The network device must require authentication prior to establishing a management connection for administrative access.

From Infrastructure Router Security Technical Implementation Guide Juniper

Part of Management connections must require passwords.

Associated with IA controls: ECSC-1

SV-28748r3_rule The network device must require authentication prior to establishing a management connection for administrative access.

Vulnerability discussion

Network devices with no password for administrative access via a management connection provide the opportunity for anyone with network access to the device to make configuration changes enabling them to disrupt network operations resulting in a network outage.

Check content

Review the network device configuration to verify all management connections for administrative access require authentication. With the exception of root, all user access privileges to a Juniper router are defined in a class. All users who log in to the router must be in a login class. Hence, user access to the router is via login class. Following is an example: [edit system] authentication-order [ radius password ]; radius-server { 192.168.6.5 { secret "xxxxxxx"; } } login { /* login classes */ class tier1 { idle-timeout 10; permissions all; } class tier2 { idle-timeout 10; permissions [ configure interface network routing snmp system trace view firewall ]; } /* local emgergency account */ user admin { full-name Administrator; uid 2000; class tier1; authentication { encrypted-password "xxxx"; # SECRET-DATA } } /* RADIUS templates */ user tier1 { uid 2001; class tier1; } user tier2 { uid 2002; class tier2; } } Note: When SSH is enabled, all users can use this service to access the router---including the root account. Access to the root account via SSH must be disabled via root-login deny command. Following is an example configuration: [edit system] services { ssh { root-login deny;

Fix text

Configure authentication for all management connections.

Pro Tips

Powered by sagemincer