The Juniper router must be configured to disable the auxiliary port unless it is connected to a secured modem providing encryption and authentication.

From Juniper Router RTR Security Technical Implementation Guide

Part of SRG-NET-000019-RTR-000001

Associated with: CCI-001414

JUNI-RT-000230_rule The Juniper router must be configured to disable the auxiliary port unless it is connected to a secured modem providing encryption and authentication.

Vulnerability discussion

The use of POTS lines to modems connecting to network devices provides clear text of authentication traffic over commercial circuits that could be captured and used to compromise the network. Additional war dial attacks on the device could degrade the device and the production network.Secured modem devices must be able to authenticate users and must negotiate a key exchange before full encryption takes place. The modem will provide full encryption capability (Triple DES) or stronger. The technician who manages these devices will be authenticated using a key fob and granted access to the appropriate maintenance port; thus, the technician will gain access to the managed device (router, switch, etc.). The token provides a method of strong (two-factor) user authentication. The token works in conjunction with a server to generate one-time user passwords that will change values at second intervals. The user must know a personal identification number (PIN) and possess the token to be allowed access to the device.

Check content

Review the configuration and verify that the auxiliary port is disabled unless a secured modem providing encryption and authentication is connected to it. system { host-name XYZ; … … … ports { auxiliary { disable; type xterm; } } Note: If the auxiliary port has never been configured or has been removed from the configuration, it will not be shown in the configuration. If the auxiliary port is not disabled or is not connected to a secured modem when it is enabled, this is a finding.

Fix text

Disable the auxiliary port. [edit system ports] set auxiliary disable Note: If used for out-of-band administrative access, the port must be connected to a secured modem providing encryption and authentication.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer