The network device must require authentication prior to establishing a management connection for administrative access.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-3175	NET1636	SV-28748r3_rule	ECSC-1	High

Description
Network devices with no password for administrative access via a management connection provide the opportunity for anyone with network access to the device to make configuration changes enabling them to disrupt network operations resulting in a network outage.

STIG	Date
Infrastructure Router - Juniper Security Technical Implementation Guide	2017-09-28

Details

Check Text ( C-29085r4_chk )
Review the network device configuration to verify all management connections for administrative access require authentication. With the exception of root, all user access privileges to a Juniper router are defined in a class. All users who log in to the router must be in a login class. Hence, user access to the router is via login class. Following is an example: [edit system] authentication-order [ radius password ]; radius-server { 192.168.6.5 { secret "xxxxxxx"; } } login { /* login classes / class tier1 { idle-timeout 10; permissions all; } class tier2 { idle-timeout 10; permissions [ configure interface network routing snmp system trace view firewall ]; } / local emgergency account / user admin { full-name Administrator; uid 2000; class tier1; authentication { encrypted-password "xxxx"; # SECRET-DATA } } / RADIUS templates */ user tier1 { uid 2001; class tier1; } user tier2 { uid 2002; class tier2; } } Note: When SSH is enabled, all users can use this service to access the router---including the root account. Access to the root account via SSH must be disabled via root-login deny command. Following is an example configuration: [edit system] services { ssh { root-login deny;

Check Text ( C-29085r4_chk )

Review the network device configuration to verify all management connections for administrative access require authentication.

With the exception of root, all user access privileges to a Juniper router are defined in a class. All users who log in to the router must be in a login class. Hence, user access to the router is via login class. Following is an example:

[edit system]
authentication-order [ radius password ];
radius-server {
192.168.6.5 {
secret "xxxxxxx";
}
}
login {
/* login classes */
class tier1 {
idle-timeout 10;
permissions all;
}
class tier2 {
idle-timeout 10;
permissions [ configure interface network routing snmp system trace view firewall ];
}
/* local emgergency account */
user admin {
full-name Administrator;
uid 2000;
class tier1;
authentication {
encrypted-password "xxxx"; # SECRET-DATA
}
}
/* RADIUS templates */
user tier1 {
uid 2001;
class tier1;
}
user tier2 {
uid 2002;
class tier2;
}
}

Note: When SSH is enabled, all users can use this service to access the router---including the root account. Access to the root account via SSH must be disabled via root-login deny command. Following is an example configuration:

[edit system]
services {
ssh {
root-login deny;

Fix Text (F-3200r3_fix)
Configure authentication for all management connections.