Q

Lessons learned from Juniper vulnerability in Junos OS

Expert Brad Casey says the recent Junos OS flaws demonstrate why enterprises must diligently update networking router software to stay secure.

Earlier this year there was a Juniper vulnerability affecting the networking vendor's router software. In cases like this, when a flaw is found in network hardware, what mitigations can be put in place to defend against it?


To be precise, the flaw was not found in the network hardware. According to several reports, and confirmed by Juniper itself, the flaw was found in the vendor's Junos operating system (OS) in versions released prior to Jan. 17, 2013. In this case, Juniper released sound advice for addressing the flaw: Update to its new OS, utilize unicast reverse-path forwarding (uRPF) and use firewall filters and ACLs.

You should update to Juniper's new OS because, quite simply, the newest version of Junos contains several security fixes, including one for the vulnerability in question. Unicast reverse-path forwarding is also a good idea because it allows the destination router to examine the source address, determine its reachability and discard any packets that contain an unreachable source address. Firewall filters and ACLs are a basic practice that should be implemented regardless of the vulnerabilities found in a given network device.

But to your larger question as to what to do when a flaw is discovered in enterprise networking software or firmware, my first suggestion is to immediately ensure that your software is completely up to date. If it is not, update it right away because networking vendors like Juniper and Cisco Systems often confirm a flaw and simultaneously release a fix for it via an OS update. Secondly, if it is determined that the flaw is inherent to the overall family of software, then it is vital that the affected network device be placed behind a firewall until a mitigation can be formulated. If this isn't feasible, then you may want to consider replacing the device altogether.
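As an added example (not from the original article or from Juniper), here is a Python model of the source-address reachability check the answer describes (uRPF), in its strict and loose modes. The forwarding table, interface names and packets are constructed for illustration.

```python
import ipaddress

# Constructed forwarding table (prefix -> interface back toward that prefix).
# Prefixes and interface names are hypothetical.
FIB = {
    "10.0.0.0/8": "core0",
    "10.1.0.0/16": "cust1",
    "198.51.100.0/24": "cust2",
}
ROUTES = [(ipaddress.ip_network(p), ifc) for p, ifc in FIB.items()]


def reverse_path(src):
    """Longest-prefix match on the SOURCE address; returns interface or None."""
    addr = ipaddress.ip_address(src)
    matches = [(net.prefixlen, ifc) for net, ifc in ROUTES if addr in net]
    return max(matches)[1] if matches else None


def urpf_check(src, in_iface, mode="strict"):
    """Return 'accept' or 'drop' for a packet with source src seen on in_iface."""
    if mode not in ("strict", "loose"):
        raise ValueError(f"unknown uRPF mode: {mode}")
    back = reverse_path(src)
    if back is None:
        return "drop"    # no route back to the source at all
    if mode == "strict" and back != in_iface:
        return "drop"    # arrived on an interface the source is not behind
    return "accept"


# Constructed packets: (source address, ingress interface)
PACKETS = [
    ("10.1.2.3", "cust1"),    # genuine customer traffic
    ("10.1.2.3", "cust2"),    # cust1's address claimed from cust2: spoofed
    ("192.0.2.55", "cust2"),  # no route back to this source
    ("10.1.2.3", "core0"),    # legitimate but asymmetric return path
]

if __name__ == "__main__":
    for src, ifc in PACKETS:
        print(f"{src:<12} in={ifc:<6} "
              f"strict={urpf_check(src, ifc, 'strict'):<6} "
              f"loose={urpf_check(src, ifc, 'loose')}")
```

The last packet shows the operational caveat: strict mode also drops legitimate traffic whose return path is asymmetric, so it fits best on edge interfaces with a single path to the source.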

This was first published in August 2013
