Junos Default Security Settings

By Walter J. Goralski, Cathy Gadecki, Michael Bushong

Junos OS has a number of default behaviors that contribute to router security, behaviors that immediately take effect once you perform the initial router configuration.

  • Router access: By default, the only way to access the router is by physically connecting to the router’s console port. To configure the router initially, you must connect a laptop or other terminal directly to the console port. All other remote management access and management access protocols, such as Telnet, FTP, and SSH, are disabled. (On J-series routers, the web interface is enabled to aid in initial system configuration.)

    Once the initial configuration is complete, you need to enable a way to remotely log in to the router so you don’t have to be there physically to connect to the router’s console port. SSH provides the best security, and you configure it as follows:

    fred@router# set system services ssh

  • Configuring the router with SNMP set commands: Junos OS does not support the SNMP set capability for editing configuration data, the capability that lets an NMS modify the configurations on managed network devices. Junos OS does, by default, allow SNMP to query the status of the router, although no known security risks are associated with this.

  • Directed broadcast messages: Junos OS doesn’t forward these messages, which are datagrams with a destination address of an IP subnetwork broadcast address. Directed broadcasts are easy to spoof, and spoofed directed broadcasts are a method used in DoS attacks.

  • Martian addresses: Junos OS ignores routes for several reserved addresses (but not including the private addresses defined in RFC 1918). Martian addresses should never be seen on the Internet, but routes for these addresses are sometimes advertised by misconfigured routers. You can modify the list of Martian addresses, if you so desire.

    Martian addresses are host or network addresses about which all routing information is ignored. They commonly are sent by improperly configured systems on the network and have destination addresses that are obviously invalid.

  • Password encryption: When configuring the router, you need to enter passwords for various features. All these passwords are secured — either by encryption (a one-to-one mapping, which is possible to decrypt), or by hashing (a many-to-many mapping, which is impossible to unhash), or by algorithms — to keep them from being discovered.

    Even in cases where the Junos OS prompts you for a plain-text password, the software encrypts it immediately after you type it. When you display the password in the configuration file, you see only the encrypted version, marked as SECRET-DATA. For example, if you configure a plain-text password for a user login account, Junos encrypts it right away using SHA1.

  • Partial enforcement of strong passwords: Junos OS enforces the use of strong passwords to a certain extent, requiring that all passwords you configure be at least six characters long, have a change of case, and contain either digits or punctuation. The software rejects passwords that don’t meet these criteria.

    You can enhance the enforcement of strong passwords by configuring a longer minimum password length and by increasing the minimum number of case, digit, and punctuation changes:

    [edit system]
    fred@router# set login password minimum-length number
    [edit system]
    fred@router# set login password minimum-changes number

During the initial configuration of a new router, you set the root password as a plain-text password. Because the root user is able to perform any and all operations on the router, tightening access to the root login account is a good idea. One way to do so is to configure the root password using SSH key authentication.
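An audit of the settings described above, as an added example (not code from the original article or from Juniper): it reads a configuration in `display set` form and reports where it departs from the defaults and hardening steps this page covers. The sample configuration is constructed, and the `min_length` and `min_changes` thresholds are assumed site-policy values, not Junos defaults.

```python
import re

# Constructed sample in "show configuration | display set" form (not from a real device).
SAMPLE_CONFIG = """\
set system host-name lab-router
set system root-authentication encrypted-password "CONSTRUCTED-PLACEHOLDER"
set system services telnet
set system services ftp
set system services ssh
deactivate system services ftp
set system login password minimum-length 6
"""

def active_statements(config):
    """Return 'set' statements with the prefix stripped, skipping deactivated paths."""
    lines = [ln.strip() for ln in config.splitlines()]
    off = [ln[len("deactivate "):] for ln in lines if ln.startswith("deactivate ")]
    stmts = [ln[len("set "):] for ln in lines if ln.startswith("set ")]
    return [s for s in stmts if not any(s == d or s.startswith(d + " ") for d in off)]

def audit(config, min_length=10, min_changes=2):
    """Return a list of findings; the two thresholds are assumed site policy."""
    stmts = active_statements(config)
    findings = []
    services = {s.split()[2] for s in stmts if s.startswith("system services ")}
    for svc in ("telnet", "ftp"):  # disabled by default; both send credentials in cleartext
        if svc in services:
            findings.append(f"{svc}: cleartext management service enabled")
    if "ssh" not in services:
        findings.append("ssh: not enabled")
    text = "\n".join(stmts)
    for knob, floor in (("minimum-length", min_length), ("minimum-changes", min_changes)):
        m = re.search(rf"^system login password {knob} (\d+)$", text, re.M)
        if m is None:
            findings.append(f"{knob}: not configured, Junos default applies")
        elif int(m.group(1)) < floor:
            findings.append(f"{knob}: {m.group(1)} is below site minimum {floor}")
    if not any(s.startswith("system root-authentication ssh-") for s in stmts):
        findings.append("root-authentication: no SSH public key configured")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

The deactivated FTP statement is skipped on purpose: a `deactivate` line means the statement is present in the configuration but not in effect.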