Administrative
Research the latest Juniper Security
Advisories
Install the latest supported/recommended version of Junos
Always verify cryptographic checksums prior to installation
Physical Security
If you’re
redeploying a previously installed device, perform
a media installation to
ensure all previous
configurations and data is removed
Console Port
Configure the logout-on-disconnect feature
Configure the insecure
feature
Auxiliary Port
Disable the Auxiliary
port if you don’t have a valid use
Configure the insecure
feature
Diagnostic Ports
set a strong password for Diagnostic ports
Craft Interface/LCD
Menu
Disable unnecessary functions for your environment
Disable unused network ports
Network Security
Use the Out-of-Band (OOB) interface for all management related traffic
Enable the default-address-selection option or, set the source address for all routing engine generated
traffic (NTP, SNMP, Syslog,
etc.)
Globally disable ICMP redirects
Ensure Source Routing has not been configured
Ensure IP directed
broadcast has not been configured
Ensure Proxy ARP is either not configured, or is restricted to specific interfaces
Configure the routing engine (RE) to drop TCP packets with the SYN & FIN flag
combination
Configure the RE to hide lo0 IP address for ICMP timestamp & record route
requests
Configure LLDP only on required
network ports
Management Services Security
Configure NTP with authentication with more than one trusted server
Configure SNMP using the most secure method with more than one trusted server
Community strings and USM passwords should be difficult to guess and should follow
a password complexity policy
be sure to configure
read-only access; use read-write only when absolutely required
Allow queries and/or
send traps to more than one trusted server
Send Syslog messages
to more than one trusted server with enhanced timestamps
Configure automated secure configuration backups to more than one trusted server
Access
Security
Configure a warning
banner that is displayed prior to credentials being provided
Disable insecure or unnecessary access services
(telnet, J-Web over HTTP, FTP, etc.)
Enable required secure access services:
SSH
Use SSH version
2
Deny Root logins
Set connection-limit and rate-limit restrictions suitable for your environment
J-Web
Use HTTPS with a valid certificate signed by a trusted CA
Restrict access only from authorized particular interfaces
Terminate idle connections by setting the idle-time
value
Set session-limit restrictions suitable for your environment
User Authentication Security
Configure a password complexity policy
Minimum password
length, character-sets, and minimum
changes
Use SHA1 for password storage
Ensure the root account
has been configured with a strong password that meets your organization’s password complexity policy
Configure login security
options to hinder password guessing attacks
Configure custom
login classes to support engineers with different access levels using the least privilege principle
Restrict commands by job function
Set reasonable
idle
timeout values for all login classes
Centralized authentication
Use a strong shared secret that complies with your organization’s password complexity policy
Configure multiple servers
for resiliency
Configure accounting to trace activity and usage
Create an emergency local account in the event authentication servers are unavailable
Local Authentication
Use a strong password that complies with you organization’s password
complexity policy
Limit
Local accounts to required users
Know the origin and purpose
for all configured local accounts
Set the authentication-order appropriately to meet your login security
policy
Routing Protocol Security
Be sure routing protocols only on required interfaces
BGP communication should source
from a loopback interface
Configure route authentication with internal and external
trusted sources
Select the strongest algorithm that is supported by your equipment
and
your neighbors
Use strong authentication keys that meet your organization’s password
complexity policy
Limit key exposure by using separate
authentication keys for different
organizations
Periodically change
route authentication keys in accordance with your organization’s
security policy (consider
using hitless key rollover if the routing protocol supports it)
Firewall Filter
Protect the Routing Engine using a firewall
filter with a default deny policy
Ensure to permit only required ICMP types and deny all other ICMP types and
codes
ensure the last term, default-deny, includes the syslog option so all denied traffic can be centrally
monitored
Rate-limit
common protocols used in flooding attacks
Rate-limit
authorized protocols using polices (within reasonable limits)
No comments:
Post a Comment