
Lessons learned from Juniper vulnerability in Junos OS

Expert Brad Casey says the recent Junos OS flaws demonstrate why enterprises must diligently update networking router software to stay secure.

Earlier this year there was a Juniper vulnerability affecting the networking vendor's router software. In cases like this, when a flaw is found in network hardware, what mitigations can be put in place to defend against it?


To be precise, the flaw was not found in the network hardware. According to several reports, and confirmed by Juniper itself, the flaw was found in the vendor's Junos operating system (OS) in versions released prior to Jan. 17, 2013. In this case, Juniper released sound advice for addressing the flaw: update to its new OS, enable unicast reverse-path forwarding (uRPF) and use firewall filters and ACLs.

You should update to Juniper's new OS because, quite simply, the newest version of Junos contains several security fixes, including one for the vulnerability in question. Enabling unicast reverse-path forwarding (uRPF) is also a good idea because it lets the receiving router examine each packet's source address, check whether that address is reachable and discard any packet whose source address is not. Using firewall filters and ACLs is a basic practice that should be implemented regardless of the vulnerabilities found in a given network device.

But to your larger question as to what to do when a flaw is discovered in enterprise networking software or firmware, my first suggestion is to immediately ensure that your software is completely up to date. If not, do so right away because networking vendors like Juniper and Cisco Systems often confirm a flaw and simultaneously release a fix for it via an OS update. Secondly, if it is determined that the flaw is inherent to the overall family of software, then it is vital that the affected network device be placed behind a firewall until a mitigation can be formulated. If this isn't feasible, then you may want to consider replacing the device altogether.
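The two configuration-level mitigations from the answer, uRPF on an ingress interface and a firewall filter on the loopback that governs traffic to the routing engine, shown as an added Junos configuration example; this is not code from the column or from Juniper's advisory, and the interface names, filter name and address ranges (documentation prefixes) are assumptions.

```junos
/* Added example, not Juniper's advisory text. Interface names, filter
   name and prefixes (RFC 5737 documentation ranges) are assumptions. */
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                /* strict uRPF: drop packets whose source is not routed back out
                   this interface; use "rpf-check { mode loose; }" on asymmetric paths */
                rpf-check;
                address 192.0.2.1/24;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                /* an input filter on lo0 applies to traffic destined to the routing engine */
                filter {
                    input PROTECT-RE;
                }
            }
        }
    }
}
firewall {
    family inet {
        filter PROTECT-RE {
            term mgmt-ssh {
                from {
                    /* assumed management network */
                    source-address {
                        198.51.100.0/24;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            /* add terms for the routing protocols and ICMP the device actually
               needs (e.g. bgp, ospf, ntp) ahead of the final discard term */
            term discard-rest {
                then {
                    count discard-rest;
                    discard;
                }
            }
        }
    }
}
```

The `count discard-rest` counter is what you watch (`show firewall filter PROTECT-RE`) to see how much unexpected traffic is reaching the routing engine after the filter is committed.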

This was last published in August 2013
