

Basic System Information

system {
    host-name Secure-Router; 
    domain-name company.com; 
    # Locally generated traffic is sourced from the loopback address rather than the
    # egress interface; the BGP groups below also use that address (10.10.5.1) as local-address.
    default-address-selection; 

RADIUS

    # RADIUS is tried first. NOTE(review): because "password" is listed explicitly, the local
    # password database is also consulted when RADIUS rejects a user, not only when the
    # servers are unreachable — confirm that is the intended fallback behaviour.
    authentication-order [ radius password ]; 
    root-authentication {
        # NOTE(review): this same $9$ string is reused as the NTP key, BGP key and IS-IS key
        # elsewhere in this example; outside of documentation each should be a distinct secret.
        encrypted-password "$9$aH1j8gqQ1gjyjgjhgjgiiiii"; # SECRET-DATA
    }
    # Resolvers; both fall inside prefix-list dns-addresses used by the RE filter.
    name-server {
        10.1.1.1; 
        10.1.1.2; 
    }
    # RADIUS servers consulted by authentication-order above; each carries its own shared
    # secret and a 5-second response timeout. Both fall inside prefix-list radius-addresses.
    radius-server {
        10.1.2.1 {
            secret "$9$aH1j8gqQ1sdjerrrhser"; # SECRET-DATA
            timeout 5;
        }
        10.1.2.2 {
            secret "$9$aH1j8gqQ1csdoiuardwefoiud"; # SECRET-DATA
            timeout 5;
        }
    }

Login Classes

    login {
        # Read-only class; assigned to the "observation" RADIUS template account below.
        class observation {
            idle-timeout 5;                 # minutes of inactivity before the session is closed
            permissions [ view ];
        }
        # Operator class; assigned to the "operation" RADIUS template account below.
        # NOTE(review): configure, rollback, firewall-control and routing-control allow this
        # class to change and roll back the RE protection filter and the routing protocols —
        # confirm that breadth is intended for an "operation" role rather than engineering.
        class operation {
        idle-timeout 5;
            permissions [ admin clear configure interface interface-control network             
                reset routing routing-control snmp snmp-control trace-control 

                firewall-control rollback ];
        }
        # Full administrative rights ("all" grants every permission flag). Used by the local
        # admin account and by the "engineering" RADIUS template account below.
        class engineering {
            idle-timeout 5;
            permissions all;
        }

User Login Accounts

        # Local administrator with full permissions (class engineering). With
        # authentication-order [ radius password ] this is the account that still works
        # when RADIUS is down, so its password deserves the same care as root's.
        user admin {
            uid 1000;
            class engineering;
            authentication {
                encrypted-password "<PASSWORD>"; # SECRET-DATA — placeholder, replace with a real password hash
            }
        }

RADIUS Template Accounts

        # Template accounts for RADIUS-authenticated users. They carry no authentication
        # stanza, so they cannot be used for a local login; they only supply the login class
        # a RADIUS-mapped user inherits.
        # NOTE(review): no "remote" template user is defined, so RADIUS users whose profile
        # does not map to one of these three templates are presumably refused — confirm.
        user observation {
            uid 1001;
            class observation;
        }
        user operation {
            uid 1002;
             class operation;
        }
        user engineering {
             uid 1003;
            class engineering;
        }
    }

Connection Services

    # Management access: SSH only (telnet is not enabled), capped at 10 concurrent sessions
    # and 4 new connections per minute.
    # NOTE(review): consider also `root-login deny` and `protocol-version v2` under ssh so
    # root cannot log in directly and SSHv1 is never negotiated.
    services {
        ssh connection-limit 10 rate-limit 4;
    }

System Logging

    # Local logging only: three files on the router, nothing forwarded off-box.
    # NOTE(review): consider adding a `host` destination as well so authorization and
    # firewall logs survive local rotation or tampering with the router.
    syslog {
        file messages {
            any notice;
            authorization info;
            daemon any;
            kernel any;
            archive size 10m files 5 no-world-readable;   # rotate at 10 MB, keep 5, not readable by every login
        }
        # Login/authorization events plus every interactive CLI command entered.
        file authorization-commands {
            authorization any;
            interactive-commands any;
        }
        # Receives the "syslog" action of term everything-else in filter protect-routing-engine.
        file firewall-logs {
            firewall any;
        }
    }

Time Source

    ntp {
        authentication-key 2 type md5 value "$9$aH1j8gqQ1gjyjgjhgjgiiiii"; \
            #  SECRET-DATA
        boot-server 10.1.4.1;
        server 10.1.4.2;
    }
} 

Interfaces

interfaces {
    # ATM uplink toward the core; unit 131 is the point-to-point inet/ISO link.
    at-4/0/0 {
        description core router; 
        atm-options {
            vpi 0 maximum-vcs 1024;
            ilmi;
        }
        unit 131 {
            description to-other-core-router;
            encapsulation atm-snap;
            point-to-point;
            vci 0.131;
            family inet {
                address 12.1.1.1/30;
            }
            family iso;                    # CLNS so IS-IS can run on this link
        }
    }
    # Management Ethernet is administratively disabled.
    fxp0 {
        disable;
    }
    # Loopback. The RE protection filter is applied here as an input filter, so it governs
    # traffic addressed to the router itself; 10.10.5.1 is also the BGP local-address.
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-routing-engine;   # defined under [edit firewall]
                }
                address 10.10.5.1/32;
            }
            family iso {
                address 48.0005.80dd.f900.0000.0001.0001.0000.0000.011.00;   # IS-IS NET
            }
        }
    }
    # SONET/SDH link to another router.
    so-2/0/0 {
        description To-other-router;
        clocking external;
        sonet-options {
            fcs 32;
            payload-scrambler;
        }
        unit 0 {
            family inet {
                address 10.1.5.1/30;
            }
            family iso;
        }
    }
} 

SNMP

[edit snmp]
# SNMP engine ID derived from the fxp0 MAC address. fxp0 is disabled in the interfaces
# stanza; the MAC is presumably still available for this purpose — confirm on the platform.
engine-id {
    use-fxp0-mac-address;
}
# MIB views referenced by the vacm access entry below
# (write-view jnxAlarms, read-view interfaces, notify-view ping-mib).
view jnxAlarms {
    oid .1.3.6.1.4.1.2636.3.4 include;     # Juniper enterprise (2636) alarm subtree
}
view interfaces {
    oid .1.3.6.1.2.1.2 include;            # MIB-2 interfaces group
}
view ping-mib {
    oid .1.3.6.1.2.1.80 include;           # DISMAN-PING-MIB
}

[edit snmp v3]
# Notifications: each notify entry names a tag; target-address entries carrying that tag
# in their tag-list receive the trap.
notify n1 {
    tag router1;                # Identifies a set of target addresses
    type trap;                   # Defines type of notification
}
notify n2 {
    tag host1;
    type trap;
}
# Notify filters restrict which trap OIDs a target-parameters entry forwards.
notify-filter nf1 {
    oid 1 include;                 # Defines which (or the objects for which) traps
}                                        # are sent. In this case, includes all traps.
notify-filter nf2 {
    oid 1.3.6.1.4.1 include;      # Sends enterprise-specific traps only
}
notify-filter nf3 {
    # NOTE(review): 1.3.6.1.2.1.1.5 is MIB-2 system.sysName, not the BGP4-MIB
    # (1.3.6.1.2.1.15) — confirm the intended OID before relying on this filter.
    oid 1.3.6.1.2.1.1.5 include;   # Sends BGP traps only
}
# SNMPv1 community that the trap targets below present (they all use security-name john
# with security-model v1). NOTE(review): v1/v2c community strings travel in cleartext in
# every message, so this value is exposed to anyone on the path to the trap receivers.
snmp-community index1 {
    community-name "$9$JOZi.QF/AtOz3";     # SECRET-DATA
    security-name john;       # Matches the security name at the target parameters
    tag host1;                   # Finds the addresses that can be used with
}                                                 # this community string
# Trap receivers. 10.1.1.1 and 10.1.1.2 are also the configured name-servers; port 162 is
# the standard trap port. ta3 carries both tags, so it receives n1 and n2 notifications.
target-address ta1 { # Associates the target address with the group san-francisco
    address 10.1.1.1;
    address-mask 255.255.255.0;                 # Defines the range of addresses
    port 162;
    tag-list router1;
    target-parameters tp1; # Applies configured target parameters
}
target-address ta2 {
    address 10.1.1.2;
    address-mask 255.255.255.0;
    port 162;
    tag-list host1;
    target-parameters tp2;
}
target-address ta3 {
    address 10.1.1.3;
    address-mask 255.255.255.0;
    port 162;
    tag-list [router1 host1];
    target-parameters tp3;
}
# All three parameter sets send notifications as SNMPv1 with security-level none, i.e.
# the only credential on the wire is the community string of snmp-community index1.
# NOTE(review): none of the usm users defined below is referenced by a trap target; a
# target-parameters entry with message-processing-model v3, security-model usm and
# security-level privacy would give authenticated, encrypted traps.
target-parameters tp1 {          # Defines the target parameters
    notify-filter nf1;              # Specifies which notify filter to apply
    parameters {
        message-processing-model v1;
        security-model v1;
        security-level none;
        security-name john;      # Matches the security name configured at the
    }                                                # edit snmp v3 snmp-community community-index
}                                             # hierarchy level
target-parameters tp2 {         
    notify-filter nf2;              # enterprise-specific traps only
    parameters {
        message-processing-model v1;
        security-model v1;
        security-level none;
        security-name john;
    }
}
target-parameters tp3 {
    notify-filter nf3;
    parameters {
        message-processing-model v1;
        security-model v1;
        security-level none;
        security-name john;
    }
}
usm {
    local-engine {          #Defines authentication and encryption for SNMP3 users. 
        # The password values below are literal placeholders and must be replaced.
        # NOTE(review): only user5 (SHA + AES-128) and, with weaker primitives, user4
        # (MD5 + 3DES) give both integrity and confidentiality; user3 (noAuthNoPriv) and
        # user2 (authNoPriv) send data unencrypted, and user1 relies on MD5 with single DES.
        # Prefer SHA/AES profiles for production users.
        user user1 { 
            authentication-md5 {
                authentication-password authentication-password;
            }
            privacy-des {
                privacy-password privacy-password;
            }
        }
        user user2 {
            authentication-sha {
                authentication-password authentication-password;
            }
            privacy-none;
        }
        user user3 {
            authentication-none;
            privacy-none;
        }
        user user4 {
            authentication-md5 {
                authentication-password authentication-password;
            }
            privacy-3des {
                privacy-password password;
            }
        }
        user user5 {
            authentication-sha {
                authentication-password authentication-password;
            }
            privacy-aes128 {
                privacy-password password;
            }
        }
    }
}
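vacm {
    access {
        # Access rights for group san-francisco under SNMPv1 with no authentication:
        # notifications from ping-mib, reads of the interfaces view, writes to jnxAlarms.
        group san-francisco {
            default-context-prefix {
                security-model v1 {
                    security-level none {
                        notify-view ping-mib;
                        read-view interfaces;
                        # NOTE(review): SET access gated only by a v1 community string —
                        # confirm write access to the alarm subtree is actually required.
                        write-view jnxAlarms;
                    }
                }
            }
        }
    }
    security-to-group {
        security-model v1 {
            # Each security-name is its own entry under security-model v1. In the original,
            # bob and elizabeth were nested inside john's block, which is not valid at this
            # hierarchy level and would fail to commit.
            security-name john {            # Assigns john to the security group san-francisco
                group san-francisco;
            }
            security-name bob {
                group new-york;              # no access entry for new-york appears on this page
            }
            security-name elizabeth {
                group chicago;               # no access entry for chicago appears on this page
            }
        }
    }
}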

Protocol-Independent Routing Properties

# Protocol-independent routing properties.
routing-options {
    router-id 10.1.7.1;
    autonomous-system 222;
    # Martian prefixes: routes matching these entries are rejected from the routing tables.
    # "exact" matches only a route with exactly this prefix and length, so more-specific
    # routes inside 10.0.0.0/8 and 192.168.0.0/16 (the space this configuration uses for
    # its own links and servers) are still accepted — confirm that, rather than "orlonger",
    # is intended.
    martians {
        1.0.0.0/8 exact;
        10.0.0.0/8 exact;
        19.255.0.0/16 exact;
        59.0.0.0/8 exact;
        129.156.0.0/16 exact;
        172.16.0.0/12 exact;
        192.0.2.0/24 exact;
        192.5.0.0/24 exact;
        192.9.200.0/24 exact;
        192.9.99.0/24 exact;
        192.168.0.0/16 exact;
        224.0.0.0/3 exact;          # multicast and class E space
    }
} 

Routing Protocols

protocols {

BGP

    # BGP: one internal and one external group, both sourced from the lo0 address.
    # Both neighbors fall inside prefix-list bgp-addresses (10.2.1.0/24), which the
    # protect-routing-engine filter uses to admit BGP sessions to the RE.
    bgp {
        group ibgp {
            type internal;
            traceoptions {
                file bgp-trace size 1m files 10;
                flag state;
                flag general;
            }
            local-address 10.10.5.1;
            log-updown;                     # log peer state transitions
            neighbor 10.2.1.1;
            authentication-key "$9$aH1j8gqQ1gjyjgjhgjgiiiii";   # SECRET-DATA — TCP MD5 session authentication
        }
        group ebgp {
            type external;
            traceoptions {
                file ebgp-trace size 10m files 10;
                flag state;
                flag general;
            }
            local-address 10.10.5.1;
            log-updown;
            peer-as 2;
            neighbor 10.2.1.2;
            authentication-key "$9$aH1j8gqQ1gjyjgjhgjgiiiii";   # SECRET-DATA — TCP MD5 session authentication
        }
    }

IS-IS

    isis {
        authentication-key "$9$aH1j8gqQ1gjyjgjhgjgiiiii"; # SECRET-DATA
        authentication-type md5;
        traceoptions {
            file isis-trace size 10m files 10;
            flag normal;
            flag error;
        }
        interface at-0/0/0.131 {
            lsp-interval 50;
            level 2 disable;
            level 1 {
                metric 3;
                hello-interval 5;
                hold-time 60;
            }
        }
        interface lo0.0 {
        passive;
    }
} 

Firewall Policies

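# Prefix lists consumed by filter protect-routing-engine (source-prefix-list matches).
# Every entry is terminated with ";" — two were missing in the original.
policy-options {
    prefix-list ssh-addresses {
        1.1.9.0/24;                 # management hosts allowed to reach SSH on the RE
    }
    prefix-list bgp-addresses {
        10.2.1.0/24;                # covers both BGP neighbors (10.2.1.1, 10.2.1.2)
    }
    prefix-list ntp-addresses {
        10.1.4.0/24;                # covers boot-server 10.1.4.1 and server 10.1.4.2
    }
    prefix-list snmp-addresses {
        10.1.6.0/24;                # SNMP managers permitted to poll the RE
    }
    prefix-list dns-addresses {
        10.1.1.0/24;                # covers name-servers 10.1.1.1 and 10.1.1.2
    }
    prefix-list radius-addresses {
        10.1.2.0/24;                # covers radius-servers 10.1.2.1 and 10.1.2.2
    }
}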

Firewall Filters

firewall {
    filter protect-routing-engine {
        term icmp {
            from {
                protocol icmp;
                icmp-type [ echo-request echo-reply unreachable time-exceeded ];
            }
            then {
                policer small-bandwidth-policer;
                accept;
            }
        }
        term tcp-connection {
            from {
                source-prefix-list {
                    ssh-addresses;
                    bgp-addresses;
                }
                protocol tcp;
                tcp-flags "(syn & !ack) | fin | rst";
            }
            then {
                policer tcp-policer;
                accept;
            }
        }
        term ssh {
            from {
                source-prefix-list {
                    ssh-addresses;
                }
                protocol tcp;
                port [ ssh telnet ];
            }
            policer ssh-policer;
            then accept;
        }
        term bgp {
            from {
                source-prefix-list {
                    bgp-addresses;
                protocol tcp;
                port bgp;
            }
            then accept;
        }
        term snmp {
            from {
                source-prefix-list {
                    snmp-addresses;
                }
                protocol udp;
                port snmp;
            }
            then {
                policer snmp-policer;
                accept;
            }
        }
        term ntp {
            from {
                source-prefix-list {
                    ntp-addresses;
                }
                protocol udp;
                port ntp;
            }
            then {
                policer ntp-policer;
                accept;
            }
        }
        term dns {
            from {
                source-address {
                    dns-addresses;
                }
                protocol udp;
                port domain;
            }
            then {
                policer dns-policer;
                accept;
            }
        }
        term radius {
            from {
                source-prefix-list {
                    radius-addresses;
                }
                protocol udp;
                port radius;
            }
            then {
                policer radius-policer;
                accept;
            }
        }
        term trace-route {
            from {
                protocol udp;
                destination-port 33434-33523;
            }
            then {
                policer small-bandwidth-policer;
                accept;
            }
        }
        term everything-else {
            then {
                syslog;
                log;
                discard;
            }
        }
    }
    # Referenced by term ssh of protect-routing-engine.
    policer ssh-policer {
        if-exceeding {
            bandwidth-limit 1m;        # bits per second
            burst-size-limit 15k;      # bytes
        }
        then discard;                  # excess traffic is dropped, not merely marked
    }
    # Shared by terms icmp and trace-route, the two terms that accept traffic from any source.
    policer small-bandwidth-policer {
        if-exceeding {
            bandwidth-limit 1m;        # bits per second
            burst-size-limit 15k;      # bytes
        }
        then discard;
    }
    # Referenced by term snmp of protect-routing-engine.
    policer snmp-policer {
        if-exceeding {
            bandwidth-limit 1m;        # bits per second
            burst-size-limit 15k;      # bytes
        }
        then discard;
    }
    # Referenced by term ntp of protect-routing-engine.
    policer ntp-policer {
        if-exceeding {
            bandwidth-limit 1m;        # bits per second
            burst-size-limit 15k;      # bytes
        }
        then discard;
    }
    # Referenced by term dns of protect-routing-engine.
    policer dns-policer {
        if-exceeding {
            bandwidth-limit 1m;        # bits per second
            burst-size-limit 15k;      # bytes
        }
        then discard;
    }
    # Referenced by term radius of protect-routing-engine.
    policer radius-policer {
        if-exceeding {
            bandwidth-limit 1m;        # bits per second
            burst-size-limit 15k;      # bytes
        }
        then discard;
    }
    # Referenced by term tcp-connection; tighter than the others (500 kbps) because it
    # governs SYN/FIN/RST packets rather than established-session payload.
    policer tcp-policer {
        if-exceeding {
            bandwidth-limit 500k;      # bits per second
            burst-size-limit 15k;      # bytes
        }
        then discard;
    }
}
