Internet attacks are raging-get a bulletproof vest for your network equipment!

2025-02-23 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

Cyber attackers are everywhere.

In January 2018, everyone was as busy as usual, the rumbling fans in the IT equipment room were noisy and loud, and everything seemed so normal.

However, if you look at the digital world in the device from a different perspective, the landscape is completely different. The undercurrent of the data packet is surging, scrambling to reach the end of the world.

As the saying goes, where there are people, there is a jianghu. And the Internet, which is run by people, is inevitably full of fights too.

Look at the picture above. It is not something I cooked up in Photoshop; it is a real map of worldwide network attack traffic. Attack traffic of every kind crosses borders and reaches every Internet-connected device.

In the case that the personal computer cannot escape the claws of the network attack, how can the network equipment be left alone?

It's impossible. Network equipment is also one of the targets of the attacker, and it's an important target, unless you unplug the power cord.

This is like hitting a snake at seven inches. If the attacker wants to create a wide range of Internet failures, it is much cheaper to take down the network equipment than to try to conquer each terminal target.

Boss, give me a bulletproof vest for my network equipment!

How do you avoid being captured by attackers? Do security hardening! If we can, we put on the "golden bell" and "iron shirt" of kung fu legend and become bulletproof.

How to strengthen the security of network equipment? Common practices:

I believe that the first thing that comes to mind of many friends is to use a method similar to ACL access control list, allowing only trusted administrators to access management devices, restricting specific protocols, and so on.

A router or switch interface is configured with ACL to allow specific traffic. Restrict the use of SSH, HTTPS and other access devices on specific network segments. Is that enough?

1. How to limit the in-band and out-of-band security of network devices?

2. How to allow only a specific source address to connect to a device protocol, such as BGP, etc.?

3. Are unnecessary network services turned off?

4. Is device logging properly configured, recording device login records and other network management traces?

5. Is the configuration saved periodically to avoid unexpected failures?

I'm a rich man: I'll have a third-party security company do a security scan.

Or, if you have the budget, you can go straight to a third-party security company for a security scan and fix things according to the assessment report. But it costs a lot of money.

I'm a do-it-yourselfer: I'll handle it myself, in one go!

In fact, besides spending money, we can also choose to solve the problem ourselves. On the one hand this saves the company money, and on the other hand it sharpens personal skills. Why not?

So, to meet the needs of the Grandet-style misers among us, and in the spirit of self-reliance, this article summarizes a way of thinking about network device security hardening for your reference.

Throw a brick to attract jade, take Juniper as an example to teach you step by step network equipment security reinforcement.

Since we want to discuss network equipment reinforcement, we need to take a specific product as the display object, because I have used Juniper equipment for a long time, so I will take its products as an example to tell you.

At the same time, it should be noted that the following content is not limited to Juniper devices, in addition to understanding the reinforcement of Juniper, the most important thing is to understand this way of thinking and apply it to the corresponding manufacturers around you.

Basic skills: make sure the device software has no significant bugs, install the manufacturer-recommended OS, and keep a real-time eye on system bugs

This step is particularly important, but it is extremely easy to ignore.

Flies don't bite an egg without a crack, and neither do cyber attacks. If an attacker only goes after the things everyone already watches, such as trying his luck on a Telnet login, his skill level is questionable.

The real attacker goes after system bugs that he knows about and you don't. Obviously, then, you need to keep up with system bug reports in real time. Take me for example: every so often I check whether the JUNOS release my Juniper devices are running has a major bug, and then propose a fix. (Your boss will think you are very far-sighted and give you a raise.)

How to check JUNOS system vulnerabilities

Method 1: check the Juniper website bug library: https://kb.juniper.net/InfoCenter/index?page=content&channel=SECURITY_ADVISORIES

Method 2: check the Juniper website Problem Search software bug library: https://prsearch.juniper.net

By regularly consulting the Bug information of the JUNOS system you use and taking relevant measures according to Juniper recommendations, you can greatly avoid the problem of network outage caused by the system bug.

Install the OS operating system recommended by the manufacturer

This step is easy to understand. Network equipment manufacturers generally recommend a certain OS version. Based on the manufacturer's own statistics and customer feedback, that version is considered relatively stable with relatively few bugs.

Juniper manufacturer recommends OS system summary

https://kb.juniper.net/InfoCenter/index?page=content&id=KB21476&actp=METADATA

If the body can't be kept, what about the soul? Physical security of the device

What is physical device security? It includes but is not limited to the following:

1. The physical environment of the device is secure.

2. The physical ports and interfaces of the device are secure.

3. The device display is secure.

Physical environment security of the device

Network equipment is generally installed in a specific rack in the equipment room. But if the room's security is poor and anyone can walk in at any time and move a production device, cut its power, or plug and unplug cables, then every other security measure is moot.

Just as a girl in love always says to a boy, "if you can't even give me a basic sense of security, you won't talk about love at all."

So, engineers, buy a better "house" for your network equipment and order sense of security for them. For example, as mentioned in my previous OOB article "Building an out-of-band OOB network", the rack door lock + sensor is used to ensure the security of the device.

Device port security

Console interface security

The Console interface is used as the management interface of the device. In terms of importance, no other in-band and out-of-band management can be compared with it.

In the daily operation and maintenance, it is inevitable to go to the site to debug the equipment through console. When engineers log in to the device with console, they often forget to log out of the system with logout. Instead, pull out the console cable directly. The harm is that other people can then plug in through the console login device without any verification and directly use the authority of the previous user to perform various operations on the network device through console.

In other words, if the previous engineer logs in using a root account, the subsequent attacker is also in root mode and can take the device offline, restart, shut down and other major operations at any time.

Security setting recommendation

1. Enable the logout-on-disconnect feature and log out of the current user directly after removing the console line.

[edit system ports]

GingerBeer@Juniper# set console log-out-on-disconnect

2. Do not log in using the root account on the console interface.

[edit system ports]

GingerBeer@Juniper# set console insecure

3. Tough move: shut down the console interface. In some specific cases, such as when the physical environment of the device cannot be guaranteed, in order to avoid malicious use of console to guess passwords or perform other tasks, you can directly shut down the console interface.

[edit system ports]

GingerBeer@Juniper# set console disable

Auxiliary interface and device board diagnostic interface security

Auxiliary Port auxiliary interface

The auxiliary interface is rarely used. It has two main functions: an external modem can be attached so that the device can be managed remotely over a dial-up connection, and it can sometimes serve as a second console.

Since it is rarely used, it is best to turn it off. Taking Junos as an example, Junos disables the auxiliary interface by default, even though that does not show up in the configuration. From a security point of view, though, the shutdown of the auxiliary interface can be made explicit.

Explicitly shut down the secondary interface

[edit system ports]

GingerBeer@Juniper# set auxiliary disable

Board diagnostic interface

For high-end routers or switches, there are usually two Routing Engine routing engine cards, two fabric boards and multiple service cards.

On the fabric board, there will be something similar to the console interface of the routing engine. Its significance is that if there are some faults that need to be diagnosed from the board level, the information can be collected by connecting the diagnosis port of the exchange card.

From a security perspective, diagnostic interfaces generally have no password. Yes, you read that right: no password at all.

Taking Juniper as an example, some SCB, SSB, SFM and FEB cards have this diagnostic interface. From a security point of view, we should set up password authentication for it.

Diagnostic interface settings password authentication

The setting method is as follows:

[edit system]

GingerBeer@Juniper# set diag-port-authentication plain-text-password

New password:

Retype new password:

[edit system]

Or

GingerBeer@Juniper# set pic-console-authentication plain-text-password

New password:

Retype new password:

[edit system]

GingerBeer@Juniper#

USB interface security

USB provides convenient file transfer and storage extensions, and you can consider turning it off based on your security requirements.

[edit chassis]

GingerBeer@Juniper# show

usb {

    storage {

        disable;

    }

}

[edit chassis]

GingerBeer@Juniper#

Device display screen security

This is interesting. On some switches, there will be a small monochrome LCD screen, usually with a few small buttons next to it. Don't underestimate this LCD display. Through this screen, you can perform some basic system maintenance and control functions, such as offline card, reset system configuration and so on. So if we don't use its function often, we can choose to turn off the operation function of the LCD screen.

Lock the LCD screen operation function, only watch, do not touch!

[edit]

GingerBeer@Juniper# set chassis craft-lockout

Make the system simple and shut down unnecessary services

Generally speaking, devices such as routers, switches and even firewalls are more secure than servers, because network devices turn on far fewer services by default.

Now that security reinforcement is done, we need a spirit of picking bones in an egg. Let's see what unnecessary services can be turned off on network equipment.

Turn off the automatic installation configuration service

In the initial environment of many Juniper devices, in order to meet the needs of automation, such as mass configuration of devices. The automatic installation configuration feature is enabled by default. From a security perspective, if you don't need this feature, you can choose to turn it off.

Turn off automatic installation

[edit]

GingerBeer@Juniper# delete system autoinstallation

Juniper SRX only, turn off automatic installation from USB

[edit]

GingerBeer@Juniper# set system autoinstallation usb disable

Turn off ICMP redirection

ICMP redirection is a notification sent by a router to the sender of an IP packet to inform them of a better way to reach a specific destination host or network. After receiving the redirection, the source device should modify the way it routes and then send subsequent packets through the next hop recommended by the router.

Attackers can exploit ICMP redirects by sending the router a large number of packets with non-optimal routing, prompting the router to return thousands of ICMP redirects and thereby producing a DDoS attack.

However, in a well-designed network environment, ICMP redirection information is not needed and should not appear, so we can turn it off.

Similar to other vendors, Juniper's Junos enables ICMP redirection by default.

Turn off ICMP redirection

[edit]

GingerBeer@Juniper# set system no-redirects

Prohibit TCP malicious flag and TCP detection

TCP malicious flag

Let's start with TCP malicious flag. We all know that SYN or FIN flag tags are used in the normal TCP negotiation process, SYN is used to establish TCP, and FIN is used to dismantle TCP sessions.

But no normal packet would put both SYN and FIN in the tag flag, because the logic is contradictory.

However, someone will deliberately create this packet, and send a large number of invalid packets to create DOS attacks, and learn the operating system information of the target device.

We can configure JUNOS to discard invalid data with both SYN and FIN fields without responding.

The configuration is as follows:

{master:0} [edit]

GingerBeer@Juniper# set system internet-options tcp-drop-synfin-set

TCP probe

In order to detect the port opening range and status of the target network device, the attacker can send a large number of TCP-SYN connection requests and know the port opening by looking at the reply message of the network device.

In the case of high-intensity scanning, the load on network devices will increase, resulting in DOS attacks.

Configure JUNOS not to reply with a TCP RST to a SYN sent to a closed port, so that an attacker cannot tell whether the port is open or not.

{master:0}[edit]

GingerBeer@Juniper# set system internet-options no-tcp-reset drop-tcp-with-syn-only

Rational use of LLDP neighbor Discovery

LLDP is similar to Cisco's CDP; it is simply the neighbor discovery protocol standardized by IEEE. Since it exists to be discovered by neighbors, it naturally exposes the details of the network device itself. So it is good security practice to turn on LLDP only on the ports that need it.

The examples are as follows:

In the following example, LLDP is turned off by default on all interfaces, except for the required ge-0/0/0 & ge-0/0/3 interface.

[edit]

GingerBeer@Juniper# edit protocols lldp

[edit protocols lldp]

GingerBeer@Juniper# set interface all disable

[edit protocols lldp]

GingerBeer@Juniper# set interface ge-0/0/0.0

[edit protocols lldp]

GingerBeer@Juniper# set interface ge-0/0/3.0

No footprints in the snow? Not a chance: turn on syslog to record user activity.

As far as the operation and maintenance staff are concerned, we want to be able to see the user's every move after logging on to the network device, such as which account logged in and what commands he executed after logging in.

With such a function, it is like installing an invisible camera on a network device to monitor the login user's every move. At the same time, it also acts as a deterrent.

Juniper's Junos is very good at logging. It can pick out the information you need from all the log records and store it on a specific file or syslog server according to the user's needs.

The configuration is as follows:

set system syslog file interactive-commands interactive-commands any

set system syslog file authorization authorization info

View the user login record:

show log authorization

The effect is as follows:

Jan 20 01:17:08 GingerBeer-RTR01 sshd[11590]: (pam_sm_acct_mgmt): DEBUG: PAM_USER: ro

Jan 20 01:17:08 GingerBeer-RTR01 sshd[11590]: (pam_sm_acct_mgmt): DEBUG: PAM_ACTUAL_USER: Gingerbeer

Jan 20 01:17:08 GingerBeer-RTR01 sshd[11590]: Accepted password for Gingerbeer from 1.2.3.4 port 12345 ssh3

Jan 20 01:21:10 GingerBeer-RTR01 sshd[11777]: (pam_sm_acct_mgmt): DEBUG: PAM_USER: ro

Jan 20 01:21:10 GingerBeer-RTR01 sshd[11777]: (pam_sm_acct_mgmt): DEBUG: PAM_ACTUAL_USER: Gingerbeer

Jan 20 01:21:10 GingerBeer-RTR01 sshd[11775]: Accepted keyboard-interactive/pam for Gingerbeer from 12345 port 12345 ssh3

Jan 20 01:21:10 GingerBeer-RTR01 sshd[11775]: Received disconnect from 1.2.3.4: 11: PECL/ssh3 (http://pecl.php.net/packages/ssh3)

Jan 20 01:21:10 GingerBeer-RTR01 sshd[11775]: Disconnected from 1.2.3.4

View the user's command execution record:

show log interactive-commands | last

The effect is as follows:

Jan 20 07:52:30 GingerBeer-RTR01 mgd[30631]: UI_CMDLINE_READ_LINE: User 'Gingerbeer', command 'show interfaces terse'

Jan 20 07:53:03 GingerBeer-RTR01 mgd[30631]: UI_CMDLINE_READ_LINE: User 'Gingerbeer', command 'show route'

Jan 20 07:53:37 GingerBeer-RTR01 mgd[30631]: UI_CMDLINE_READ_LINE: User 'Gingerbeer', command 'show configuration | display set | no-more'

Jan 20 07:53:56 GingerBeer-RTR01 mgd[30631]: UI_CMDLINE_READ_LINE: User 'Gingerbeer', command 'show log interactive-commands | last'
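As an added example (not part of the original article), the following Python reads lines in the format of the two logs above and picks out what an operator most wants to see in them: repeated failed SSH logins from one source, and commands that change the box. The log lines are constructed for this example; hostname, user names, addresses and PIDs are made up, and the list of watched command prefixes is my own choice.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of Junos "show log authorization"
# (sshd via PAM) and "show log interactive-commands" (mgd). Hostname, user
# names, addresses and PIDs are made up for this example.
AUTH_LOG = """\
Jan 20 01:17:08 GingerBeer-RTR01 sshd[11590]: Accepted password for Gingerbeer from 1.2.3.4 port 12345 ssh2
Jan 20 01:19:42 GingerBeer-RTR01 sshd[11650]: Failed password for root from 198.51.100.7 port 40022 ssh2
Jan 20 01:19:45 GingerBeer-RTR01 sshd[11650]: Failed password for root from 198.51.100.7 port 40022 ssh2
Jan 20 01:19:49 GingerBeer-RTR01 sshd[11650]: Failed password for admin from 198.51.100.7 port 40023 ssh2
Jan 20 01:21:10 GingerBeer-RTR01 sshd[11775]: Accepted keyboard-interactive/pam for Gingerbeer from 1.2.3.4 port 12346 ssh2
Jan 20 01:21:10 GingerBeer-RTR01 sshd[11775]: Disconnected from 1.2.3.4
"""

CMD_LOG = """\
Jan 20 07:52:30 GingerBeer-RTR01 mgd[30631]: UI_CMDLINE_READ_LINE: User 'Gingerbeer', command 'show interfaces terse '
Jan 20 07:53:03 GingerBeer-RTR01 mgd[30631]: UI_CMDLINE_READ_LINE: User 'Gingerbeer', command 'show route '
Jan 20 07:55:12 GingerBeer-RTR01 mgd[30631]: UI_CMDLINE_READ_LINE: User 'Gingerbeer', command 'delete system services telnet '
Jan 20 07:55:40 GingerBeer-RTR01 mgd[30631]: UI_CMDLINE_READ_LINE: User 'Gingerbeer', command 'commit '
"""

TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)"
AUTH_RE = re.compile(
    TS + r" (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<result>Accepted|Failed) "
    r"(?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)")
CMD_RE = re.compile(
    TS + r" (?P<host>\S+) mgd\[\d+\]: UI_CMDLINE_READ_LINE: "
    r"User '(?P<user>[^']+)', command '(?P<cmd>[^']*)'")

# Commands that change state or configuration; anything starting with one of
# these deserves a closer look in the audit trail (prefixes chosen for this example).
WATCHED_PREFIXES = ("set ", "delete ", "commit", "request system", "load ")


def parse_auth(text):
    """Return one dict per login attempt found in authorization-log text."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            d = m.groupdict()
            d["ok"] = d["result"] == "Accepted"
            events.append(d)
    return events


def failed_logins_by_source(events, threshold=3):
    """Sources with at least `threshold` failed attempts (password guessing)."""
    counts = Counter(e["src"] for e in events if not e["ok"])
    return {src: n for src, n in counts.items() if n >= threshold}


def parse_commands(text):
    """Return one dict per UI_CMDLINE_READ_LINE entry, command whitespace trimmed."""
    events = []
    for line in text.splitlines():
        m = CMD_RE.match(line)
        if m:
            d = m.groupdict()
            d["cmd"] = d["cmd"].strip()
            events.append(d)
    return events


def watched_commands(events):
    """Commands that alter the box, with who ran them and when."""
    return [(e["ts"], e["user"], e["cmd"]) for e in events
            if e["cmd"].startswith(WATCHED_PREFIXES)]


if __name__ == "__main__":
    for src, n in failed_logins_by_source(parse_auth(AUTH_LOG)).items():
        print(f"{n} failed SSH logins from {src}")
    for ts, user, cmd in watched_commands(parse_commands(CMD_LOG)):
        print(f"{ts} {user}: {cmd}")
```

The same two regular expressions work on files exported from the syslog server configured in the archival section, which is where this kind of check belongs: the device's own log is the first thing an intruder with configuration rights can clear.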

Automatically back up device configuration

There is no doubt that the most valuable thing on a network device is its configuration. I have seen many engineer friends panic after a device went down, simply because the configuration had not been backed up regularly; they could not even build a replacement.

In Juniper's Junos, it is a very simple thing to back up the configuration automatically.

The settings are as follows:

[edit system archival configuration]

GingerBeer@Juniper# show

transfer-interval 1440;

archive-sites {

    "scp://Gingerbeer@1.2.3.4:/Configs" password "$9$EGCyMCVb1JGnev2aajPf359AO1"; ## SECRET-DATA

}

A brief interpretation of the above settings shows that every 24 hours the router sends the current configuration via SCP to the 1.2.3.4 server.

Turn off unsafe system services

The so-called insecure system services are those that transmit in clear text. They are therefore extremely easy for a man-in-the-middle to intercept and use to obtain login rights to the system, and so on.

For example, the following services:

1. Turn off the Berkeley "r" services (rsh, rlogin):

[edit system services]

GingerBeer@Juniper# delete rsh

[edit system services]

GingerBeer@Juniper# delete rlogin

2. Turn off FTP:

[edit system services]

GingerBeer@Juniper# delete ftp

3. Turn off Finger:

[edit system services]

GingerBeer@Juniper# delete finger

4. Turn off Telnet:

[edit system services]

GingerBeer@Juniper# delete telnet

5. Close the J-web logged in through HTTP:

[edit system services]

GingerBeer@Juniper# delete web-management http

6. Turn off Reverse Telnet:

[edit system services]

GingerBeer@Juniper# delete reverse telnet

7. Turn off clear-text Junoscript access:

[edit system services]

GingerBeer@Juniper# delete xnm-clear-text

8. Turn off TFTP server:

[edit system services]

GingerBeer@Juniper# delete tftp-server

Set user login parameters.

This step can be regarded as an addition, and the system usually has a default value. And you can modify it to a specific value according to the needs of your own network.

Case of setting user login parameters

{master:0}[edit system login retry-options]

GingerBeer@Juniper# show

tries-before-disconnect 3;  ## try up to 3 times before disconnecting

backoff-threshold 1;  ## after 1 failed password attempt, start delaying further login attempts

backoff-factor 6;  ## the waiting time, in seconds, before the user may try to log in again

minimum-time 30;  ## wait 30 seconds for the user to type a password

maximum-time 60;  ## when a user logs in via SSH or another method, wait 60 seconds for the user to type a user name and password; the TCP connection is terminated after the timeout

lockout-period 10;  ## lock the user name for 10 minutes after the user fails to log in more than the number of times specified above

The grand finale, routing engine protection design logic

The settings above each protect part of the device, but protecting the entire router still depends on a comprehensive routing engine protection mechanism.

Not to dress it up with fancy terms and call it the grand finale: put bluntly, it is a set of ACL access lists restricting traffic to the routing engine.

But don't worry, ACLs have their advanced tricks too, otherwise how could this be called "design"?

Analysis of Design ideas

First, we need to divide the traffic arriving at the router into two main categories:

1. Management traffic

2. Protocol traffic

Second, list all the protocols for the above two types of traffic.

Examples are as follows:

Management traffic: usually SSH, SNMP, NTP, RADIUS, ICMP and traceroute.

Because an ACL is stateless, traffic the router itself sends to the outside world also needs an entry permitting its return traffic, for example the reply to a RADIUS request. (Very important.)

Protocol traffic: usually OSPF, RIP and BGP, or LDP and RSVP from the MPLS family.

Based on each protocol's port characteristics, write the source and destination ports to be opened into the entries.

After the analysis, let's look at how a real case is written; a real case is the most convincing.

Juniper firewall filter: a worked case with analysis.

Term note: the first term protects against TCP SYN flooding. It first matches all BGP neighbor addresses as well as the management addresses, then TCP packets whose flags are SYN (without ACK), FIN or RST, and finally uses a QoS policer to limit this traffic to a burst of 100k.

set firewall family inet filter protect-re term synflood-protect from source-prefix-list bgp-neighbors

set firewall family inet filter protect-re term synflood-protect from source-prefix-list mgmt-nets

set firewall family inet filter protect-re term synflood-protect from protocol tcp

set firewall family inet filter protect-re term synflood-protect from tcp-flags "(syn & !ack) | fin | rst"

set firewall family inet filter protect-re term synflood-protect then policer limit-100k

set firewall family inet filter protect-re term synflood-protect then accept

Additional configuration:

set policy-options prefix-list bgp-neighbors apply-path "protocols bgp group <*> neighbor <*>"

This command automatically collects the IP addresses of all BGP neighbors in every group, so I no longer have to match the addresses one by one!

set policy-options prefix-list ipv4-interfaces apply-path "interfaces <*> unit <*> family inet address <*>"

This command automatically collects all IPv4 addresses configured on the router.

PS, some friends may not understand these fun and efficient features of Junos, so please move on to another Juniper JUNOS technical article I wrote earlier: enter phobia? 13 JUNOS tips to help you easily configure your network

Term note: the second term allows the neighbor next door, Lao Wang, to initiate BGP to this router; the destination address range is all of the router's own IP addresses. Note that the condition is "destination-port" 179: because this firewall filter is ultimately applied in the input direction toward the routing engine, destination port 179 refers to the router itself.

set firewall family inet filter protect-re term allow-bgp from source-prefix-list bgp-neighbors

set firewall family inet filter protect-re term allow-bgp from destination-prefix-list ipv4-interfaces

set firewall family inet filter protect-re term allow-bgp from protocol tcp

set firewall family inet filter protect-re term allow-bgp from destination-port bgp

set firewall family inet filter protect-re term allow-bgp then accept

Term note: the third term allows the OSPF protocol.

set firewall family inet filter protect-re term allow-ospf from source-prefix-list ipv4-interfaces

set firewall family inet filter protect-re term allow-ospf from destination-prefix-list ospf-allrouters

set firewall family inet filter protect-re term allow-ospf from destination-prefix-list ipv4-interfaces

set firewall family inet filter protect-re term allow-ospf from protocol ospf

set firewall family inet filter protect-re term allow-ospf then accept

Term note: the fourth term allows SSH and limits SSH traffic to 10Mbps with a policer; normal SSH management traffic will generally not exceed this value.

set firewall family inet filter protect-re term allow-ssh from source-prefix-list mgmt-nets

set firewall family inet filter protect-re term allow-ssh from protocol tcp

set firewall family inet filter protect-re term allow-ssh from destination-port ssh

set firewall family inet filter protect-re term allow-ssh then policer limit-10m

set firewall family inet filter protect-re term allow-ssh then accept

Term note: the fifth term allows SNMP, limited to 1Mbps.

set firewall family inet filter protect-re term allow-snmp from source-prefix-list snmp-servers

set firewall family inet filter protect-re term allow-snmp from protocol udp

set firewall family inet filter protect-re term allow-snmp from destination-port snmp

set firewall family inet filter protect-re term allow-snmp then policer limit-1m

set firewall family inet filter protect-re term allow-snmp then accept

Term note: the sixth term allows NTP, limited to 32kbps.

set firewall family inet filter protect-re term allow-ntp from source-prefix-list ntp-servers

set firewall family inet filter protect-re term allow-ntp from source-prefix-list localhost

set firewall family inet filter protect-re term allow-ntp from protocol udp

set firewall family inet filter protect-re term allow-ntp from destination-port ntp

set firewall family inet filter protect-re term allow-ntp then policer limit-32k

set firewall family inet filter protect-re term allow-ntp then accept

Term note: the seventh term allows RADIUS, limited to 32kbps.

set firewall family inet filter protect-re term allow-radius from source-prefix-list radiusservers

set firewall family inet filter protect-re term allow-radius from protocol udp

set firewall family inet filter protect-re term allow-radius from source-port radius

set firewall family inet filter protect-re term allow-radius then policer limit-32k

set firewall family inet filter protect-re term allow-radius then accept

Term note: the eighth term restricts ICMP fragments: they are logged to syslog and discarded.

set firewall family inet filter protect-re term icmp-frags from is-fragment

set firewall family inet filter protect-re term icmp-frags from protocol icmp

set firewall family inet filter protect-re term icmp-frags then syslog

set firewall family inet filter protect-re term icmp-frags then discard

Term note: the ninth term allows common ICMP messages, limited to 1Mbps.

set firewall family inet filter protect-re term allow-icmp from protocol icmp

set firewall family inet filter protect-re term allow-icmp from icmp-type echo-request

set firewall family inet filter protect-re term allow-icmp from icmp-type echo-reply

set firewall family inet filter protect-re term allow-icmp from icmp-type unreachable

set firewall family inet filter protect-re term allow-icmp from icmp-type time-exceeded

set firewall family inet filter protect-re term allow-icmp then policer limit-1m

set firewall family inet filter protect-re term allow-icmp then accept

Term note: the tenth term allows common traceroute messages, limited to 1Mbps.

set firewall family inet filter protect-re term allow-traceroute from protocol udp

set firewall family inet filter protect-re term allow-traceroute from destination-port 33434-33523

set firewall family inet filter protect-re term allow-traceroute then policer limit-1m

set firewall family inet filter protect-re term allow-traceroute then accept

Term note: the eleventh term allows the return traffic of SSH and BGP sessions that the router itself initiated. As mentioned earlier, Juniper's firewall filter is the equivalent of a Cisco ACL and keeps no session state, so traffic returning to the router must be explicitly permitted. It is also limited to 10Mbps.

set firewall family inet filter protect-re term tcp-established from protocol tcp

set firewall family inet filter protect-re term tcp-established from source-port ssh

set firewall family inet filter protect-re term tcp-established from source-port bgp

set firewall family inet filter protect-re term tcp-established from tcp-established

set firewall family inet filter protect-re term tcp-established then policer limit-10m

set firewall family inet filter protect-re term tcp-established then accept

Term note: the twelfth term is easy to understand: all traffic other than that specified above is discarded, without sending ICMP unreachable messages.

set firewall family inet filter protect-re term default-deny then log

set firewall family inet filter protect-re term default-deny then syslog

set firewall family inet filter protect-re term default-deny then discard

Application strategy

On Juniper devices the lo0 interface is cleverly designed: besides common uses such as carrying the router-id or serving as an interface that never goes down, more importantly it is the special channel to the routing engine. To limit traffic to the routing engine, instead of Cisco's control-plane policy you only need to bind a firewall filter to lo0 on Juniper.

After completing the firewall filter configuration, apply it to the loopback interface lo0, so that traffic to the routing engine is restricted:

set interfaces lo0 unit 0 family inet filter input protect-re
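To make the first-match logic of the twelve terms above concrete, here is an added Python model of the protect-re filter. It is not the article's code and not Junos itself; it evaluates constructed sample packets against the terms in the order the article lists them, with the same "conditions AND, values within one condition OR" semantics. The prefix-list contents are made-up values (on the router, bgp-neighbors and ipv4-interfaces are filled in by apply-path). It shows why a BGP SYN from a neighbor is handled by synflood-protect rather than allow-bgp, why the reply to a router-initiated SSH session needs the tcp-established term, and that an unsolicited SSH SYN from an unknown address falls through to default-deny.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed prefix-list contents; every value here is made up for this example.
PREFIX_LISTS = {
    "bgp-neighbors": ["192.0.2.2/32"],
    "mgmt-nets": ["203.0.113.0/24"],
    "ipv4-interfaces": ["192.0.2.0/30", "10.0.0.0/30", "10.255.0.1/32"],
    "ospf-allrouters": ["224.0.0.5/32", "224.0.0.6/32"],
    "snmp-servers": ["203.0.113.10/32"],
    "ntp-servers": ["203.0.113.20/32"],
    "localhost": ["127.0.0.1/32"],
    "radiusservers": ["203.0.113.30/32"],
}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp", "icmp" or "ospf"
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flags present: "syn", "ack", "fin", "rst"
    fragment: bool = False
    icmp_type: str = ""

@dataclass
class Term:
    """One filter term; conditions AND together, values within a condition OR."""
    name: str
    action: str             # "accept" or "discard"
    src: tuple = ()         # source-prefix-list names
    dst: tuple = ()         # destination-prefix-list names
    proto: str = None
    dport: tuple = ()       # (low, high) port ranges
    sport: tuple = ()
    tcp_flags: object = None    # predicate over the packet's TCP flag set
    fragment: bool = None
    icmp_types: tuple = ()
    policer: str = None

def in_lists(addr, names):
    ip = ip_address(addr)
    return any(ip in ip_network(p) for n in names for p in PREFIX_LISTS[n])

def term_matches(t, p):
    return all([
        not t.src or in_lists(p.src, t.src),
        not t.dst or in_lists(p.dst, t.dst),
        not t.proto or p.proto == t.proto,
        not t.dport or any(lo <= p.dport <= hi for lo, hi in t.dport),
        not t.sport or any(lo <= p.sport <= hi for lo, hi in t.sport),
        not t.tcp_flags or t.tcp_flags(p.flags),
        t.fragment is None or p.fragment == t.fragment,
        not t.icmp_types or p.icmp_type in t.icmp_types,
    ])

# The twelve terms of protect-re in the article's order; first match wins.
PROTECT_RE = [
    Term("synflood-protect", "accept", src=("bgp-neighbors", "mgmt-nets"), proto="tcp",
         tcp_flags=lambda f: ("syn" in f and "ack" not in f) or "fin" in f or "rst" in f,
         policer="limit-100k"),
    Term("allow-bgp", "accept", src=("bgp-neighbors",), dst=("ipv4-interfaces",),
         proto="tcp", dport=((179, 179),)),
    Term("allow-ospf", "accept", src=("ipv4-interfaces",),
         dst=("ospf-allrouters", "ipv4-interfaces"), proto="ospf"),
    Term("allow-ssh", "accept", src=("mgmt-nets",), proto="tcp", dport=((22, 22),),
         policer="limit-10m"),
    Term("allow-snmp", "accept", src=("snmp-servers",), proto="udp",
         dport=((161, 161),), policer="limit-1m"),
    Term("allow-ntp", "accept", src=("ntp-servers", "localhost"), proto="udp",
         dport=((123, 123),), policer="limit-32k"),
    Term("allow-radius", "accept", src=("radiusservers",), proto="udp",
         sport=((1812, 1812),), policer="limit-32k"),
    Term("icmp-frags", "discard", proto="icmp", fragment=True),
    Term("allow-icmp", "accept", proto="icmp", policer="limit-1m",
         icmp_types=("echo-request", "echo-reply", "unreachable", "time-exceeded")),
    Term("allow-traceroute", "accept", proto="udp", dport=((33434, 33523),),
         policer="limit-1m"),
    # Stateless filter: replies to sessions the router opened need their own term.
    Term("tcp-established", "accept", proto="tcp", sport=((22, 22), (179, 179)),
         tcp_flags=lambda f: "ack" in f or "rst" in f, policer="limit-10m"),
    Term("default-deny", "discard"),
]

def evaluate(p, terms=PROTECT_RE):
    """Return (term name, action, policer) of the first matching term."""
    for t in terms:
        if term_matches(t, p):
            return t.name, t.action, t.policer
    return "implicit-discard", "discard", None   # Junos drops what no term accepts

if __name__ == "__main__":
    for pkt in (Packet("192.0.2.2", "192.0.2.1", "tcp", 50000, 179, frozenset({"syn"})),
                Packet("198.51.100.9", "10.255.0.1", "tcp", 40000, 22, frozenset({"syn"}))):
        print(pkt.src, "->", evaluate(pkt))
```

A model like this is also a cheap way to check a term reordering before committing it: move allow-ssh above synflood-protect, for instance, and the SSH SYNs from the management network stop being policed at 100k, which may or may not be what you intended.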

Other reinforcement content

In addition to the security hardening described above, everyone's daily work should also protect the Layer 2 redundant gateway protocols, Layer 3 routing protocols and other protocols on routers with authentication passwords such as MD5:

1. Set the VRRP authentication password.

2. Set the OSPF, RIP and BGP authentication passwords.

3. Set the authentication password of MPLS protocol such as ldp,rsvp.

Summary:

In this article, we shared experience and a case study of security hardening for network equipment in today's climate of increasingly rampant network attacks.

Of course, every equipment manufacturer has its own security hardening methods for its own equipment, and Juniper's hardening method does not carry over entirely to Cisco or Huawei.

But for us network workers, what matters is the word "thinking". The configuration differs, but the ideas are the same.

I have talked a lot and pasted a lot of command lines; to the friends who had the patience to read this far, great success awaits you.
