Best Security Practices for Juniper (Junos OS) on the Management Plane

Separate management traffic from data/customer traffic on your Juniper devices (e.g. QFX Series switches, MX Series routers). In Junos this means putting the management port (em0/fxp0) in the dedicated management routing instance (mgmt_junos) so that management packets never share a routing table with customer traffic. Only management and administrative protocols such as SSH, SNMP, NTP, syslog and AAA (TACACS+) should travel over the management plane.

Here are the recommended configurations and practices for these management services.

  1. Configure Authentication, Authorization and Accounting (AAA)
    - Preferably set up a centralized TACACS+ server to manage all devices. Central authentication lets you audit and control who changes configuration, with individual or group profiles carrying specific rights (read-only, or an allow-list of permitted commands).
    - Integrate the TACACS+ server with LDAP or Active Directory so that account changes are tracked in one place and password complexity and expiry are enforced by one central policy rather than per device.

Sample configuration (assuming the TACACS+ server is 192.168.10.10 and the management IP is 192.168.1.88). You type the shared secret in plain text; the $9$ strings shown below are what "show configuration | display set" prints after the commit, when Junos has obfuscated the secret:

user1@JUNOS1-re0> configure
Entering configuration mode
{master}[edit]
user1@JUNOS1-re0#

set system tacplus-server 192.168.10.10 secret "$9$5LQNi.5FqPTAoDjbZLxN-YGif5FxW"
set system tacplus-server 192.168.10.10 timeout 30
set system tacplus-server 192.168.10.10 single-connection
set system tacplus-server 192.168.10.10 source-address 192.168.1.88
set system accounting destination tacplus server 192.168.10.10 secret "$9$Xxb2Zi.mT8XUHm-49GTG2aZQiqP8d"
set system accounting destination tacplus server 192.168.10.10 single-connection
set system accounting destination tacplus server 192.168.10.10 source-address 192.168.1.88

Related link –> Tacacs (Authentication and Accounting) Configuration in Juniper

2. Use Secure Shell (SSH) for Remote Access
- SSH encrypts the whole session (credentials and commands), so it should be the only way to reach the CLI remotely.

  • Disable Telnet (deactivating keeps the stanza in the configuration but inactive; deleting it removes it entirely, which is cleaner)

deactivate system services telnet

  • Run only SSH protocol version 2 (SSHv2), and cap the number of concurrent connections and the rate of new connections per second so a scanner cannot exhaust the daemon

set system services ssh protocol-version v2
set system services ssh connection-limit 10
set system services ssh rate-limit 10

  • Configure a firewall filter (the Junos equivalent of an ACL) to restrict who can open management sessions
    Assuming your jump host IPs are:
    192.168.30.11
    192.168.40.11

Step 1. Create a prefix list of the authorized IPs and a filter term that accepts SSH only from them, policed to 1 Mbit/s. Match on destination-port (not "port", which would also match packets merely sourced from port 22). Everything a filter's terms do not accept is discarded by the filter's implicit final action, which is the "deny all".

set policy-options prefix-list SSH-JUMPHOSTS 192.168.30.11/32
set policy-options prefix-list SSH-JUMPHOSTS 192.168.40.11/32

set firewall policer ssh-policer if-exceeding bandwidth-limit 1m
set firewall policer ssh-policer if-exceeding burst-size-limit 15k
set firewall policer ssh-policer then discard

set firewall family inet filter FIREWALL term REMOTE-ACCESS from source-prefix-list SSH-JUMPHOSTS
set firewall family inet filter FIREWALL term REMOTE-ACCESS from protocol tcp
set firewall family inet filter FIREWALL term REMOTE-ACCESS from destination-port ssh
set firewall family inet filter FIREWALL term REMOTE-ACCESS then policer ssh-policer
set firewall family inet filter FIREWALL term REMOTE-ACCESS then count REMOTE-ACCESS
set firewall family inet filter FIREWALL term REMOTE-ACCESS then accept

Step 2. Apply the filter as an input filter on the management interface of each Routing Engine and on lo0 (a filter on lo0 governs all traffic destined to the Routing Engine, not just what arrives on the management port). Caveat: because of the implicit discard, once FIREWALL is on lo0 only traffic its terms accept reaches the Routing Engine. Add terms for every protocol the box needs (the SNMP and NTP terms in sections 5 and 7, TACACS+ replies, ICMP, and any routing protocols that peer with lo0) before applying it, and commit with "commit confirmed" so a mistake rolls back automatically.

set interfaces lo0 unit 0 family inet filter input FIREWALL
set groups re0 interfaces em0 unit 0 family inet filter input FIREWALL
set groups re1 interfaces em0 unit 0 family inet filter input FIREWALL

Related link –>  SSH Configuration Examples in Juniper(JunOS)
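The filter above controls who can reach the SSH daemon; the daemon itself also has knobs worth setting. The following is an added example written for this page, not configuration from the original post. It assumes administrators authenticate through TACACS+ (so password/keyboard-interactive authentication must stay enabled and the no-passwords knob is deliberately not set) and a Junos release that offers the cipher, MAC and key-exchange options; confirm the exact lists on your release with "set system services ssh ?" before committing.

```junos
# Added example: SSH daemon hardening (assumes TACACS+ password logins, Junos release with cipher/mac/kex knobs)
# Remove clear-text and web management services outright rather than leaving them deactivated
delete system services telnet
delete system services web-management
# SSHv2 only and no direct root login; administrators use named accounts
set system services ssh protocol-version v2
set system services ssh root-login deny
# Modern algorithms only: no CBC ciphers, no SHA-1 MACs, no legacy DH groups
set system services ssh ciphers [ aes256-gcm@openssh.com aes256-ctr aes128-ctr ]
set system services ssh macs [ hmac-sha2-512 hmac-sha2-256 ]
set system services ssh key-exchange [ curve25519-sha256 ecdh-sha2-nistp384 ecdh-sha2-nistp256 ]
# Brute-force and resource limits: new connections per second, concurrent connections, sessions per connection
set system services ssh rate-limit 4
set system services ssh connection-limit 10
set system services ssh max-sessions-per-connection 3
# Tear down dead sessions: three missed keepalives at 60 s each
set system services ssh client-alive-interval 60
set system services ssh client-alive-count-max 3
# The router must not become an SSH pivot into other networks
set system services ssh no-tcp-forwarding
# Log additions/removals of users' authorized SSH keys to syslog
set system services ssh log-key-changes
```

The root account still needs a strong password (system root-authentication) for console and single-user recovery even with root-login denied over SSH. After committing, check "show system connections | match :22" to confirm only the jump hosts hold sessions.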

3. Configure Idle Timeout for SSH and console sessions
- An unattended session is an open door for anyone who reaches the terminal. Time out inactive sessions; 10 minutes or less is recommended.

The idle timeout is set per login class, in minutes, and applies to every user that lands in that class, including TACACS+-authenticated users mapped to it. Note that the "tacplus-server timeout" configured in section 1 is a different thing: it is the number of seconds Junos waits for a TACACS+ reply before trying the next server or falling back to local authentication, not a session timeout. Keep it small (a few seconds), because with a 30-second value every login hangs for half a minute per unreachable server.

set system login class superclass_user idle-timeout 10
set system tacplus-server 192.168.10.10 timeout 30


Related link –> Best Security Practices for SSH (Secure Shell) Remote Access in Juniper
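The TACACS+ configuration in section 1 and the idle timeout in this section both hinge on login classes, and two statements that the section 1 sample does not show are needed before TACACS+ actually does anything: an authentication-order that names tacplus, and the list of accounting events to send. The block below is an added example written for this page, not the original author's configuration. It assumes the server 192.168.10.10 is reached through mgmt_junos, the management IP is 192.168.1.88, and the TACACS+ server returns the attribute local-user-name = netops-admin for administrators; the class names, uids and the <shared-secret> and <hash> placeholders are assumptions.

```junos
# Added example: TACACS+ AAA with login classes (assumes mgmt_junos, server 192.168.10.10, mgmt IP 192.168.1.88)
# Without authentication-order naming tacplus, the server is configured but never consulted for logins
set system authentication-order tacplus
# Secret is typed in plain text and stored as a $9$ string on commit; short timeout so a dead server delays logins by seconds, not half a minute
set system tacplus-server 192.168.10.10 secret "<shared-secret>"
set system tacplus-server 192.168.10.10 timeout 5
set system tacplus-server 192.168.10.10 single-connection
set system tacplus-server 192.168.10.10 source-address 192.168.1.88
set system tacplus-server 192.168.10.10 routing-instance mgmt_junos
set system tacplus-options service-name junos-exec
# Accounting sends nothing until the events are listed: logins, config changes and every interactive command
set system accounting events [ login change-log interactive-commands ]
set system accounting destination tacplus server 192.168.10.10 secret "<shared-secret>"
set system accounting destination tacplus server 192.168.10.10 source-address 192.168.1.88
set system accounting destination tacplus server 192.168.10.10 routing-instance mgmt_junos
# Read-only class: view permissions plus an allow-list for ping/traceroute, 10 minute idle timeout
set system login class NETOPS-RO permissions [ view view-configuration ]
set system login class NETOPS-RO allow-commands "^(ping|traceroute) .*"
set system login class NETOPS-RO idle-timeout 10
# Admin class: full permissions, same idle timeout
set system login class NETOPS-ADMIN permissions all
set system login class NETOPS-ADMIN idle-timeout 10
# "remote" is the template every TACACS+ user falls into unless the server returns local-user-name: keep it read-only
set system login user remote full-name "TACACS+ default template" uid 9999 class NETOPS-RO
# Template chosen when the TACACS+ server returns local-user-name=netops-admin
set system login user netops-admin full-name "TACACS+ admin template" uid 9998 class NETOPS-ADMIN
# One local break-glass account for when TACACS+ is unreachable; <hash> is the SHA-512 crypt of a long random passphrase
set system login user emergency-admin uid 2000 class NETOPS-ADMIN authentication encrypted-password "<hash>"
# Console: drop the session when the terminal disconnects, and require the root password for single-user mode
set system ports console log-out-on-disconnect
set system ports console insecure
```

With only tacplus in authentication-order, Junos falls back to the local password database when no TACACS+ server answers, which is what makes the emergency-admin account usable during an outage; an explicit reject from the server is not overridden by local accounts unless "password" is also listed in the order. Check the mapping with "show system users" after logging in: the CLASS column should show NETOPS-RO or NETOPS-ADMIN, not super-user.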

4. Configure stricter password policies
If no TACACS+ server responds, Junos falls back to the local accounts, so those passwords are the last line of defence and deserve a strict policy. Implement password requirements such as:

  • at least 8 characters (longer is better; the Junos limit allows up to 20 as the enforced minimum)
  • both uppercase and lowercase characters
  • numbers
  • no dictionary words (Junos itself checks length, character classes and history only; dictionary checks must come from the central directory)

In Junos you have a few options to enforce password complexity, listed under set system login password:

set system login password ?

Possible completions:
change-type Password change type
format Encryption method to use for password
maximum-length Maximum password length for all users (20..128)
maximum-lifetime Maximum password lifetime in days (30..365)
minimum-changes Minimum number of changes in password
minimum-character-changes Minimum number of character changes between old and new passwords (4..15)
minimum-length Minimum password length for all users (6..20)
minimum-lifetime Minimum password lifetime in days (1..30)
minimum-lower-cases Minimum number of lower-case class characters in password (1..128)
minimum-numerics Minimum number of numeric class characters in password (1..128)
minimum-punctuations Minimum number of punctuation class characters in password (1..128)
minimum-reuse Minimum number of old passwords which should not be same as the new password (1..20)
minimum-upper-cases Minimum number of upper-case class characters in password (1..128)

More info from Juniper official doc –>  How to configure password complexity in Juniper
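As a worked example of the options listed above (added here, not part of the original post): the policy below enforces the bullet list, keeps a history, and slows down online guessing with the retry-options knobs. These rules apply only to passwords entered via plain-text-password, i.e. local accounts; directory users get their policy from LDAP/AD. Values are assumptions to adapt: a 10-minute lockout is deliberately short because an attacker who knows an account name can otherwise use lockout to deny you your own break-glass login, and maximum-lifetime is left unset for the same reason (an expired emergency account is useless during an outage).

```junos
# Added example: local password policy and brute-force slowdown (values are assumptions)
# Hash local passwords with SHA-512 (applies to passwords set after this commit)
set system login password format sha512
# At least 12 characters, drawn from at least 3 of the 4 character classes (upper, lower, digit, punctuation)
set system login password minimum-length 12
set system login password change-type character-sets
set system login password minimum-changes 3
# A new password may not repeat any of the last 5 and must differ from the old one in at least 4 characters
set system login password minimum-reuse 5
set system login password minimum-character-changes 4
# After 2 failures add a 5 s delay per further attempt, disconnect after 3, lock the account for 10 minutes
set system login retry-options backoff-threshold 2
set system login retry-options backoff-factor 5
set system login retry-options tries-before-disconnect 3
set system login retry-options lockout-period 10
```

Test the policy by setting a deliberately weak password on a scratch account with "set system login user test authentication plain-text-password"; the commit check rejects it with the rule that failed. Locked accounts are listed by "show system login lockout" and released with "clear system login lockout user <name>".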

5. Configure SNMP
SNMP (Simple Network Management Protocol) is an application-layer protocol for exchanging management information between SNMP managers and the agents running on network devices.
Run version 3: it authenticates every request and can encrypt the payload, whereas v1/v2c send the community string in clear text in every packet, so anyone who can sniff the management network can poll the device.

Here is a sample recommended configuration for SNMPv3, assuming:
192.168.11.0/25 and 192.168.12.0/25 - SNMP pollers
192.168.11.99 - SNMP trap server

Configure the general SNMP settings. For SNMPv2c the community must also be bound to the management routing instance, otherwise requests arriving through mgmt_junos are not answered; the community name below is the one used in the v2c example further down (do not leave a default or generic community such as "snmp" in the configuration). SNMPv3 carries the routing instance in its vacm context-prefix and target-address statements instead.

set snmp name SNMPNAME
set snmp description "SNMP DESCRIPTION HERE"
set snmp location DATACENTER
set snmp community 5NMPC0mmunityv2c routing-instance mgmt_junos


Create the prefix list of authorized SNMP hosts and the firewall term that accepts SNMP (UDP/161) only from them. The apply-path entry pulls every trap-group target into the list automatically, so a trap receiver that also polls does not need a separate entry; the static entries cover the poller ranges.

set policy-options prefix-list SNMP-HOSTS 192.168.11.0/25
set policy-options prefix-list SNMP-HOSTS 192.168.12.0/25
set policy-options prefix-list SNMP-HOSTS apply-path "snmp trap-group <*> targets <*>"

set firewall family inet filter FIREWALL term SNMP-ALLOW from source-prefix-list SNMP-HOSTS
set firewall family inet filter FIREWALL term SNMP-ALLOW from protocol udp
set firewall family inet filter FIREWALL term SNMP-ALLOW from destination-port snmp
set firewall family inet filter FIREWALL term SNMP-ALLOW then count SNMP-ALLOW
set firewall family inet filter FIREWALL term SNMP-ALLOW then accept

Sample config (the authentication and privacy keys are entered in plain text and stored as the encrypted $9$ strings shown). Three notes: set the engine-id before creating the USM user, because the localized keys depend on it and changing it later invalidates them; prefer authentication-sha over authentication-md5 wherever the NMS supports it; and keep the write-view line only if the NMS really needs SNMP SET, because as written it gives the poller write access to the entire MIB tree.

set groups SNMPv3-GROUP snmp location DATACENTER
set groups SNMPv3-GROUP snmp stats-cache-lifetime 30
set groups SNMPv3-GROUP snmp filter-duplicates
set groups SNMPv3-GROUP snmp v3 usm local-engine user SNMPUSER authentication-md5 authentication-key "$9$9JZji0B1xXN-wY2ahYNvIrtpBIRUikP8XESv8MWgaUN5TylKMoG/CREU."
set groups SNMPv3-GROUP snmp v3 usm local-engine user SNMPUSER privacy-aes128 privacy-key "$9$Q/Ctimf9ApIRSCAX7IhSB1EyrK8L-VwsaZUDG-b2gZUjqpuO1Rcev8X7-bs5z3/96s2TzFnCtu1k.P"
set groups SNMPv3-GROUP snmp v3 vacm security-to-group security-model usm security-name SNMPUSER group SNMPUSER_GROUP
set groups SNMPv3-GROUP snmp v3 vacm access group SNMPUSER_GROUP default-context-prefix security-model any security-level privacy read-view ALL_VIEW
set groups SNMPv3-GROUP snmp v3 vacm access group SNMPUSER_GROUP default-context-prefix security-model any security-level privacy write-view ALL_VIEW
set groups SNMPv3-GROUP snmp v3 vacm access group SNMPUSER_GROUP default-context-prefix security-model any security-level privacy notify-view ALL_VIEW
set groups SNMPv3-GROUP snmp v3 vacm access group SNMPUSER_GROUP context-prefix mgmt_junos security-model any security-level privacy read-view ALL_VIEW
set groups SNMPv3-GROUP snmp v3 vacm access group SNMPUSER_GROUP context-prefix mgmt_junos security-model any security-level privacy notify-view ALL_VIEW

set groups SNMPv3-GROUP snmp engine-id local SNMPUSER
set groups SNMPv3-GROUP snmp view ALL_VIEW oid .1.3.6.1 include
set groups SNMPv3-GROUP routing-instances mgmt_junos description "SNMPv3 Config"
set apply-groups SNMPv3-GROUP
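For comparison, here is a least-privilege variant of the polling configuration: SHA instead of MD5, a read-only view that hides the SNMPv3 user and access tables themselves, usm as the only security model, and no write-view. This is an added example written for this page, not the original author's configuration; it assumes the same pollers and mgmt_junos instance as above, and <auth-pass>/<priv-pass> are placeholders for passphrases of 8 or more characters that Junos stores as localized, obfuscated keys on commit.

```junos
# Added example: least-privilege SNMPv3 read-only user (assumes mgmt_junos; passphrases are placeholders)
# Answer requests that arrive through the management routing instance
set snmp routing-instance-access
# Engine ID first: USM keys are localized to it, so changing it afterwards invalidates every configured key
set snmp engine-id use-mac-address
# SHA authentication and AES-128 privacy; plain-text passphrases here, localized keys in the committed config
set snmp v3 usm local-engine user SNMP-RO authentication-sha authentication-password "<auth-pass>"
set snmp v3 usm local-engine user SNMP-RO privacy-aes128 privacy-password "<priv-pass>"
# Read view: the whole tree minus the USM user table (.15) and VACM access tables (.16)
set snmp view RO-VIEW oid .1.3.6.1 include
set snmp view RO-VIEW oid .1.3.6.1.6.3.15 exclude
set snmp view RO-VIEW oid .1.3.6.1.6.3.16 exclude
# Group binding: usm only (not "any"), privacy required, read-view only, no write-view
set snmp v3 vacm security-to-group security-model usm security-name SNMP-RO group SNMP-RO-GROUP
set snmp v3 vacm access group SNMP-RO-GROUP default-context-prefix security-model usm security-level privacy read-view RO-VIEW
set snmp v3 vacm access group SNMP-RO-GROUP context-prefix mgmt_junos security-model usm security-level privacy read-view RO-VIEW
```

Verify with "show snmp v3" (user, group and access entries) and a poll from a listed host; a poll from anywhere else should be dropped by the firewall term before the agent ever sees it, and "show snmp statistics" shows authentication failures from hosts that got through with the wrong credentials.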

- Some network, configuration and inventory management systems are still not fully ready for SNMPv3. If one of them has to poll the device, the only option is SNMPv2c with stricter controls:
a. a long, random community string (it is effectively a password)
b. a client list on the community, plus the firewall term above, so only the pollers can use it

SNMPv2c

Sample config. The community string is stored in the configuration and sent on the wire in clear text, which is why v2c is not advisable. The default authorization is read-only; never grant read-write to a v2c community.

set snmp community 5NMPC0mmunityv2c clients 192.168.11.0/25
set snmp community 5NMPC0mmunityv2c clients 192.168.12.0/25

TRAPS

SNMPv3:

set groups SNMPv3-GROUP snmp v3 target-address SNMPUSER_GROUP address 192.168.11.99
set groups SNMPv3-GROUP snmp v3 target-address SNMPUSER_GROUP tag-list SNMPUSER_GROUP-TAG
set groups SNMPv3-GROUP snmp v3 target-address SNMPUSER_GROUP address-mask 255.255.255.255
set groups SNMPv3-GROUP snmp v3 target-address SNMPUSER_GROUP routing-instance mgmt_junos
set groups SNMPv3-GROUP snmp v3 target-address SNMPUSER_GROUP target-parameters SNMPUSER_GROUP-parameters
set groups SNMPv3-GROUP snmp v3 target-parameters SNMPUSER_GROUP-parameters parameters message-processing-model v3
set groups SNMPv3-GROUP snmp v3 target-parameters SNMPUSER_GROUP-parameters parameters security-model usm
set groups SNMPv3-GROUP snmp v3 target-parameters SNMPUSER_GROUP-parameters parameters security-level privacy
set groups SNMPv3-GROUP snmp v3 target-parameters SNMPUSER_GROUP-parameters parameters security-name SNMPUSER
set groups SNMPv3-GROUP snmp v3 notify SNMPUSER_GROUP type trap
set groups SNMPv3-GROUP snmp v3 notify SNMPUSER_GROUP tag SNMPUSER_GROUP-TAG

 

SNMPv2c:

set snmp trap-options source-address 192.168.1.88
set snmp trap-options agent-address outgoing-interface
set snmp trap-group TRAPGROUP version v2
set snmp trap-group TRAPGROUP destination-port 162
set snmp trap-group TRAPGROUP categories authentication
set snmp trap-group TRAPGROUP categories chassis
set snmp trap-group TRAPGROUP categories link
set snmp trap-group TRAPGROUP categories remote-operations
set snmp trap-group TRAPGROUP categories routing
set snmp trap-group TRAPGROUP categories startup
set snmp trap-group TRAPGROUP categories rmon-alarm
set snmp trap-group TRAPGROUP categories configuration
set snmp trap-group TRAPGROUP targets 192.168.11.99
set snmp trap-group TRAPGROUP routing-instance mgmt_junos

Related link –> SNMPv2c and SNMPv3 Polling and Traps Configuration in Juniper

6. Configure Syslog Logging

Ship logs off-box to a central syslog server (and, on dual-RE chassis, mirror errors to the other Routing Engine) so that someone who compromises the device cannot simply erase the evidence. Recommended configuration, assuming the syslog server IP is 192.168.15.254. The "any notice" line sets the baseline; the facility-specific lines raise authorization, daemon, kernel and interactive-commands to every severity, and interactive-commands is what gives you a per-command audit trail of each CLI session. facility-override local6 tags everything with one facility so the collector can route Junos logs to a single pipeline, and explicit-priority includes the numeric facility and severity in every message.

Sample:

set system syslog host other-routing-engine any error
set system syslog host other-routing-engine log-prefix other-RE
set system syslog host 192.168.15.254 any notice
set system syslog host 192.168.15.254 authorization any
set system syslog host 192.168.15.254 daemon any
set system syslog host 192.168.15.254 kernel any
set system syslog host 192.168.15.254 interactive-commands any
set system syslog host 192.168.15.254 facility-override local6
set system syslog host 192.168.15.254 explicit-priority

Set the source address and routing instance so messages leave through the management instance from a fixed address, which is also the address the collector should allow-list:

set system syslog source-address 192.168.1.88
set system syslog routing-instance mgmt_junos


7. Configure NTP
- Network Time Protocol synchronizes device clocks. Point every device (and the NMS and log collector) at the same centralized NTP servers: accurate, consistent timestamps are what make it possible to reconstruct an outage or a security incident and correlate events across devices.
Note: configure NTP with authentication wherever your NTP servers support it, so a spoofed server cannot shift the clock and with it your log timeline and certificate validity checks.

Sample configuration (assuming 192.168.30.30 and 192.168.40.40 are the NTP servers and the management routing instance mgmt_junos is configured).

  • Set the firewall filter to accept NTP only from the authorized servers (the apply-path entry adds the device's own em0 address to the list), policed so a flood of NTP packets cannot exhaust the Routing Engine

set policy-options prefix-list NTP-SERVERS 192.168.30.30/32
set policy-options prefix-list NTP-SERVERS 192.168.40.40/32
set policy-options prefix-list NTP-SERVERS apply-path "interfaces em0 unit 0 family inet address <*>"

set firewall policer ntp-policer if-exceeding bandwidth-limit 1m
set firewall policer ntp-policer if-exceeding burst-size-limit 15k
set firewall policer ntp-policer then discard

set firewall family inet filter FIREWALL term NTP-ALLOW from source-prefix-list NTP-SERVERS
set firewall family inet filter FIREWALL term NTP-ALLOW from protocol udp
set firewall family inet filter FIREWALL term NTP-ALLOW from port ntp
set firewall family inet filter FIREWALL term NTP-ALLOW then policer ntp-policer
set firewall family inet filter FIREWALL term NTP-ALLOW then count NTP-ALLOW
set firewall family inet filter FIREWALL term NTP-ALLOW then accept

  • Configure the NTP servers

set system ntp server 192.168.30.30 routing-instance mgmt_junos
set system ntp server 192.168.40.40 routing-instance mgmt_junos

  • Set the source-address and routing-instance

set system ntp source-address 192.168.1.88 routing-instance mgmt_junos
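The SSH, SNMP and NTP terms in sections 2, 5 and 7 are all pieces of one Routing Engine protection filter, and a partial filter on lo0 is dangerous because of the implicit discard. The block below is an added example written for this page (not the original author's configuration) that consolidates them into one filter with a shared policer, the TACACS+ and ICMP terms the sections above do not show, and an explicit, counted final discard. It assumes the addresses used throughout this page, em0 as the management interface (fxp0 on MX), and no routing protocols peering with lo0; if the device runs BGP, OSPF, LDP, VRRP or uses DNS, add terms for them before DISCARD-ALL.

```junos
# Added example: consolidated RE protection filter (assumes this page's addresses, em0 mgmt port, no routing protocols on lo0)
set policy-options prefix-list SSH-JUMPHOSTS 192.168.30.11/32
set policy-options prefix-list SSH-JUMPHOSTS 192.168.40.11/32
set policy-options prefix-list SNMP-HOSTS 192.168.11.0/25
set policy-options prefix-list SNMP-HOSTS 192.168.12.0/25
set policy-options prefix-list NTP-SERVERS 192.168.30.30/32
set policy-options prefix-list NTP-SERVERS 192.168.40.40/32
set policy-options prefix-list TACACS-SERVERS 192.168.10.10/32
# One policer shared by the management terms: 1 Mbit/s is ample for SSH/SNMP/NTP and caps any flood
set firewall policer MGMT-1M if-exceeding bandwidth-limit 1m
set firewall policer MGMT-1M if-exceeding burst-size-limit 15k
set firewall policer MGMT-1M then discard
# SSH only from the jump hosts, matched on destination port
set firewall family inet filter RE-PROTECT term SSH from source-prefix-list SSH-JUMPHOSTS
set firewall family inet filter RE-PROTECT term SSH from protocol tcp
set firewall family inet filter RE-PROTECT term SSH from destination-port ssh
set firewall family inet filter RE-PROTECT term SSH then policer MGMT-1M
set firewall family inet filter RE-PROTECT term SSH then count SSH
set firewall family inet filter RE-PROTECT term SSH then accept
# SNMP polling only from the NMS ranges
set firewall family inet filter RE-PROTECT term SNMP from source-prefix-list SNMP-HOSTS
set firewall family inet filter RE-PROTECT term SNMP from protocol udp
set firewall family inet filter RE-PROTECT term SNMP from destination-port snmp
set firewall family inet filter RE-PROTECT term SNMP then policer MGMT-1M
set firewall family inet filter RE-PROTECT term SNMP then count SNMP
set firewall family inet filter RE-PROTECT term SNMP then accept
# NTP replies only from the configured servers
set firewall family inet filter RE-PROTECT term NTP from source-prefix-list NTP-SERVERS
set firewall family inet filter RE-PROTECT term NTP from protocol udp
set firewall family inet filter RE-PROTECT term NTP from port ntp
set firewall family inet filter RE-PROTECT term NTP then policer MGMT-1M
set firewall family inet filter RE-PROTECT term NTP then count NTP
set firewall family inet filter RE-PROTECT term NTP then accept
# TACACS+ replies: the router opens the TCP session, so only established traffic from port 49 is needed inbound
set firewall family inet filter RE-PROTECT term TACACS from source-prefix-list TACACS-SERVERS
set firewall family inet filter RE-PROTECT term TACACS from protocol tcp
set firewall family inet filter RE-PROTECT term TACACS from source-port 49
set firewall family inet filter RE-PROTECT term TACACS from tcp-established
set firewall family inet filter RE-PROTECT term TACACS then count TACACS
set firewall family inet filter RE-PROTECT term TACACS then accept
# Rate-limited ICMP so ping, traceroute and path-MTU discovery keep working
set firewall family inet filter RE-PROTECT term ICMP from protocol icmp
set firewall family inet filter RE-PROTECT term ICMP from icmp-type [ echo-request echo-reply unreachable time-exceeded ]
set firewall family inet filter RE-PROTECT term ICMP then policer MGMT-1M
set firewall family inet filter RE-PROTECT term ICMP then count ICMP
set firewall family inet filter RE-PROTECT term ICMP then accept
# Explicit final term: count and log drops so a forgotten protocol shows up in counters instead of as a silent outage
set firewall family inet filter RE-PROTECT term DISCARD-ALL then count DISCARD-ALL
set firewall family inet filter RE-PROTECT term DISCARD-ALL then log
set firewall family inet filter RE-PROTECT term DISCARD-ALL then syslog
set firewall family inet filter RE-PROTECT term DISCARD-ALL then discard
# Apply to lo0 (all RE-bound traffic) and to the management port on both Routing Engines
set interfaces lo0 unit 0 family inet filter input RE-PROTECT
set groups re0 interfaces em0 unit 0 family inet filter input RE-PROTECT
set groups re1 interfaces em0 unit 0 family inet filter input RE-PROTECT
```

Commit it with "commit confirmed 5" from a session on one of the jump hosts; if you lose the session the change rolls back in five minutes. Then watch "show firewall filter RE-PROTECT" and "show firewall log": a climbing DISCARD-ALL counter is the signal that some legitimate protocol still needs a term. The 1 Mbit/s policer on SSH also throttles scp of large files, so raise it or give scp its own term if you transfer software images over the management port.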

 

Verify ("*" marks the server the system is synchronized to, "+" a usable candidate; reach 377 means the last eight polls were all answered):

user1@JUNOS1-re0> show ntp associations
remote           refid    st t when poll reach  delay  offset jitter
===============================================================================
+192.168.30.30   .GPS.     1 -  535 1024  377   2.020  -0.067  0.080
*192.168.40.40   .GPS.     1 -  477 1024  377   1.945   0.117  0.109

Configuring NTP Authentication:

Syntax. Three parts are needed: define the key, mark it trusted, and reference it from each server statement; a key that no server statement names is never used, so the first two lines on their own authenticate nothing.

set system ntp trusted-key <value>
set system ntp authentication-key <key_number> type <md5/sha1/sha256> value <value2>

where:
<value> List of trusted authentication keys (1..65534)
<key_number> Authentication key number (1..65534)
<value2> Authentication key value
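A complete, worked version of the syntax above, added here as an example (not configuration from the original post). It assumes the two NTP servers from this section reached through mgmt_junos, a Junos release that offers sha256 under "set system ntp authentication-key <n> type ?", and that both servers hold key 10 with the same <shared-key>, which is a placeholder.

```junos
# Added example: NTP with SHA-256 message authentication (assumes mgmt_junos, servers from this section, key 10 on both servers)
set system ntp authentication-key 10 type sha256 value "<shared-key>"
# Only keys listed as trusted are honoured when checking server replies
set system ntp trusted-key 10
# Each server statement must reference the key, otherwise the exchange with that server stays unauthenticated
set system ntp server 192.168.30.30 key 10 routing-instance mgmt_junos
set system ntp server 192.168.40.40 key 10 routing-instance mgmt_junos
set system ntp source-address 192.168.1.88 routing-instance mgmt_junos
```

After the commit, "show ntp associations" should still show * and + against both servers. If the key number or value does not match what the server holds, its replies are discarded, so the association never becomes reachable and reach stays at 0; that is the quickest way to spot a mismatched key.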

 

Optional: Configure Timezone
Many teams keep network devices on UTC so that timestamps from devices, the NMS and the log collector correlate without conversion; if you use a local zone, use the same one everywhere. Sample config:

set system time-zone US/Pacific

Related link –> NTP Configuration via Management Routing Instance in Juniper

8. Configure MOTD or Banners
- The Junos login message is displayed before the login prompt (an "announcement", by contrast, is shown after a successful login). Configure it to notify unauthorized users that access is monitored and may be prosecuted, and keep it free of hostnames, software versions, owner names or contact details that would help an attacker.

Sample config:

set system login message "\n*************************************************************************\nSAMPLE MESSAGE HERE\n\nADDITIONAL MESSAGES HERE.\n\n*************************************************************************\n\n"

Related link:
Configuring Banner or Login Message in Juniper
