Lessons learned from Juniper vulnerability in Junos OS

Earlier this year there was a Juniper vulnerability affecting the networking vendor's router software. In cases like this, when a flaw is found in network hardware, what mitigations can be put in place to defend against it?

To be precise, the flaw was not found in the network hardware. According to several reports, and confirmed by Juniper itself, the flaw was found in the vendor's Junos operating system (OS) in versions released prior to Jan. 17, 2013. In this case, Juniper released sound advice for addressing the flaw: update to its new OS, use unicast reverse-path forwarding (uRPF), and use firewall filters and ACLs.

You should update to Juniper's new OS because, quite simply, the newest version of Junos contains several security fixes, including one for the vulnerability in question. Using unicast reverse-path forwarding is also a good idea because it allows the receiving router to examine each packet's source address, determine whether that address is reachable and discard any packet whose source address is not. Using firewall filters and ACLs is a basic practice that should be implemented regardless of the vulnerabilities found in a given network device.

But to your larger question as to what to do when a flaw is discovered in enterprise networking software or firmware, my first suggestion is to immediately check whether your software is completely up to date. If it is not, update right away, because networking vendors like Juniper and Cisco Systems often confirm a flaw and simultaneously release a fix for it via an OS update. Secondly, if it is determined that the flaw is inherent to the overall family of software, then it is vital that the affected network device be placed behind a firewall until a mitigation can be formulated. If this isn't feasible, then you may want to consider replacing the device altogether.
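The reverse-path check described above can be modeled in a few lines. This is an added example, not code from the original article or from Juniper; the prefixes and interface names are constructed, and the `strict` mode (source must be reachable through the interface the packet arrived on) goes beyond the reachability test the article describes.

```python
import ipaddress

# Constructed forwarding table: (prefix, interface toward that prefix).
# Illustrative values only, not taken from any real device.
FIB = [
    ("10.1.0.0/16", "ge-0/0/1"),
    ("10.1.5.0/24", "ge-0/0/2"),
    ("192.0.2.0/24", "ge-0/0/0"),
]

def best_route(src, fib=FIB):
    """Longest-prefix match for src; returns (network, interface) or None."""
    addr = ipaddress.ip_address(src)
    matches = [(ipaddress.ip_network(p), ifc) for p, ifc in fib
               if addr in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen, default=None)

def urpf_check(src, ingress_if, mode="loose", fib=FIB):
    """Decide 'forward' or 'discard' for a packet from src seen on ingress_if.

    loose : the source only needs some route in the table.
    strict: the best route back to the source must use ingress_if
            (simplified: a single best path, no ECMP).
    """
    route = best_route(src, fib)
    if route is None:
        return "discard"      # no route back to the source: unreachable
    if mode == "strict" and route[1] != ingress_if:
        return "discard"      # reachable, but not via the arrival interface
    return "forward"

if __name__ == "__main__":
    # Constructed sample packets: (source address, arrival interface).
    packets = [("10.1.5.9", "ge-0/0/2"),      # legitimate
               ("10.1.5.9", "ge-0/0/1"),      # right prefix, wrong interface
               ("203.0.113.7", "ge-0/0/0")]   # no route to this source
    for src, ifc in packets:
        print(src, ifc,
              "loose=" + urpf_check(src, ifc, "loose"),
              "strict=" + urpf_check(src, ifc, "strict"))
    # Caveat in this model: a default route makes every source "reachable".
    with_default = FIB + [("0.0.0.0/0", "ge-0/0/0")]
    print("with default route:",
          urpf_check("203.0.113.7", "ge-0/0/0", "loose", with_default))
```

In this model, adding a default route causes the loose check to accept every source address, so the check alone does not replace the firewall filters and ACLs the article also recommends.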

This was first published in August 2013
