Specifications
filters are useful in protecting the IP services that run on the Routing Engine, such
as Telnet, ssh, and BGP, from denial-of-service attacks.
The Routing Engine Firewall mechanisms formed the basis for hardware-based
packet filtering features for the M20, M40 and M160.
The firewall supports a number of match conditions. Each firewall filter consists
of one or more “terms”. Each term consists of statements that define match
conditions and actions to take if the conditions are matched.
Filtering of packets based on match conditions:
§ IP source address
§ IP destination address
§ TCP or UDP source or destination port field
§ IP protocol field
§ ICMP packet type
§ IP options
§ TCP flags
§ Option for multiple match conditions
§ Option for grouping of match conditions (e.g. numeric range)
Filter actions:
§ Accept packet
§ Discard packet
§ Log packet
Optional logical grouping of interfaces, so that one filter applies to the whole group
(interface coloring).
Firewall filters can be applied to an individual interface, or several interfaces that
have been logically grouped together (i.e. group coloring). Note that currently
filters bound to an interface apply only to traffic on that interface that is sent to or
from the Routing Engine. The filters do not apply to transit traffic.
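The following is an added example, not Juniper code or configuration. It models, in Python, the filter structure described above: a filter is an ordered list of terms, each term carries match conditions (source and destination prefixes, protocol, a destination port range, ICMP types, TCP flags) and an action. It follows JUNOS semantics that the text leaves implicit: the first matching term decides, "log" is combined with accept or discard rather than standing alone, and a packet that matches no term is discarded. The filter PROTECT_RE, the Routing Engine address RE_ADDR and the sample packets are constructed for the example (RFC 5737 documentation prefixes).

```python
"""Model of Routing Engine firewall filter evaluation (added example, not Juniper code).

Terms are evaluated in order; the first match wins; a packet matching no term
is discarded without logging. Addresses, ports and packets are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str                       # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    icmp_type: Optional[int] = None
    tcp_flags: frozenset = frozenset()  # e.g. frozenset({"syn"}) or frozenset({"syn", "ack"})


def _in_any(addr: str, prefixes: tuple) -> bool:
    """True if addr falls inside any of the listed prefixes (a grouped condition)."""
    a = ip_address(addr)
    return any(a in ip_network(p) for p in prefixes)


@dataclass
class Term:
    name: str
    action: str                              # terminating action: "accept" or "discard"
    log: bool = False                        # non-terminating; combined with action
    source_prefixes: tuple = ()              # any listed prefix matches
    destination_prefixes: tuple = ()
    protocol: Optional[str] = None
    dport_range: Optional[tuple] = None      # inclusive (low, high): a numeric range
    icmp_types: tuple = ()
    tcp_flags: Optional[frozenset] = None    # flags that must all be set

    def matches(self, pkt: Packet) -> bool:
        """Every configured condition must hold; lists inside one condition OR together."""
        if self.source_prefixes and not _in_any(pkt.src, self.source_prefixes):
            return False
        if self.destination_prefixes and not _in_any(pkt.dst, self.destination_prefixes):
            return False
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if self.dport_range is not None and not (
                self.dport_range[0] <= pkt.dport <= self.dport_range[1]):
            return False
        if self.icmp_types and pkt.icmp_type not in self.icmp_types:
            return False
        if self.tcp_flags is not None and not self.tcp_flags <= pkt.tcp_flags:
            return False
        return True


def evaluate(terms, pkt: Packet):
    """Return (action, logged, term_name) from the first matching term.
    No match reaches the implicit final discard, which does not log."""
    for term in terms:
        if term.matches(pkt):
            return term.action, term.log, term.name
    return "discard", False, "implicit-discard"


RE_ADDR = "192.0.2.254"   # constructed: the Routing Engine's own address

# Constructed filter: admit BGP from known peers, SSH/Telnet from a management
# prefix and ICMP echo; log and drop every other TCP connection attempt.
SYN = frozenset({"syn"})
PROTECT_RE = [
    Term("allow-bgp-peers", "accept", protocol="tcp", dport_range=(179, 179),
         source_prefixes=("192.0.2.1/32", "192.0.2.2/32"),
         destination_prefixes=(RE_ADDR + "/32",)),
    Term("allow-mgmt-ssh-telnet", "accept", protocol="tcp", dport_range=(22, 23),
         source_prefixes=("198.51.100.0/24",)),
    Term("allow-icmp-echo", "accept", protocol="icmp", icmp_types=(0, 8)),
    Term("log-unwanted-syn", "discard", log=True, protocol="tcp", tcp_flags=SYN),
]

SAMPLES = {  # constructed packets addressed to the Routing Engine
    "bgp-from-peer": Packet("192.0.2.1", RE_ADDR, "tcp", 40000, 179, tcp_flags=SYN),
    "bgp-from-stranger": Packet("203.0.113.9", RE_ADDR, "tcp", 40001, 179, tcp_flags=SYN),
    "ssh-from-mgmt": Packet("198.51.100.7", RE_ADDR, "tcp", 50000, 22, tcp_flags=SYN),
    "ping": Packet("203.0.113.9", RE_ADDR, "icmp", icmp_type=8),
    "snmp-udp": Packet("203.0.113.9", RE_ADDR, "udp", 5000, 161),
}


def demo():
    """Evaluate every sample against PROTECT_RE; returns {name: (action, logged, term)}."""
    return {name: evaluate(PROTECT_RE, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, (action, logged, term) in demo().items():
        print(f"{name:18} -> {action:8} logged={str(logged):5} term={term}")
```

The ordering matters: a BGP SYN from an unknown source falls past the peer term and is logged and discarded by the catch-all TCP term, while a UDP packet to an unlisted port matches nothing and is silently dropped by the implicit discard. Putting the logging term last keeps the log to traffic that no explicit term wanted.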
3.5.4 Protocol Authentication
Some IGPs (IS-IS and OSPF) and RSVP allow you to configure an authentication
method and password. Neighboring routers use the password to verify the
authenticity of packets sent by the protocol from the router or from a router
interface. The following authentication methods are supported:
§ Simple authentication (IS-IS and OSPF)--Uses a simple text password. The
receiving router uses an authentication key (password) to verify the packet.
Because the password is carried in clear text in the transmitted packet, anyone
who can capture a single protocol packet learns it, so this method provides no
protection against an attacker with access to the link. We recommend that you not
use this authentication method.
§ MD5 and HMAC-MD5 (IS-IS, OSPF, and RSVP)--Both methods append a keyed MD5
digest (a cryptographic checksum computed over the packet together with the
shared authentication key) to the transmitted packet; the key itself is never
sent. HMAC-MD5, defined in RFC 2104, HMAC: Keyed-Hashing for Message
Authentication, nests two MD5 computations: an inner hash over the key XORed
with an inner pad and the message, and an outer hash over the key XORed with an
outer pad and the inner result. With both types of authentication, the receiving
router uses the same authentication key (password) to recompute the digest and
verify the packet. Neither method encrypts the protocol packet; they provide
origin authentication and integrity only, so the key must be kept secret and
replaced if it is exposed.
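The following is an added example, not Juniper code, and not the on-the-wire format of IS-IS, OSPF or RSVP authentication (where the digest sits, key identifiers and sequence numbers are protocol-specific and are not shown). It works through the RFC 2104 HMAC-MD5 construction by hand, checks it against Python's hmac module, and contrasts it with the simple-authentication case above: with the keyed digest the receiver detects a modified packet or a wrong key and the key never appears in the packet, whereas with simple authentication the password is readable from the captured bytes. The key, the OSPF-like packet body and the simple-authentication layout are constructed sample data.

```python
"""RFC 2104 HMAC-MD5 by hand, checked against hashlib (added example, not Juniper code).

The packet body, the keys and the simple-auth layout below are constructed;
real protocol packets place the key ID, sequence number and digest in
protocol-defined fields that this example does not reproduce.
"""
import hashlib
import hmac

BLOCK_SIZE = 64   # MD5 block size in bytes (B in RFC 2104)
DIGEST_LEN = 16   # MD5 output length in bytes


def hmac_md5_by_hand(key: bytes, text: bytes) -> bytes:
    """H(K XOR opad || H(K XOR ipad || text)), exactly as RFC 2104 section 2 defines it."""
    if len(key) > BLOCK_SIZE:
        key = hashlib.md5(key).digest()        # keys longer than B are hashed first
    key = key.ljust(BLOCK_SIZE, b"\x00")       # then zero-padded to B bytes
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.md5(ipad + text).digest()
    return hashlib.md5(opad + inner).digest()


def sign(key: bytes, body: bytes) -> bytes:
    """Sender: append the keyed digest; the key itself is not transmitted."""
    return body + hmac_md5_by_hand(key, body)


def verify(key: bytes, packet: bytes) -> bool:
    """Receiver: recompute over everything but the trailing digest and compare in constant time."""
    if len(packet) < DIGEST_LEN:
        return False
    body, digest = packet[:-DIGEST_LEN], packet[-DIGEST_LEN:]
    return hmac.compare_digest(hmac_md5_by_hand(key, body), digest)


def simple_auth(password: bytes, body: bytes) -> bytes:
    """Constructed model of simple authentication: the password rides in the packet in clear."""
    return body + password


KEY = b"constructed-shared-secret"
LONG_KEY = b"k" * 70                      # exercises the hash-the-key path (len > B)
HELLO = b"\x02\x01\x00\x2c\xc0\x00\x02\x01" + b"constructed OSPF-like hello body"


def demo() -> dict:
    pkt = sign(KEY, HELLO)
    tampered = pkt[:10] + bytes([pkt[10] ^ 0x01]) + pkt[10 + 1:]   # flip one bit in the body
    return {
        "matches_stdlib": hmac_md5_by_hand(KEY, HELLO) == hmac.new(KEY, HELLO, hashlib.md5).digest(),
        "long_key_matches_stdlib": hmac_md5_by_hand(LONG_KEY, HELLO)
        == hmac.new(LONG_KEY, HELLO, hashlib.md5).digest(),
        "verifies": verify(KEY, pkt),
        "tamper_detected": not verify(KEY, tampered),
        "wrong_key_detected": not verify(b"other-secret", pkt),
        "key_not_in_packet": KEY not in pkt,
        "password_visible_in_simple_auth": KEY in simple_auth(KEY, HELLO),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:32} {result}")
```

Note what the digest does and does not give: a receiver holding the key can reject forged or altered packets, but the packet contents are still readable to anyone on the link, and any party holding the shared key can produce valid packets, so key distribution and rotation are part of the security of the scheme.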
3.5.5 User Authentication
The JUNOS software supports three methods of user authentication: local
password authentication, Remote Authentication Dial-In User Service (RADIUS)
and Terminal Access Controller Access Control System Plus (TACACS+).
[Figure: Packet Forwarding Engine and Routing Engine. Forwarded traffic passes through the Packet Forwarding Engine; traffic destined for the RE passes through the RE Firewall before reaching the Routing Engine.]