Life is a Roller Coaster

February 18, 2008

Securing Router ::: Templates

Filed under: Technical section — adisubrata @ 3:18 PM

Every router connected to a network needs to be hardened to limit the impact of an attack. Your router must be secured against malicious attackers.

The links below show a security template for Juniper routers. You can modify it and apply it to your own routers.

Click here and here (firewall)

On a Juniper router the firewall filter goes on the loopback interface, lo0. Lo0 belongs to the Routing Engine (RE): any packet addressed to the router itself, whichever physical interface it arrives on, ends up on the RE, and the RE is the main target for an attacker. So putting the filter on lo0, in front of the RE, is the right choice.

The Packet Forwarding Engine (PFE) is connected to the Routing Engine (RE) over an internal Ethernet link, either Fast Ethernet or Gigabit Ethernet. It is a good idea to rate-limit all traffic going from the PFE up to the RE. Packets such as Telnet, SSH, ICMP and FTP are not forwarded in hardware but punted to the RE as exception packets, so you have to limit them before someone uses them to exhaust the RE. I usually define a 1 Mbps policer and apply it to traffic such as ICMP and traceroute. Any matching traffic towards the RE above 1 Mbps is discarded; transit traffic passing through the router is not affected, because the filter sits on lo0.

Policer configuration:

    policer radius-policer {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }

This policer is combined with specific ICMP or traceroute terms. The term references the policer by name, so the name must match a policer that is actually defined under the firewall stanza (here, radius-policer from above):

        term trace-route {
            from {
                protocol udp;
                destination-port 33434-33523;
            }
            then {
                policer radius-policer;
                accept;
            }
        }

Limiting SSH and Telnet is simply a matter of permitting only the source addresses that are allowed to reach the router. The template looks like this one (the | shows the alternatives; pick one per term):

        term ABCD {
            from {
                source-prefix-list {
                    radius-addresses|telnet-address|ssh-address;
                }
                protocol udp|tcp;
                port radius|telnet|ssh;
            }
            then {
                policer radius-policer;
                accept;
            }
        }

The template above controls remote access to the router. It is configured under the term ABCD. The term references a source-prefix-list, which must be defined separately under the policy-options stanza. It means that only packets whose source address is in the prefix list (radius-addresses, telnet-address or ssh-address) are allowed in for SSH, Telnet, or AAA checking with RADIUS. Packets whose source address does not match fall through to the later terms and, if nothing else accepts them, are dropped by the implicit discard at the end of every Junos firewall filter. Two things to keep in mind: "port" matches either the source or the destination port, so for SSH and Telnet to the router "destination-port" is the tighter match, while RADIUS replies carry the server's port as the source port; and anything else the RE needs (BGP, OSPF, NTP, DNS, SNMP) must be accepted by some term, otherwise committing the filter will cut your adjacencies or lock you out.
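As an added example (not the post's own configuration and not one of the linked templates), here is a complete lo0 input filter that puts the pieces above together: the 1 Mbps policer, a management term restricted to a prefix list, the ICMP and traceroute terms, a routing-protocol term placed first so it cannot be broken by a mistake lower down, a logged default discard, and the apply statement on lo0. The prefix-list names, the addresses (RFC 5737 documentation ranges), the filter name protect-re and the policer name small-bandwidth-policer are all assumed placeholders.

```junos
/* Added example: full lo0 input filter. Names and addresses are assumed placeholders. */
policy-options {
    prefix-list mgmt-addresses {
        192.0.2.0/24;           /* assumed management subnet */
    }
    prefix-list radius-addresses {
        198.51.100.10/32;       /* assumed RADIUS server */
    }
    prefix-list bgp-peers {
        203.0.113.1/32;         /* assumed BGP neighbour */
    }
}
firewall {
    policer small-bandwidth-policer {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    family inet {
        filter protect-re {
            /* Routing protocols first: a typo in a later term cannot drop the BGP session */
            term bgp {
                from {
                    source-prefix-list {
                        bgp-peers;
                    }
                    protocol tcp;
                    port bgp;
                }
                then accept;
            }
            term management {
                from {
                    source-prefix-list {
                        mgmt-addresses;
                    }
                    protocol tcp;
                    destination-port [ ssh telnet ];
                }
                then {
                    policer small-bandwidth-policer;
                    accept;
                }
            }
            /* RADIUS replies: the server's port shows up as the source port */
            term radius {
                from {
                    source-prefix-list {
                        radius-addresses;
                    }
                    protocol udp;
                    source-port [ radius radacct ];
                }
                then accept;
            }
            term icmp {
                from {
                    protocol icmp;
                    icmp-type [ echo-request echo-reply unreachable time-exceeded ];
                }
                then {
                    policer small-bandwidth-policer;
                    accept;
                }
            }
            term trace-route {
                from {
                    protocol udp;
                    destination-port 33434-33523;
                }
                then {
                    policer small-bandwidth-policer;
                    accept;
                }
            }
            /* Everything else: log before discarding so a lock-out is diagnosable */
            term default-deny {
                then {
                    log;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```

Apply it with "commit confirmed" so that a mistake rolls back on its own, and add a term for every other protocol the RE actually speaks on your network (OSPF, NTP, SNMP, DNS) before the default-deny term, following the same pattern.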

I won't explain every term and configuration option for Juniper security. You can read about them at the links I gave above.

Another good source is Team Cymru.

Click below to see their template:

Cymru Junos Template

You can read it and then rework it for your own routers.

::: Securing every router is a must and mandatory for all live routers :::
