
Example: Consolidated Security Configuration

This topic provides a complete example of configuring various security features available in the JUNOS Software to secure your router:

Configuring Basic System Information

system {
    host-name Secure-Router;
    domain-name company.com;
    default-address-selection;
}

Configuring RADIUS Authentication

authentication-order [ radius password ];
root-authentication {
    encrypted-password "$9$aH1j8gqQ1gjyjgjhgjgiiiii"; # SECRET-DATA
}
name-server {
    10.1.1.1;
    10.1.1.2;
}
radius-server {
    10.1.2.1 {
        secret "$9$aH1j8gqQ1sdjerrrhser"; # SECRET-DATA
        timeout 5;
    }
    10.1.2.2 {
        secret "$9$aH1j8gqQ1csdoiuardwefoiud"; # SECRET-DATA
        timeout 5;
    }
}

Configuring Login Classes

login {
    class observation {
        idle-timeout 5;
        permissions [ view ];
    }
    class operation {
        idle-timeout 5;
        permissions [ admin clear configure interface interface-control network reset routing routing-control snmp snmp-control trace-control firewall-control rollback ];
    }
    class engineering {
        idle-timeout 5;
        permissions all;
    }
}

Configuring User Login Accounts

user admin {
    uid 1000;
    class engineering;
    authentication {
        encrypted-password "<PASSWORD>"; # SECRET-DATA
    }
}

Configuring RADIUS Template Accounts

user observation {
    uid 1001;
    class observation;
}
user operation {
    uid 1002;
    class operation;
}
user engineering {
    uid 1003;
    class engineering;
}

Configuring SSH Connection Services

services {
    ssh {
        connection-limit 10;
        rate-limit 4;
    }
}

Configuring System Logging

syslog {
    file messages {
        any notice;
        authorization info;
        daemon any;
        kernel any;
        archive size 10m files 5 no-world-readable;
    }
    file authorization-commands {
        authorization any;
        interactive-commands any;
    }
    file firewall-logs {
        firewall any;
    }
}

Configuring the Time Source

ntp {
    authentication-key 2 type md5 value "$9$aH1j8gqQ1gjyjgjhgjgiiiii"; # SECRET-DATA
    boot-server 10.1.4.1;
    server 10.1.4.2;
}

Configuring Interfaces

interfaces {
    at-4/0/0 {
        description "core router";
        atm-options {
            vpi 0 maximum-vcs 1024;
            ilmi;
        }
        unit 131 {
            description to-other-core-router;
            encapsulation atm-snap;
            point-to-point;
            vci 0.131;
            family inet {
                address 12.1.1.1/30;
            }
            family iso;
        }
    }
    fxp0 {
        disable;
    }
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-routing-engine;
                }
                address 10.10.5.1/32;
            }
            family iso {
                address 48.0005.80dd.f900.0000.0001.0001.0000.0000.011.00;
            }
        }
    }
    so-2/0/0 {
        description To-other-router;
        clocking external;
        sonet-options {
            fcs 32;
            payload-scrambler;
        }
        unit 0 {
            family inet {
                address 10.1.5.1/30;
            }
            family iso;
        }
    }
}

Configuring SNMP

[edit snmp]
engine-id {
    use-fxp0-mac-address;
}
view jnxAlarms {
    oid .1.3.6.1.4.1.2636.3.4 include;
}
view interfaces {
    oid .1.3.6.1.2.1.2 include;
}
view ping-mib {
    oid .1.3.6.1.2.1.80 include;
}
[edit snmp v3]
notify n1 {
    tag router1;                   # Identifies a set of target addresses
    type trap;                     # Defines type of notification
}
notify n2 {
    tag host1;
    type trap;
}
notify-filter nf1 {
    oid 1 include;                 # Defines which (or the objects for which) traps
                                   # will be sent. In this case, include all traps.
}
notify-filter nf2 {
    oid 1.3.6.1.4.1 include;       # Sends enterprise-specific traps only
}
notify-filter nf3 {
    oid 1.3.6.1.2.1.1.5 include;   # Sends BGP traps only
}
snmp-community index1 {
    community-name "$9$JOZi.QF/AtOz3";   # SECRET-DATA
    security-name john;            # Matches the security name at the target parameters
    tag host1;                     # Finds the addresses that can be used with this community string
}
target-address ta1 {               # Associates the target address with the group san-francisco
    address 10.1.1.1;
    address-mask 255.255.255.0;    # Defines the range of addresses
    port 162;
    tag-list router1;
    target-parameters tp1;         # Applies configured target parameters
}
target-address ta2 {
    address 10.1.1.2;
    address-mask 255.255.255.0;
    port 162;
    tag-list host1;
    target-parameters tp2;
}
target-address ta3 {
    address 10.1.1.3;
    address-mask 255.255.255.0;
    port 162;
    tag-list [router1 host1];
    target-parameters tp3;
}
target-parameters tp1 {            # Defines the target parameters
    notify-filter nf1;             # Specifies which notify filter to apply
    parameters {
        message-processing-model v1;
        security-model v1;
        security-level none;
        security-name john;        # Matches the security name configured at the
                                   # [edit snmp v3 snmp-community community-index] hierarchy level
    }
}
target-parameters tp2 {
    notify-filter nf2;
    parameters {
        message-processing-model v1;
        security-model v1;
        security-level none;
        security-name john;
    }
}
target-parameters tp3 {
    notify-filter nf3;
    parameters {
        message-processing-model v1;
        security-model v1;
        security-level none;
        security-name john;
    }
}
usm {
    local-engine {                 # Defines authentication and encryption for SNMPv3 users
        user user1 {
            authentication-md5 {
                authentication-password authentication-password;
            }
            privacy-des {
                privacy-password privacy-password;
            }
        }
        user user2 {
            authentication-sha {
                authentication-password authentication-password;
            }
            privacy-none;
        }
        user user3 {
            authentication-none;
            privacy-none;
        }
        user user4 {
            authentication-md5 {
                authentication-password authentication-password;
            }
            privacy-3des {
                privacy-password password;
            }
        }
        user user5 {
            authentication-sha {
                authentication-password authentication-password;
            }
            privacy-aes128 {
                privacy-password password;
            }
        }
    }
}
vacm {
    access {
        group san-francisco {      # Defines the access privileges for the group san-francisco
            default-context-prefix {
                security-model v1 {
                    security-level none {
                        notify-view ping-mib;
                        read-view interfaces;
                        write-view jnxAlarms;
                    }
                }
            }
        }
    }
    security-to-group {
        security-model v1 {
            security-name john {   # Assigns john to the security group san-francisco
                group san-francisco;
            }
            security-name bob {
                group new-york;
            }
            security-name elizabeth {
                group chicago;
            }
        }
    }
}

Configuring the Router ID and AS Number for BGP

[edit]
routing-options {
    router-id 10.1.7.1;
    autonomous-system 222;
}

Configuring Martian Addresses

[edit]
routing-options {
    martians {
        1.0.0.0/8 exact;
        10.0.0.0/8 exact;
        19.255.0.0/16 exact;
        59.0.0.0/8 exact;
        129.156.0.0/16 exact;
        172.16.0.0/12 exact;
        192.0.2.0/24 exact;
        192.5.0.0/24 exact;
        192.9.200.0/24 exact;
        192.9.99.0/24 exact;
        192.168.0.0/16 exact;
        224.0.0.0/3 exact;
    }
}

Configuring Routing Protocols

protocols {}

BGP

bgp {
    group ibgp {
        type internal;
        traceoptions {
            file bgp-trace size 1m files 10;
            flag state;
            flag general;
        }
        local-address 10.10.5.1;
        log-updown;
        neighbor 10.2.1.1;
        authentication-key "$9$aH1j8gqQ1gjyjgjhgjgiiiii";
    }
    group ebgp {
        type external;
        traceoptions {
            file ebgp-trace size 10m files 10;
            flag state;
            flag general;
        }
        local-address 10.10.5.1;
        log-updown;
        peer-as 2;
        neighbor 10.2.1.2;
        authentication-key "$9$aH1j8gqQ1gjyjgjhgjgiiiii";
    }
}

Configuring IS-IS

isis {
    authentication-key "$9$aH1j8gqQ1gjyjgjhgjgiiiii"; # SECRET-DATA
    authentication-type md5;
    traceoptions {
        file isis-trace size 10m files 10;
        flag normal;
        flag error;
    }
    interface at-0/0/0.131 {
        lsp-interval 50;
        level 2 disable;
        level 1 {
            metric 3;
            hello-interval 5;
            hold-time 60;
        }
    }
    interface lo0.0 {
        passive;
    }
}

Configuring Firewall Policies

policy-options {
    prefix-list ssh-addresses {
        1.1.9.0/24;
    }
    prefix-list bgp-addresses {
        10.2.1.0/24;
    }
    prefix-list ntp-addresses {
        10.1.4.0/24;
    }
    prefix-list snmp-addresses {
        10.1.6.0/24;
    }
    prefix-list dns-addresses {
        10.1.1.0/24;
    }
    prefix-list radius-addresses {
        10.1.2.0/24;
    }
}

Configuring Firewall Filters

firewall {
    filter protect-routing-engine {
        term icmp {
            from {
                protocol icmp;
                icmp-type [ echo-request echo-reply unreachable time-exceeded ];
            }
            then {
                policer small-bandwidth-policer;
                accept;
            }
        }
        term tcp-connection {
            from {
                source-prefix-list {
                    ssh-addresses;
                    bgp-addresses;
                }
                protocol tcp;
                tcp-flags "(syn & !ack) | fin | rst";
            }
            then {
                policer tcp-policer;
                accept;
            }
        }
        term ssh {
            from {
                source-prefix-list {
                    ssh-addresses;
                }
                protocol tcp;
                port [ ssh telnet ];
            }
            then {
                policer ssh-policer;
                accept;
            }
        }
        term bgp {
            from {
                source-prefix-list {
                    bgp-addresses;
                }
                protocol tcp;
                port bgp;
            }
            then accept;
        }
        term snmp {
            from {
                source-prefix-list {
                    snmp-addresses;
                }
                protocol udp;
                port snmp;
            }
            then {
                policer snmp-policer;
                accept;
            }
        }
        term ntp {
            from {
                source-prefix-list {
                    ntp-addresses;
                }
                protocol udp;
                port ntp;
            }
            then {
                policer ntp-policer;
                accept;
            }
        }
        term dns {
            from {
                source-prefix-list {
                    dns-addresses;
                }
                protocol udp;
                port domain;
            }
            then {
                policer dns-policer;
                accept;
            }
        }
        term radius {
            from {
                source-prefix-list {
                    radius-addresses;
                }
                protocol udp;
                port radius;
            }
            then {
                policer radius-policer;
                accept;
            }
        }
        term trace-route {
            from {
                protocol udp;
                destination-port 33434-33523;
            }
            then {
                policer small-bandwidth-policer;
                accept;
            }
        }
        term everything-else {
            then {
                syslog;
                log;
                discard;
            }
        }
    }
    policer ssh-policer {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    policer small-bandwidth-policer {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    policer snmp-policer {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    policer ntp-policer {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    policer dns-policer {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    policer radius-policer {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    policer tcp-policer {
        if-exceeding {
            bandwidth-limit 500k;
            burst-size-limit 15k;
        }
        then discard;
    }
}
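As an added example (not part of the Juniper documentation and not a Junos tool), the following Python script parses a constructed, abridged copy of the protect-routing-engine filter above and audits it the way a reviewer checks a Routing Engine filter: every prefix-list and policer a term references must be defined, and the final term must discard what no earlier term accepted. The `parse` and `audit_filter` functions and the `SAMPLE` text are this example's own assumptions.

```python
import re

# Constructed sample, abridged from the page's protect-routing-engine filter (not the full config).
SAMPLE = """
policy-options { prefix-list ssh-addresses { 1.1.9.0/24; } prefix-list bgp-addresses { 10.2.1.0/24; } }
firewall {
    filter protect-routing-engine {
        term ssh { from { source-prefix-list { ssh-addresses; } protocol tcp; port [ ssh telnet ]; } then { policer ssh-policer; accept; } }
        term bgp { from { source-prefix-list { bgp-addresses; } protocol tcp; port bgp; } then accept; }
        term everything-else { then { syslog; log; discard; } }
    }
    policer ssh-policer { if-exceeding { bandwidth-limit 1m; burst-size-limit 15k; } then discard; }
}
"""

def parse(text):
    """Parse Junos curly-brace syntax into nested dicts; leaf statements map to None."""
    node, stack, words = {}, [], []
    for tok in re.findall(r"\{|\}|;|[^\s{};]+", text):
        if tok == "{":                      # open a child container under the current node
            child = {}
            node[" ".join(words)] = child
            stack.append(node)
            node, words = child, []
        elif tok == "}":                    # close it and return to the parent
            node = stack.pop()
        elif tok == ";":                    # end of a leaf statement
            node[" ".join(words)], words = None, []
        else:
            words.append(tok)
    return node

def audit_filter(cfg, name):
    """Return findings for the named filter; an empty list means every check passed."""
    fw, po = cfg.get("firewall", {}), cfg.get("policy-options", {})
    prefix_lists = {k.split()[1] for k in po if k.startswith("prefix-list ")}
    policers = {k.split()[1] for k in fw if k.startswith("policer ")}
    terms = [(k.split()[1], v) for k, v in fw.get(f"filter {name}", {}).items() if k.startswith("term ")]
    findings = []
    for term, body in terms:
        for pl in body.get("from", {}).get("source-prefix-list") or {}:
            if pl not in prefix_lists:
                findings.append(f"{term}: references undefined prefix-list {pl}")
        then = body.get("then") or {}       # 'then accept;' parses as a leaf, so this is {} there
        for pol in [k.split()[1] for k in then if k.startswith("policer ")]:
            if pol not in policers:
                findings.append(f"{term}: references undefined policer {pol}")
    if not terms or "discard" not in (terms[-1][1].get("then") or {}):
        findings.append("final term does not discard everything else")
    return findings
```

Run the same audit against the output of `show configuration` on a real box to catch a filter that references a policer or prefix-list that was never committed, or that silently lost its catch-all discard term.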

Published: 2010-04-26
