UCF STIG Viewer Logo

The network device must require authentication prior to establishing a management connection for administrative access.


Overview

Finding ID Version Rule ID IA Controls Severity
V-3175 NET1636 SV-28748r3_rule ECSC-1 High
Description
Network devices with no password for administrative access via a management connection provide the opportunity for anyone with network access to the device to make configuration changes enabling them to disrupt network operations resulting in a network outage.
STIG Date
Infrastructure Router - Juniper Security Technical Implementation Guide 2017-09-28

Details

Check Text ( C-29085r4_chk )
Review the network device configuration to verify all management connections for administrative access require authentication.

With the exception of root, all user access privileges to a Juniper router are defined in a class. All users who log in to the router must be in a login class. Hence, user access to the router is via login class. Following is an example:

[edit system]
authentication-order [ radius password ];
radius-server {
192.168.6.5 {
secret "xxxxxxx";
}
}
login {
/* login classes */
class tier1 {
idle-timeout 10;
permissions all;
}
class tier2 {
idle-timeout 10;
permissions [ configure interface network routing snmp system trace view firewall ];
}
/* local emgergency account */
user admin {
full-name Administrator;
uid 2000;
class tier1;
authentication {
encrypted-password "xxxx"; # SECRET-DATA
}
}
/* RADIUS templates */
user tier1 {
uid 2001;
class tier1;
}
user tier2 {
uid 2002;
class tier2;
}
}

Note: When SSH is enabled, all users can use this service to access the router---including the root account. Access to the root account via SSH must be disabled via root-login deny command. Following is an example configuration:

[edit system]
services {
ssh {
root-login deny;
Fix Text (F-3200r3_fix)
Configure authentication for all management connections.