Monday 21 January 2013

Junos : New Software Release Model for Security Products : Initial release-12.1X44

Products Affected: SRX100/110/210/220/240/550/650, SRX1400/3400/3600/5600/5800, JunosV Firefly (limited availability), J2320/2350/4350/6350, LN1000
Platforms Affected
  • SRX-series
  • JunosV Firefly
  • J-series

    Revision Number: 1
    Issue Date: 2013-01-18

    PSN Issue: Introducing new software release model for security products (Initial release-12.1X44). Security is an ever-changing landscape, and requires rapid introduction of security technologies to meet customer needs, while ensuring stability and quality of the services running on top of Junos.

    Solution: Juniper is adopting a software release model that allows for the rapid introduction of new security capabilities across its product lines. At the same time, the security services will leverage the architectural underpinnings of Junos OS including the CLI, scripting, and core capabilities. This release model ensures that new security services are introduced rapidly, while quality and stability on Junos OS is maintained.

    Solution Implementation: Through a software release model for security products, Juniper is releasing critical security features to market. The attached document explains the solution implementation in detail.

    Sunday 13 January 2013

    Junos : Login Classes

    Predefined Login Classes

    Login Class                 Permission Bits Set
    operator                    clear, network, reset, trace, view
    read-only                   view
    super-user and superuser    all
    unauthorized                None

    Wednesday 9 January 2013

    Junos: Enforcement of web-authentication policy stops after deleting client-match statement

    Products Affected This issue can affect all SRX Series service gateways with web-authentication policies configured.
    Platforms Affected
  • JUNOS 12.x
  • Security
  • JUNOS 11.x
  • JUNOS 10.x
  • SIRT Security Advisory


    PSN Issue:
    When modifying a web-authentication policy containing a client-match statement, removing the client-match statement causes the web-authentication policy to no longer be enforced. While the control plane configuration will still display as if web-authentication is required (the web-authentication login page still responds and the policies display still reflect the configuration), the actual effective policy that is pushed into the forwarding plane functions like a normal policy without web-authentication. This can cause open access to resources that are assumed to be protected by web-authentication.

    Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

    No other Juniper Networks products or platforms are affected by this issue.


    Solution:
    All Junos OS software releases built on or after 2012-07-12 have fixed this specific issue. Releases containing the fix specifically include: 10.0S27, 10.4S9, 10.4R10, 11.4R1, 12.1R1, and all subsequent releases (i.e. all releases built after 12.1R1).

    Customers can confirm the build date of any Junos OS release by issuing the command 'show version detail'.
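A build-date check along the lines the advisory describes, as an added example (not Juniper's code and not part of the original post): it parses saved 'show version detail' output and compares each component's build date with the 2012-07-12 cutoff. The "built by ... on YYYY-MM-DD" line shape and every hostname, version string and date in the samples are assumptions constructed for illustration.

```python
import re
from datetime import date

# Cutoff from the advisory: builds on or after this date contain the fix.
FIX_BUILD_DATE = date(2012, 7, 12)

# Assumed line shape: "<COMPONENT> ... built by <user> on YYYY-MM-DD HH:MM:SS UTC"
BUILT_RE = re.compile(
    r"^[ \t]*(?P<component>\S+)[^\n]*?\bbuilt by \S+ on (?P<day>\d{4}-\d{2}-\d{2})\b",
    re.MULTILINE,
)

def build_dates(output):
    """Return {component: build date} parsed from 'show version detail' text."""
    return {m["component"]: date.fromisoformat(m["day"])
            for m in BUILT_RE.finditer(output)}

def build_status(output):
    """Classify one device: 'fix-present', 'fix-missing' or 'unknown'."""
    dates = build_dates(output)
    if not dates:
        return "unknown"  # nothing parsed: do not assume the device is fixed
    # Judge by the oldest component so a partially upgraded system is not missed.
    oldest = min(dates.values())
    return "fix-present" if oldest >= FIX_BUILD_DATE else "fix-missing"

# Constructed sample outputs (hostnames, version strings and dates are made up).
SAMPLES = {
    "fw-branch-01": (
        "Hostname: fw-branch-01\n"
        "KERNEL EXAMPLE-A #0 built by builder on 2011-11-05 04:12:31 UTC\n"
        "MGD release EXAMPLE-A built by builder on 2011-11-05 04:20:02 UTC\n"
    ),
    "fw-dc-01": (
        "Hostname: fw-dc-01\n"
        "KERNEL EXAMPLE-B #0 built by builder on 2012-08-10 09:01:44 UTC\n"
        "MGD release EXAMPLE-B built by builder on 2012-08-10 09:07:13 UTC\n"
    ),
    "fw-lab-01": "error: connection timed out\n",
}

def audit(samples):
    """Map each hostname to its build status."""
    return {host: build_status(text) for host, text in samples.items()}

if __name__ == "__main__":
    for host, status in audit(SAMPLES).items():
        print(f"{host}: {status}")
```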

    This issue is being tracked as PR 749129 and is visible on the Customer Support website.

    KB16765 - "In which releases are vulnerabilities fixed?" describes in which releases vulnerabilities are fixed, as per our End of Engineering and End of Life support policies.

    Workarounds
    Deactivate and re-activate the affected security policy. This will assign a new policy index number and add the correct fw-auth flags in the PFE.

    Tuesday 8 January 2013

    Junos : Configuring Basic Settings for a Junos Space



    You must configure basic network and machine information to make your appliance accessible to the network.
    To configure the startup settings of the Junos Space appliance, follow these steps:
    1. At the serial console login prompt, type the default user name and press Enter. The default user name for console access is admin.
    2. At the login prompt, type the default password and press Enter. The default password for console access is abc123. Junos Space prompts you to change your default password.
    3. Enter the default password, then enter your new password. All passwords are case sensitive. You see passwd: all authentication tokens updated successfully.
    4. Enter a new IP address for interface ETH0 and press Enter.
    5. Enter a new subnet mask for interface ETH0 and press Enter.
    6. Enter the default gateway as a dotted decimal IP address and press Enter.
    7. Enter the nameserver address in dotted decimal notation for interface ETH0 and press Enter.
    8. Specify whether the Junos Space system will be added to an existing cluster.
      • If the appliance will not be added to an existing node cluster or is the first node in the cluster:
        • Enter n when prompted “Will this Junos Space system be added to an existing cluster?”
        • Enter the IP address for Web access.
    The IP address for Web access must be in the same subnet as the IP address for interface ETH0 but must be a different IP address.
        • Enter the display name for this node.
    This is the logical node name that Junos Space displays for the first node in a cluster.
      • If the JA1500 Appliance will be added to an existing node cluster, enter y when prompted “Will this Junos Space system be added to an existing cluster?”
    1. Enter the IP address for the Web GUI and press Enter.
    2. Enter the display name for the node and press Enter.
    3. Enter the password for the cluster maintenance mode.
    This is the password a maintenance mode administrator must specify to access maintenance mode and shut down all nodes.
    1. Reenter the password to confirm it. You see the settings summary:
    1> IP Change: eth0 is 1.1.1.1 / 1.1.1.1
    2> Default Gateway = 1.1.1.1 on eth0
    3> DNS add: 1.1.1.1
    4> Create as first node or standalone
    5> Web IP address is 1.1.1.1
    6> Node display name is "space1"
    7> Password for Junos Space maintenance mode is set.

    A> Apply settings
    C> Change settings
    Q> Quit and set up later
    R> Redraw menu

    Choice [ACQR]:
    1. If the settings are correct, type A and press Enter to apply them. You see the following:
    Applying Changes...
    Re-loading database
    5280 semi-random bytes loaded
    Generating RSA private key, 1024 bit long modulus
    ........................++++++
    .....++++++
    e is 65537 (0x10001)
    grep: /etc/ha.d/haresources: No such file or directory
    Stopping High-Availability services:
    [  OK  ]
    logd is already stopped
    heartbeat is stopped. No process
    Starting High-Availability services:
    2009/11/04_11:34:50 INFO:  Resource is stopped
    [  OK  ]
    Done!
    Adding password for user maintenance
    httpd is stopped
    Starting httpd: httpd: Could not reliably determine the server's fully qualified domain name, using 10.155.65.191 for ServerName
    [  OK  ]
    Starting MySQL.. SUCCESS!

    Welcome to the Junos Space Network Settings Utility.

    Initializing, please wait


    Junos Space Appliance Settings Menu

    1> Change Password
    2> Set Routing
    3> Set DNS Servers
    4> Change Time Options
    5> Retrieve Logs
    6> Security
    7> (Debug) run shell

    Q> Quit
    R> Redraw Menu

            Choice [1-7,QR]:
    1. Type 7 to run the shell. You see the following:
    Password:
    [root@junos-space-0256122008000008 ~]# ls
    anaconda-ks.cfg  install.log  install.log.syslog
    [root@junos-space-0256122008000008 ~]# df -h
    Filesystem            Size  Used Avail Use% Mounted on
    /dev/sda1             3.8G  1.3G  2.4G  34% /
    /dev/mapper/jmpvgnocf-lvvar
                          1.8T  316M  1.7T   1% /var
    tmpfs                 4.0G     0  4.0G   0% /dev/shm
    [root@junos-space-0256122008000008 ~]# jmp_setup

    Welcome to the Junos Space Network Settings Utility.

    Initializing, please wait


    Junos Space Appliance Settings Menu

    1> Change Password
    2> Set Routing
    3> Set DNS Servers
    4> Change Time Options
    5> Retrieve Logs
    6> Security
    7> (Debug) run shell

    Q> Quit
    R> Redraw menu

    Choice [1-7,QR]:
    1. Type Q to quit.
    The configuration of the Junos Space Appliance is now complete.

    Thursday 3 January 2013

    Junos : SRX Series Services Gateway

    The SRX Series Services Gateways are high-performance security, routing and network solutions for enterprise and service providers. SRX Series gateways pack high port-density, advanced security, and flexible connectivity, into a single, easily managed platform that supports fast, secure, and highly-available, data center and branch operations.
    SRX Series Service Gateways are based on Junos, Juniper's proven operating system which delivers security and advanced protection services, the foundation of the world's largest networks. Junos also supports rich routing capabilities, and Junos' unique architecture provides reliable service operations and manageability, even under the highest loads.
    The cost effectiveness and the versatility of the SRX Series platforms result in some of the best price-performance ratios in the industry. Hardware and OS consolidation, operational flexibility and unmatched performance simplify deployment and operations, delivering an attractive low TCO.

    SRX Series Services Gateways for the Data Center

    These platforms deliver market-leading performance, scalability and service integration in a chassis-based form factor ideally suited for medium to large enterprise and service provider data centers and large campus environments where scalability, high performance and concurrent services, are essential.
    Designed from the ground up to provide flexible processing and scalability, the SRX Series can meet the network and security requirements of data center hyper-consolidation, rapid managed services deployments, and aggregated security solutions. The SRX Series Services Gateways provide unrivaled performance and scalability, ensuring uninterrupted expansion and growth of your network infrastructure without sacrificing security.

    SRX Series Services Gateways for the Branch

    Branch SRX Series Gateways deliver secure and manageable networks of up to thousands of sites. A wide variety of product options efficiently support a range of performance, functionality, security, and budget requirements, connecting and protecting from a handful to thousands of users.
    The consolidation of routing, WAN connectivity, switching, and Unified Threat Management (UTM) simplifies deployment and administration while delivering fast and consistent service quality regardless of user location. UTM services include best-in-class antivirus, antispam, URL filtering, firewall/VPN and AppSecure application level security that enable the branch SRX Series to be a full-featured solution. The routing services include IPv4 and IPv6 unicast and multicast, extensive NAT, QoS, performance and SLA monitoring, and flow management features.