Check: JUEX-NM-000080
Juniper EX Series Switches Network Device Management STIG:
JUEX-NM-000080
(in versions v2 r2 through v1 r1)
Title
The Juniper EX switch must be configured to enforce the limit of three consecutive invalid logon attempts for any given user, after which time it must block any login attempt for that user for 15 minutes. (Cat II impact)
Discussion
By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Introducing a lockout period significantly increases the time required for each brute-force attack and increases the likelihood that security personnel will identify (and can respond to) an ongoing attack and/or that the authorized owner will recognize and report the unauthorized activity.
Check Content
Juniper switches maintain the number of failed login attempts per user until the session is restarted or, if lockout-period is configured, until the next successful login. If the permissible number of failed login attempts is reached, the switch prevents logging in for the duration of the lockout-period (1..43200 minutes) regardless whether the account is locally or externally authenticated and across all management access methods (e.g., local console and SSH). Review the device configuration to verify that it enforces the limit of three consecutive invalid logon attempts before introducing a 15 minute lockout period. [edit system login] retry-options { tries-before-disconnect 3; lockout-period 15; } If the device is not configured to enforce the limit of three consecutive invalid logon attempts before introducing a 15-minute block on subsequent login attempts, this is a finding.
Fix Text
Configure the network device to enforce the limit of three consecutive invalid logon attempts and to block subsequent login attempts for 15 minutes. set system login retry-options tries-before-disconnect 3 set system login retry-options lockout-period 15
Additional Identifiers
Rule ID: SV-253885r960840_rule
Vulnerability ID: V-253885
Group Title: SRG-APP-000065-NDM-000214
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000044 |
Enforce the organization-defined limit of consecutive invalid logon attempts by a user during the organization-defined time period. |
Controls
Number | Title |
---|---|
AC-7 |
Unsuccessful Logon Attempts |