An error occurred:

Check: JUEX-RT-000110

Juniper EX Series Switches Router STIG: JUEX-RT-000110 (in versions v1 r3 through v1 r1)

Title

The Juniper router must be configured to disable the auxiliary port unless it is connected to a secured modem providing encryption and authentication. (Cat III impact)

Discussion

The use of POTS lines to modems connecting to network devices provides clear text of authentication traffic over commercial circuits that could be captured and used to compromise the network. Additional war dial attacks on the device could degrade the device and the production network. Secured modem devices must be able to authenticate users and must negotiate a key exchange before full encryption takes place. The modem will provide full encryption capability (Triple DES) or stronger. The technician who manages these devices will be authenticated using an authorized MFA token and granted access to the appropriate maintenance port; thus, the technician will gain access to the managed device (router, switch, etc.). The token provides a method of strong (two-factor) user authentication. The token works in conjunction with a server to generate one-time user passwords. The user must know a personal identification number (PIN) and possess the token to be allowed access to the device.

Check Content

Review the configuration and verify that the auxiliary port is disabled unless a secured modem providing encryption and authentication is connected to it. The Junos auxiliary port is disabled by default. Verify the auxiliary port is not configured (there will be no [edit system ports auxiliary] stanza) or that the auxiliary port is explicitly disabled. [edit system ports] auxiliary { disable; } If the auxiliary port is not disabled or is not connected to a secured modem when it is enabled, this is a finding.

Fix Text

Disable the auxiliary port. set system ports auxiliary disable -or- delete system ports auxiliary If used for out-of-band administrative access, the port must be connected to a secured modem providing encryption and authentication.

Additional Identifiers

Rule ID: SV-253983r843982_rule

Vulnerability ID: V-253983

Group Title: SRG-NET-000019-RTR-000001

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001414

The information system enforces approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AC-4

Information Flow Enforcement