An error occurred:

Check: JUEX-NM-000080

Juniper EX Series Switches Network Device Management STIG: JUEX-NM-000080 (in versions v1 r5 through v1 r1)

Title

The Juniper EX switch must be configured to enforce the limit of three consecutive invalid logon attempts for any given user, after which time it must block any login attempt for that user for 15 minutes. (Cat II impact)

Discussion

By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Introducing a lockout period significantly increases the time required for each brute-force attack and increases the likelihood that security personnel will identify (and can respond to) an ongoing attack and/or that the authorized owner will recognize and report the unauthorized activity.

Check Content

Juniper switches maintain the number of failed login attempts per user until the session is restarted or, if lockout-period is configured, until the next successful login. If the permissible number of failed login attempts is reached, the switch prevents logging in for the duration of the lockout-period (1..43200 minutes) regardless whether the account is locally or externally authenticated and across all management access methods (e.g., local console and SSH). Review the device configuration to verify that it enforces the limit of three consecutive invalid logon attempts before introducing a 15 minute lockout period. [edit system login] retry-options { tries-before-disconnect 3; lockout-period 15; } If the device is not configured to enforce the limit of three consecutive invalid logon attempts before introducing a 15-minute block on subsequent login attempts, this is a finding.

Fix Text

Configure the network device to enforce the limit of three consecutive invalid logon attempts and to block subsequent login attempts for 15 minutes. set system login retry-options tries-before-disconnect 3 set system login retry-options lockout-period 15

Additional Identifiers

Rule ID: SV-253885r879546_rule

Vulnerability ID: V-253885

Group Title: SRG-APP-000065-NDM-000214

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000044

The information system enforces the organization-defined limit of consecutive invalid logon attempts by a user during the organization-defined time period.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AC-7

Unsuccessful Logon Attempts