STIGQter: STIG Summary: Infrastructure Router Security Technical Implementation Guide Juniper Version: 8 Release: 29 Benchmark Date: 25 Jan 2019: The network device must require authentication prior to establishing a management connection for administrative access.

DISA Rule

SV-28748r3_rule

Vulnerability Number

V-3175

Group Title

Management connections must require passwords.

Rule Version

NET1636

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Configure authentication for all management connections.

Check Contents

Review the network device configuration to verify all management connections for administrative access require authentication.

With the exception of root, all user access privileges to a Juniper router are defined in a class. All users who log in to the router must be in a login class. Hence, user access to the router is via login class. Following is an example:

[edit system]
authentication-order [ radius password ];
radius-server {
    192.168.6.5 {
        secret "xxxxxxx";
    }
}
login {
    /* login classes */
    class tier1 {
        idle-timeout 10;
        permissions all;
    }
    class tier2 {
        idle-timeout 10;
        permissions [ configure interface network routing snmp system trace view firewall ];
    }
    /* local emergency account */
    user admin {
        full-name Administrator;
        uid 2000;
        class tier1;
        authentication {
            encrypted-password "xxxx"; # SECRET-DATA
        }
    }
    /* RADIUS templates */
    user tier1 {
        uid 2001;
        class tier1;
    }
    user tier2 {
        uid 2002;
        class tier2;
    }
}

Note: When SSH is enabled, all users can use this service to access the router, including the root account. Access to the root account via SSH must be disabled with the root-login deny command. Following is an example configuration:

[edit system]
services {
    ssh {
        root-login deny;
    }
}
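As an added, self-contained check (not part of the STIG or of STIGQter), the following Python parses a Junos-style configuration into a tree and evaluates the conditions this check describes: an authentication-order is set, every login user is assigned a login class, and SSH, when present, carries root-login deny. The sample configuration and the function names are constructed for illustration.

```python
import re

# Constructed sample modelled on the STIG's example configuration (not a real device).
COMPLIANT = """
system {
    authentication-order [ radius password ];
    services { ssh { root-login deny; } }
    login {
        class tier1 { idle-timeout 10; permissions all; }
        user admin { uid 2000; class tier1; }   # local emergency account
        user tier1 { uid 2001; class tier1; }   # RADIUS template
    }
}
"""

def parse_junos(text):
    """Parse Junos curly-brace syntax into nested dicts keyed by statement text."""
    text = re.sub(r"/\*.*?\*/|#[^\n]*", "", text, flags=re.S)  # drop both comment styles
    stack, pending = [{}], None            # stack[-1] is the block currently open
    for tok in re.findall(r"[{};]|[^{};\s][^{};]*", text):
        tok = " ".join(tok.split())        # normalise internal and trailing whitespace
        if tok in ("{", ";"):              # open a block, or close a leaf statement
            stack[-1][pending] = child = {}
            if tok == "{":
                stack.append(child)
            pending = None
        elif tok == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        else:
            pending = tok
    if len(stack) != 1:
        raise ValueError("unclosed block at end of input")
    return stack[0]

def check_net1636(config):
    """Return NET1636 findings for a parsed config; an empty list means compliant."""
    findings = []
    system = config.get("system", {})
    if not any(k.startswith("authentication-order") for k in system):
        findings.append("no authentication-order under [edit system]")
    users = {k.split()[1]: v for k, v in system.get("login", {}).items() if k.startswith("user ")}
    for name, body in users.items():
        if not any(k.startswith("class ") for k in body):
            findings.append("user %s has no login class" % name)
    ssh = system.get("services", {}).get("ssh")
    if ssh is not None and "root-login deny" not in ssh:  # root must not log in over SSH
        findings.append("SSH enabled without root-login deny")
    return findings
```

Feed it the output of `show configuration` from the device under review; any returned finding is an open item for this check.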

Documentable

False

Severity Override Guidance

Check Content Reference

M

Responsibility

Information Assurance Officer

Target Key

510

Comments