software Version
Basic Router Security and Access Control
- Basic Router Security and Access Control
- Introduction
- Allowing Access to the Router
- Controlling Root Authentication
- Logging In to the Routers Console
- Setting the Login Authentication Methods
- Setting Up Login Accounts on the Router
- Changing the Format of Plain-Text Passwords
- Changing the Plain-Text Password Encryption Method
- Creating a Login Account for Remote Authentication
- Creating a Group Login Account
- Customizing Account Privileges
- Creating a Privilege Class that Hides Encrypted Passwords
- Setting Up RADIUS User Authentication
- Setting Up TACACS+ User Authentication
- Restricting Inbound SSH and Telnet Access
- Setting the Source Address for Telnet Connections
- Creating a Login Banner
- Finding Out Who Is Logged In to the Router
- Logging Out of the Router
- Forcibly Logging a User Out
IPSec
- IPSec
- Introduction
- Configuring IPSec
- Configuring IPSec Dynamic SAs
- Creating IPSec Dynamic SAs on J-Series Routers or Routers with AS PICs
- Using Digital Certificates to Create Dynamic IPSec SAs
SNMP
- SNMP
- Introduction
- Configuring SNMP
- Setting Router Information for the MIB-II System Group
- Setting Up SNMP Traps
- Controlling SNMP Access to the Router
- Using a Firewall Filter to Protect SNMP Access
- Controlling Access to Router MIBs
- Extracting Software Inventory Information with SNMP
- Extracting Hardware Inventory Information with SNMP
- Collecting Router Operational Information with SNMP
- Logging SNMP Access to the Router
- Logging Enterprise-Specific Traps
- Using RMON Traps to Monitor the Routers Temperature
- Configuring SNMPv3
- Tracking Router Configuration Changes
- Setting Up SNMPv3 Traps
Logging
- Logging
- Introduction
- Turning On Logging
- Limiting the Messages Collected
- Including the Facility and Severity in Messages
- Changing the Size of a Logging File
- Clearing the Routers Logfiles
- Sending Log Messages to Your Screen
- Sending Logging Messages to a Log Server
- Saving Logging Messages to the Other Routing Engine
- Turning Off Logging
- Turning On Basic Tracing
- Monitoring Interface Traffic
NTP
- NTP
- Introduction
- Setting the Date and Time on the Router Manually
- Setting the Time Zone
- Synchronizing Time When the Router Boots
- Synchronizing Time Periodically
- Authenticating NTP
- Checking NTP Status
Router Interfaces
- Router Interfaces
- Introduction
- Viewing Interface Status
- Viewing Traffic Statistics on an Interface
- Setting an IP Address for the Router
- Setting the Routers Source Address
- Configuring an IPv4 Address on an Interface
- Configuring an IPv6 Address on an Interface
- Configuring an ISO Address on an Interface
- Creating an MPLS Protocol Family on a Logical Interface
- Configuring an Interface Description
- Choosing Primary and Preferred Interface Addresses
- Using the Management Interface
- Finding Out What IP Addresses Are Used on the Router
- Configuring Ethernet Interfaces
- Using VRRP on Ethernet Interfaces
- Connecting to an Ethernet Switch
- Configuring T1 Interfaces
- Performing a Loopback Test on a T1 Interface
- Setting Up a BERT Test on a T1 Interface
- Configuring Frame Relay on a T1 Interface
- Configuring a SONET Interface
- Using APS to Protect Against SONET Circuit Failures
- Configuring an ATM Interface
- Dealing with Nonconfigurable Interfaces
- Configuring Interfaces Before the PICs Are Installed
IP Routing
- IP Routing
- Introduction
- Viewing the Routes in the Routing Table
- Viewing Routes to a Particular Prefix
- Viewing Routes Learned from a Specific Protocol
- Displaying the Routes in the Forwarding Table
- Creating Static Routes
- Blackholing Routes
- Filtering Traffic Using Unicast Reverse-Path Forwarding
- Aggregating Routes
- Load-Balancing Traffic Flows
- Adding Martian Addresses
- Changing Route Preferences to Migrate to Another IGP
- Configuring Routing Protocols to Restart Without Losing Adjacencies
Routing Policy and Firewall Filters
- Routing Policy and Firewall Filters
- Introduction
- Creating a Simple Routing Policy
- Changing a Routes Routing Information
- Filtering Routes by IP Address
- Filtering Long Prefixes
- Filtering Unallocated Prefix Blocks
- Creating a Chain of Routing Policies
- Making Sure a Routing Policy Is Functioning Properly
- Creating a Simple Firewall Filter that Matches Packet Contents
- Creating a Firewall Filter that Negates a Match
- Reordering Firewall Terms
- Filtering Traffic Transiting the Router
- Using a Firewall Filter to Count Traffic on an Interface
- Logging the Traffic on an Interface
- Limiting Traffic on an Interface
- Protecting the Local Routing Engine
- Rate-Limiting Traffic Flow to the Routing Engine
- Using Counters to Determine Whether a Router Is Under Attack
RIP
- RIP
- Introduction
- Configuring RIP
- Having RIP Advertise Its Routes
- Configuring RIP for IPv6
- Enabling RIP Authentication
- Routing RIP Traffic over Faster Interfaces
- Sending Version 1 Update Messages
- Tracing RIP Protocol Traffic
IS-IS
- IS-IS
- Introduction
- Configuring IS-IS
- Viewing the IS-IS Link-State Database
- Viewing Routes Learned by IS-IS
- Configuring IS-IS for IPv6
- Configuring a Level 1Only Router
- Controlling DIS Election
- Enabling IS-IS Authentication
- Redistributing Static Routes into IS-IS
- Leaking IS-IS Level 2 Routes into Level 1
- Adjusting IS-IS Link Costs
- Improving IS-IS Convergence Times
- Moving IS-IS Traffic off a Router
- Disabling IS-IS on an Interface
- Tracing IS-IS Protocol Traffic
OSPF
- Introduction
- Configuring OSPF
- Viewing Routes Learned by OSPF
- Viewing the OSPF Link-State Database
- Configuring OSPF for IPv6
- Configuring a Multiarea OSPF Network
- Setting Up Stub Areas
- Creating a Not-So-Stubby Area
- Summarizing Routes in OSPF
- Enabling OSPF Authentication
- Redistributing Static Routes into OSPF
- Adjusting OSPF Link Costs
- Improving OSPF Convergence Times
- Moving OSPF Traffic off a Router
- Disabling OSPF on an Interface
- Tracing OSPF Protocol Traffic
BGP
- Introduction
- Configuring a BGP Session Between Routers in Two ASs
- Configuring BGP on Routers Within an AS
- Diagnosing TCP Session Problems
- Adjusting the Next-Hop Attribute
- Adjusting Local Preference Values
- Removing Private AS Numbers from the AS Path
- Prepending AS Numbers to the AS Path
- Filtering BGP Routes Based on AS Paths
- Restricting the Number of Routes Advertised to a BGP Peer
- Authenticating BGP Peers
- Setting Up Route Reflectors
- Mitigating Route Instabilities with Route Flap Damping
- Adding a BGP Community to Routes
- Load-Balancing BGP Traffic
- Tracing BGP Protocol Traffic
MPLS
- Introduction
- Configuring LSPs Using LDP as the Signaling Protocol
- Viewing Information and LDP-Signaled LSPs in the Routing Tables
- Verifying that an LDP-Signaled LSP Is Carrying Traffic
- Enabling LDP Authentication
- Tracing LDP Operations
- Setting Up RSVP-Signaled LSPs
- Viewing Information About RSVP-Signaled LSPs in the Routing Tables
- Verifying Packet Labels
- Verifying that the RSVP-Signaled LSP Is Carrying Traffic
- Configuring RSVP Authentication
- Protecting an LSPs Path
- Using Fast Reroute to Reduce Packet Loss Following a Link Failure
- Automatically Allocating Bandwidth
- Prioritizing LSPs
- Allowing IGP Traffic to Use an LSP
- Installing LSPs into the Unicast Routing Table
- Tracing RSVP Operations
VPNs
- Introduction
- Setting Up a Simple Layer 3 VPN
- Viewing the VPN Routing Tables
- Adding a VPN for a Second Customer
IP Multicast
- Introduction
- Configuring PIM-SM
- Manually Establishing a PIM-SM RP
- Using Auto-RP to Dynamically Map RPs
- Setting Up a PIM-SM Bootstrap Router
- Filtering PIM-SM Bootstrap Messages
- Configuring Multiple RPs in a PIM-SM Domain with Anycast RP
- Configuring Multiple RPs in a PIM-SM Domain Anycast PIM
- Limiting the Group Ranges an RP Services
- Viewing Multicast Routes
- Checking the Groups for Which a PIM-SM Router Maintains Join State
- Manually Configuring IGMP
- Using SSM
- Connecting PIM-SM Domains Using MSDP and MBGP
- Configuring PIM-DM
- Tracing PIM Packets
EAN: 2147483647
Pages: 290
