The Juniper EX switch must be configured to enforce the limit of three consecutive invalid logon attempts for any given user, after which time it must block any login attempt for that user for 15 minutes.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-253885	JUEX-NM-000080	SV-253885r879546_rule		Medium

Description
By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Introducing a lockout period significantly increases the time required for each brute-force attack and increases the likelihood that security personnel will identify (and can respond to) an ongoing attack and/or that the authorized owner will recognize and report the unauthorized activity.

Description

By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Introducing a lockout period significantly increases the time required for each brute-force attack and increases the likelihood that security personnel will identify (and can respond to) an ongoing attack and/or that the authorized owner will recognize and report the unauthorized activity.

STIG	Date
Juniper EX Series Switches Network Device Management Security Technical Implementation Guide	2023-03-23

Details

Check Text ( C-57337r844934_chk )
Juniper switches maintain the number of failed login attempts per user until the session is restarted or, if lockout-period is configured, until the next successful login. If the permissible number of failed login attempts is reached, the switch prevents logging in for the duration of the lockout-period (1..43200 minutes) regardless whether the account is locally or externally authenticated and across all management access methods (e.g., local console and SSH). Review the device configuration to verify that it enforces the limit of three consecutive invalid logon attempts before introducing a 15 minute lockout period. [edit system login] retry-options { tries-before-disconnect 3; lockout-period 15; } If the device is not configured to enforce the limit of three consecutive invalid logon attempts before introducing a 15-minute block on subsequent login attempts, this is a finding.

Check Text ( C-57337r844934_chk )

Juniper switches maintain the number of failed login attempts per user until the session is restarted or, if lockout-period is configured, until the next successful login. If the permissible number of failed login attempts is reached, the switch prevents logging in for the duration of the lockout-period (1..43200 minutes) regardless whether the account is locally or externally authenticated and across all management access methods (e.g., local console and SSH).

Review the device configuration to verify that it enforces the limit of three consecutive invalid logon attempts before introducing a 15 minute lockout period.

[edit system login]
retry-options {
tries-before-disconnect 3;
lockout-period 15;
}

If the device is not configured to enforce the limit of three consecutive invalid logon attempts before introducing a 15-minute block on subsequent login attempts, this is a finding.

Fix Text (F-57288r843687_fix)
Configure the network device to enforce the limit of three consecutive invalid logon attempts and to block subsequent login attempts for 15 minutes. set system login retry-options tries-before-disconnect 3 set system login retry-options lockout-period 15