JUNOS Software Default Settings for Router Security
The JUNOS Software protects
against common router security weaknesses with the following default
settings:
The JUNOS Software does not forward directed broadcast
messages. Directed broadcast services send ping requests from a spoofed
source address to a broadcast address and can be used to attack other
Internet users. For example, if broadcast ping messages were allowed
on the 200.0.0.0/24 network, a single ping request could
result in up to 254 responses to the supposed source of the ping.
The source would actually become the victim of a denial-of-service
(DoS) attack.
Only console access to the router is enabled by default.
Remote management access to the router and all management access protocols,
including Telnet, FTP, and SSH (Secure Shell), are disabled by default.
The JUNOS Software does not support the SNMP set capability
for editing configuration data. Although the software supports the
SNMP set capability for monitoring and troubleshooting the network,
this support exposes no known security issues. (You can configure
the software to disable this SNMP set capability.)
The JUNOS Software ignores martian addresses that contain
the following prefixes: 0.0.0.0/8, 127.0.0.0/8, 128.0.0.0/16, 191.255.0.0/16, 192.0.0.0/24, 223.255.55.0/24, and 240.0.0.0/4. Martian addresses
are reserved host or network addresses about which all routing information
should be ignored.
