An error occurred:

Check: JUEX-RT-000580

Juniper EX Series Switches Router STIG: JUEX-RT-000580 (in versions v1 r3 through v1 r1)

Title

The Juniper router must not be configured to have any zero-touch deployment feature enabled when connected to an operational network. (Cat II impact)

Discussion

Network devices configured via a zero-touch deployment or auto-loading feature can have their startup configuration or image pushed to the device for installation via TFTP or Remote Copy (rcp). Loading an image or configuration file from the network is taking a security risk because the file could be intercepted by an attacker who could corrupt the file, resulting in a denial of service.

Check Content

Review the device configuration to determine if a configuration auto-loading or zero-touch deployment feature is enabled. Verify the Juniper router is not configured with the factory default configuration. The Zero Touch Provisioning (ZTP) feature requires the factory default configuration. Juniper ZTP leverages Dynamic Host Configuration Protocol (DHCP) options to provide not only the interface address, but also the location of the upgrade image and configuration file. Interfaces configured for DHCP will not attempt to establish a ZTP session simply because DHCP is enabled but, instead, also require a factory default configuration. Therefore, if DHCP is authorized, removing the following [edit system] options, setting a root password, and committing will prevent the device from attempting ZTP. Verify the following are removed. [edit system] : : auto-configuration; << Delete this command. phone-home { << Delete this stanza. server <server URL>; rfc-compliant; } If a configuration auto-loading feature or zero-touch deployment feature is enabled, this is a finding. Note: Auto-configuration or zero-touch deployment features can be enabled when the router is offline for the purpose of image loading or building out the configuration. In addition, this would not be applicable to the provisioning of virtual routers via a software-defined network (SDN) orchestration system.

Fix Text

Disable all configuration auto-loading or zero-touch deployment features. delete system auto-configuration delete system phone-home Note: The "phone-home" command is hidden and must be fully typed into the CLI (autocomplete will not work). Configure the router with a nondefault configuration and commit.

Additional Identifiers

Rule ID: SV-254030r844123_rule

Vulnerability ID: V-254030

Group Title: SRG-NET-000362-RTR-000109

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-002355

The information system enforces access control decisions based on organization-defined security attributes that do not include the identity of the user or process acting on behalf of the user.
CCI-002385

The information system protects against or limits the effects of organization-defined types of denial of service attacks by employing organization-defined security safeguards.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AC-24 (2)

No User Or Process Identity
SC-5

Denial Of Service Protection