Junos : HARDENING JUNOS DEVICES CHECKLIST

Administrative

Research the latest Juniper Security Advisories

Install the latest supported/recommended version of Junos

Always verify cryptographic checksums prior to installation

Physical Security

If you’re redeploying a previously installed device, perform a media installation to ensure all previous configurations and data is removed

Console Port

… Configure the logout-on-disconnect feature

… Configure the insecure feature

Auxiliary Port

… Disable the Auxiliary port if you don’t have a valid use

… Configure the insecure feature

Diagnostic Ports

… set a strong password for Diagnostic ports

Craft Interface/LCD Menu

… Disable unnecessary functions for your environment

Disable unused network ports

Network Security

Use the Out-of-Band (OOB) interface for all management related traffic

Enable the default-address-selection option or, set the source address for all routing engine generated traffic (NTP, SNMP, Syslog, etc.)

Globally disable ICMP redirects

Ensure Source Routing has not been configured

Ensure IP directed broadcast has not been configured

Ensure Proxy ARP is either not configured, or is restricted to specific interfaces

Configure the routing engine (RE) to drop TCP packets with the SYN & FIN flag combination

Configure the RE to hide lo0 IP address for ICMP timestamp & record route requests

Configure LLDP only on required network ports

Management Services Security

Configure NTP with authentication with more than one trusted server

Configure SNMP using the most secure method with more than one trusted server

… Community strings and USM passwords should be difficult to guess and should follow a password complexity policy

… be sure to configure read-only access; use read-write only when absolutely required

… Allow queries and/or send traps to more than one trusted server

Send Syslog messages to more than one trusted server with enhanced timestamps

Configure automated secure configuration backups to more than one trusted server

Access Security

Configure a warning banner that is displayed prior to credentials being provided

Disable insecure or unnecessary access services (telnet, J-Web over HTTP, FTP, etc.)

Enable required secure access services:

… SSH

Use SSH version 2

Deny Root logins

                                                                                                                                                                                                             Set connection-limit and rate-limit restrictions suitable for your environment

… J-Web

Use HTTPS with a valid certificate signed by a trusted CA

Restrict access only from authorized particular interfaces

Terminate idle connections by setting the idle-time value

Set session-limit restrictions suitable for your environment

User Authentication Security

Configure a password complexity policy

… Minimum password length, character-sets, and minimum changes

… Use SHA1 for password storage

Ensure the root account has been configured with a strong password that meets your organization’s password complexity policy

Configure login security options to hinder password guessing attacks

Configure custom login classes to support engineers with different access levels using the least privilege principle

… Restrict commands by job function

… Set reasonable idle timeout values for all login classes

Centralized authentication

… Use a strong shared secret that complies with your organization’s password complexity policy

… Configure multiple servers for resiliency

… Configure accounting to trace activity and usage

… Create an emergency local account in the event authentication servers are unavailable

Local Authentication

… Use a strong password that complies with you organization’s password complexity policy

… Limit Local accounts to required users

… Know the origin and purpose for all configured local accounts

Set the authentication-order appropriately to meet your login security policy

Routing Protocol Security

Be sure routing protocols only on required interfaces

BGP communication should source from a loopback interface

Configure route authentication with internal and external trusted sources

… Select the strongest algorithm that is supported by your equipment and your neighbors

… Use strong authentication keys that meet your organization’s password complexity policy

… Limit key exposure by using separate authentication keys for different organizations

Periodically change route authentication keys in accordance with your organization’s security policy (consider using hitless key rollover if the routing protocol supports it)

Firewall Filter

Protect the Routing Engine using a firewall filter with a default deny policy

… Ensure to permit only required ICMP types and deny all other ICMP types and codes

… ensure the last term, default-deny, includes the syslog option so all denied traffic can be centrally monitored

Rate-limit common protocols used in flooding attacks

Rate-limit authorized protocols using polices (within reasonable limits)