Earlier this year there was a Juniper vulnerability affecting the networking vendor's router software. In cases like this, when a flaw is found in network hardware, what mitigations can be put in place to defend against it?
Ask the Expert!
Have questions about network security for expert Brad Casey? Send them via email today! (All questions are anonymous)
To be precise, the flaw was not found in the network hardware. According to several reports, and confirmed by Juniper itself, the flaw was found in the vendor's Junos operating system (OS) in versions released prior to Jan. 17, 2013. In this case, Juniper released sound advice for addressing the flaw: Update to its new OS, utilize unicast-reverse-packet forwarding and use firewall filters and ACLs.
You should update to Juniper's new OS because, quite simply, the newest version of Junos contains several security fixes, including for the vulnerability in question. The utilization of unicast-reverse-packet forwarding is also a good idea because it allows the destination router to examine the source address, determine its reachability and discard any packets that contain a nonreachable source address. The utilization of firewall filters and ACLs is a basic practice that should be implemented regardless of the vulnerabilities found in a given network device.
But to your larger question as to what to do when a flaw is discovered in enterprise networking software or firmware, my first suggestion is to immediately ensure that your software is completely up to date. If not, do so right away because networking vendors like Juniper and Cisco Systems often confirm a flaw and simultaneously release a fix for it via an OS update. Secondly, if it is determined that the flaw is inherent to the overall family of software, then it is vital that the affected network device be placed behind a firewall until a mitigation can be formulated. If this isn't feasible, then you may want to consider replacing the device altogether.
This was first published in August 2013