Junos OS Default Settings for Device Security
Junos OS protects against common network device security weaknesses with the following default settings:
Junos OS does not forward directed broadcast messages. Directed broadcast services send ping requests from a spoofed source address to a broadcast address and can be used to attack other Internet users. For example, if broadcast ping messages were allowed on the 126.96.36.199/24 network, a single ping request could result in up to 254 responses to the supposed source of the ping. The source would actually become the victim of a denial-of-service (DoS) attack.
Generally, by default, only console access to the device is enabled. Remote management access to the device and all management access protocols, including Telnet, FTP, and SSH (Secure Shell), are disabled by default, unless the device setup specifically includes a factory-installed DHCP configuration.
Junos OS does not support the SNMP set capability for editing configuration data. Although the software supports the SNMP set capability for monitoring and troubleshooting the network, this support exposes no known security issues. (You can configure the software to disable this SNMP set capability.)
Junos OS ignores martian (intentionally non-routable) IP addresses that contain the following prefixes: 0.0.0.0/8, 127.0.0.0/8, 188.8.131.52/16, 184.108.40.206/16, 192.0.0.0/24, 220.127.116.11/24, and 240.0.0.0/4. Martian addresses are reserved host or network addresses about which all routing information should be ignored.
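The defaults above hold only until a configuration overrides them. The following audit script is an added example, not Juniper code: it scans a configuration in "set" format for statements that undo these defaults. It assumes the standard Junos statements `targeted-broadcast`, `system services telnet|ftp`, `snmp community ... authorization read-write`, and `routing-options martians ... allow`, and it treats SSH as an intended override that is not flagged. The sample configuration is constructed.

```python
import re

# Constructed sample in "set" format; host, interface and community names are made up.
SAMPLE = """\
set system host-name edge-1
set system services ssh
set system services telnet
set interfaces ge-0/0/1 unit 0 family inet address 192.0.2.1/24
set interfaces ge-0/0/1 unit 0 family inet targeted-broadcast
set snmp community monitoring authorization read-only
set snmp community ops authorization read-write
set routing-options martians 240.0.0.0/4 orlonger allow
"""

# (finding, pattern) pairs, one per default described above.
RULES = [
    ("directed broadcast forwarding enabled",
     re.compile(r"^set interfaces \S+ unit \S+ family inet targeted-broadcast\b")),
    ("cleartext remote management enabled",
     re.compile(r"^set system services (telnet|ftp)\b")),
    ("SNMP set permitted by read-write community",
     re.compile(r"^set snmp community \S+ authorization read-write$")),
    ("martian prefix explicitly allowed",
     re.compile(r"^set routing-options martians \S+ .*\ballow$")),
]

def audit(config_text):
    """Return (line_number, finding, statement) for each override found."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = " ".join(raw.split())   # normalise whitespace
        if not line.startswith("set "):
            continue                   # skip comments, blank lines, other commands
        for finding, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, finding, line))
    return findings

if __name__ == "__main__":
    for lineno, finding, line in audit(SAMPLE):
        print(f"line {lineno}: {finding}: {line}")
```

Feed it the output of `show configuration | display set` saved to a file; an empty result means none of the four overrides is present.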