Check: JUEX-NM-000640
Juniper EX Series Switches Network Device Management STIG:
JUEX-NM-000640
(in versions v2 r2 through v1 r1)
Title
The Juniper EX switch must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access. (Cat I impact)
Discussion
Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is particularly important protection against the insider threat. With robust centralized management, audit records for administrator account access to the organization's network devices can be more readily analyzed for trends and anomalies. The alternative method of defining administrator accounts on each device exposes the device configuration to remote access authentication attacks and system administrators with multiple authenticators for each network device.
Check Content
Review the network device configuration to verify the device is configured to use an authentication server as the primary source for authentication. Verify the RADIUS and/or TACACS+ server addresses. [edit system] radius-server { <RADIUS-1 address> secret "hashed PSK"; ## SECRET-DATA <RADIUS-2 address> secret "hashed PSK"; ## SECRET-DATA } tacplus-server { <TACPLUS-1 address> secret "hashed PSK"; ## SECRET-DATA <TACPLUS-2 address> secret "hashed PSK"; ## SECRET-DATA } Verify the authentication order places the external authentication server first. [edit system] authentication-order [ radius tacplus password ]; Note: Only the global authentication order is required; all administrative access methods will honor the global setting unless configured separately. If the network device is not configured to use an authentication server to authenticate users prior to granting administrative access, this is a finding.
Fix Text
Configure the network device to use an authentication server. set system radius-server <RADIUS-1 address> secret "<PSK>" set system tacplus-server <TACPLUS-1 address> secret "<PSK>" Configure the authentication order to use the authentication server as primary source for authentication. set system authentication-order radius set system authentication-order tacplus set system authentication-order password
Additional Identifiers
Rule ID: SV-253941r1001014_rule
Vulnerability ID: V-253941
Group Title: SRG-APP-000516-NDM-000336
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000366 |
Implement the security configuration settings. |
| CCI-000370 |
Manage configuration settings for organization-defined system components using organization-defined automated mechanisms. |
| CCI-003627 |
Disable accounts when the accounts have expired. |
| CCI-003628 |
Disable accounts when the accounts are no longer associated to a user. |
| CCI-003831 |
Alert organization-defined personnel or roles upon detection of unauthorized access, modification, or deletion of audit information. |
| CCI-004046 |
Implement multi-factor authentication for local; network; and/or remote access to privileged accounts; and/or non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access. |
| CCI-004047 |
Implement multi-factor authentication for local; network; and/or remote access to privileged accounts; and/or non-privileged accounts such that the device meets organization-defined strength of mechanism requirements. |
| CCI-004058 |
For password-based authentication, maintain a list of commonly used, expected, or compromised passwords on an organization-defined frequency. |
| CCI-004059 |
For password-based authentication, update the list of passwords on an organization-defined frequency. |
| CCI-004060 |
For password-based authentication, update the list of passwords when organizational passwords are suspected to have been compromised directly or indirectly. |
| CCI-004061 |
For password-based authentication, verify when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a). |
| CCI-004063 |
For password-based authentication, require immediate selection of a new password upon account recovery. |
| CCI-004064 |
For password-based authentication, allow user selection of long passwords and passphrases, including spaces and all printable characters. |
| CCI-004065 |
For password-based authentication, employ automated tools to assist the user in selecting strong password authenticators. |
| CCI-004068 |
For public key-based authentication, implement a local cache of revocation data to support path discovery and validation. |