Juniper EX Series Switches Network Device Management Security Technical Implementation Guide

Version

JUEX-NM-000270

Vuln IDs

V-253904

Rule IDs

SV-253904r1018762_rule

Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.

Checks: C-57356r843743_chk

Determine if the network device or its associated authentication server enforces a minimum 15-character password length. This requirement may be verified by demonstration or configuration review. [edit system login password] : minimum-length 15; : If the network device or its associated authentication server does not enforce a minimum 15-character password length, this is a finding.

Fix: F-57307r843744_fix

Configure the network device or its associated authentication server to enforce a minimum 15-character password length. set system login password minimum-length 15

b

The Juniper EX switch must be configured to enforce password complexity by requiring that at least one uppercase character be used.

Medium - CCI-004066 - V-253905 - SV-253905r1028866_rule

RMF Control

Severity

M

CCI

Version

JUEX-NM-000280

Vuln IDs

V-253905

Rule IDs

SV-253905r1028866_rule

Use of a complex passwords helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised. Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.

Checks: C-57357r1018696_chk

This requirement may be verified by demonstration, configuration review, or validated test results. [edit system login password] : minimum-upper-cases 1; : If the network device and associated authentication server does not require that at least one uppercase character be used in each password, this is a finding.

Fix: F-57308r1018697_fix

Configure the network device and associated authentication server to enforce password complexity by requiring that at least one uppercase character be used. set system login password minimum-upper-cases 1

b

The Juniper EX switch must be configured to enforce password complexity by requiring that at least one lowercase character be used.

Medium - CCI-004066 - V-253906 - SV-253906r1028873_rule

RMF Control

Severity

M

CCI

Version

JUEX-NM-000290

Vuln IDs

V-253906

Rule IDs

SV-253906r1028873_rule

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.

Checks: C-57358r1018705_chk

Where passwords are used, confirm that the network device and associated authentication server enforces password complexity by requiring that at least one lowercase character be used. This requirement may be verified by demonstration, configuration review, or validated test results. [edit system login password] : minimum-lower-cases 1; : If the network device and associated authentication server does not require that at least one lowercase character be used in each password, this is a finding.

Fix: F-57309r1018706_fix

Configure the network device and associated authentication server to enforce password complexity by requiring that at least one lowercase character be used. set system login password minimum-lower-cases 1

b

The Juniper EX switch must be configured to enforce password complexity by requiring that at least one numeric character be used.

Medium - CCI-004066 - V-253907 - SV-253907r1018765_rule

RMF Control

Severity

M

CCI

Version

JUEX-NM-000300

Vuln IDs

V-253907

Rule IDs

SV-253907r1018765_rule

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.

Checks: C-57359r843752_chk

Where passwords are used, confirm that the network device and associated authentication server enforces password complexity by requiring that at least one numeric character be used. This requirement may be verified by demonstration, configuration review, or validated test results. [edit system login password] : minimum-numerics 1; : If the network device and associated authentication server does not require that at least one numeric character be used in each password, this is a finding.

Fix: F-57310r843753_fix

Configure the network device and associated authentication server to enforce password complexity by requiring that at least one numeric character be used. set system login password minimum-numerics 1

b

The Juniper EX switch must be configured to enforce password complexity by requiring that at least one punctuation (special) character be used.

Medium - CCI-004066 - V-253908 - SV-253908r1018766_rule

RMF Control

Severity

M

CCI

Version

JUEX-NM-000310

Vuln IDs

V-253908

Rule IDs

SV-253908r1018766_rule

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.

Checks: C-57360r843755_chk

Where passwords are used, confirm that the network device and associated authentication server enforces password complexity by requiring that at least one punctuation (special) character be used. This requirement may be verified by demonstration, configuration review, or validated test results. [edit system login password] : minimum-punctuations 1; : If the network device and associated authentication server does not require that at least one special character be used in each password, this is a finding.

Fix: F-57311r843756_fix

Configure the network device and associated authentication server to enforce password complexity by requiring that at least one punctuation (special) character be used. set system login password minimum-punctuations 1

b

The Juniper EX switch must be configured to require that when a password is changed, the characters are changed in at least eight of the positions within the password.

Medium - CCI-004066 - V-253909 - SV-253909r1082956_rule

RMF Control

Severity

M

CCI

Version

JUEX-NM-000320

Vuln IDs

V-253909

Rule IDs

SV-253909r1082956_rule

If the application allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different. Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account. Note: For older Juniper EX versions, only four characters may be changed instead of the DOD-required eight characters. If so, four characters should be selected. This remains a finding when set to four characters, but is mitigated to a CAT 3.

Checks: C-57361r1082954_chk

For older Juniper EX versions, only four characters may be changed instead of the DOD-required eight characters. If so, four characters should be selected. This remains a finding when set to four characters, but is mitigated to a CAT 3. Where passwords are used, confirm the characters are changed in at least eight of the positions within the password. This requirement may be verified by demonstration, configuration review, or validated test results. [edit system login password] : minimum-character-changes 8; : If the network device and associated authentication server does not require that when a password is changed, the characters are changed in at least eight of the positions within the password, this is a finding.

Fix: F-57312r1082955_fix

Configure the network device and associated authentication server to require that when a password is changed, the characters are changed in at least eight of the positions within the password. set system login password minimum-character-changes 8 Note: For older Juniper EX versions, only four characters may be changed instead of the DOD-required eight characters. If so, four characters should be selected. This remains a finding when set to four characters, but is mitigated to a CAT 3.

c

The Juniper EX switch must be configured to only store cryptographic representations of passwords.

High - CCI-004062 - V-253910 - SV-253910r1018768_rule

RMF Control

Severity

H

CCI

CCI-004062

Version

JUEX-NM-000330

Vuln IDs

V-253910

Rule IDs

SV-253910r1018768_rule

Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Network devices must enforce cryptographic representations of passwords when storing passwords in databases, configuration files, and log files. Passwords must be protected at all times; using a strong one-way hashing encryption algorithm with a salt is the standard method for providing a means to validate a password without having to store the actual password. Performance and time required to access are factors that must be considered, and the one-way hash is the most feasible means of securing the password and providing an acceptable measure of password security. If passwords are stored in clear text, they can be plainly read and easily compromised. In many instances, verifying the user knows a password is performed using a password verifier. In its simplest form, a password verifier is a computational function that is capable of creating a hash of a password and determining if the value provided by the user matches the stored hash.

Checks: C-57362r843761_chk

Review the network device’s files using a text editor or a database tool that allows viewing data stored in database tables. Determine if password strings are readable/discernable. Determine if the network device, and any associated authentication servers, enforce only storing cryptographic representations of passwords. Verify that databases, configuration files, and log files have encrypted representations of all passwords, and that no password strings are readable/discernable. Potential locations include the local file system where configurations and events are stored, or in a network device related database table. Also identify if the network device uses the MD5 hashing algorithm to create password hashes. By default, Junos uses SHA-512 as the password hashing algorithm to save only hashed representations of passwords. Verify the hashing algorithm at [edit system login password] format. [edit system login password] : format sha512; If the network device, or any associated authentication servers, stores unencrypted (clear text) representations of passwords, this is a finding. If the network device uses MD5 hashing algorithm to create password hashes, this is a finding.

Fix: F-57313r843762_fix

Configure the network device, and any associated authentication servers, to store all passwords using cryptographic representations. set system login password format <sha-256|sha-512> Note: Although Junos supports the SHA-1 hashing algorithm, it is included only for backwards compatibility when restoring a previous configuration from an older version. Configure all associated databases, configuration files, and log files to use only encrypted representations of passwords, and that no password strings are readable/discernable. Potential locations include the local file system where configurations and events are stored, or in a network device-related database table.

c

The Juniper EX switch must be configured to use FIPS 140-2/140-3 validated algorithms for authentication to a cryptographic module.

IA-7 - High - CCI-000803 - V-253911 - SV-253911r1082959_rule

RMF Control

IA-7

Severity

H

CCI

CCI-000803

Version

JUEX-NM-000340

Vuln IDs

V-253911

Rule IDs

SV-253911r1082959_rule

Unapproved mechanisms used for authentication to the cryptographic module are not validated and therefore, cannot be relied upon to provide confidentiality or integrity, and DOD data may be compromised. Network devices utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2/140-3 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DOD requirements. However, authentication algorithms must configure security processes to use only FIPS-validated and NIST-recommended authentication algorithms.

Checks: C-57363r1082957_chk

Verify the password format, and that SSH uses FIPS validated algorithms and random number generator (RNG) as shown in the following example configuration. user@host> show configuration system login { password { : format <sha-256|sha-512>; } } services { ssh { : ciphers [ aes256-ctr aes256-cbc]; macs [ hmac-sha2-512 hmac-sha2-256 ]; key-exchange [ ecdh-sha2-nistp521 ecdh-sha2-nistp384 ecdh-sha2-nistp256 ]; : } } rng { hmac-drbg; } If the network device is not configured to use FIPS 140-2/140-3 validated authentication algorithms, this is a finding.

Fix: F-57314r1082958_fix

Configure the password format, SSH algorithms, and the RNG to use only FIPS validated algorithms. 1. Enter configuration mode. 2. Configure the password format. 3. Configure the SSH algorithms. 4. Configure the RNG. 5. Commit the configuration. user@host> configure user@host# set system login password format <sha-256|sha-512> user@host# set system services ssh ciphers aes256-ctr user@host# set system services ssh ciphers aes256-cbc user@host# set system services ssh macs hmac-sha2-512 user@host# set system services ssh macs hmac-sha2-256 user@host# set system services ssh key-exchange ecdh-sha2-nistp521 user@host# set system services ssh key-exchange ecdh-sha2-nistp384 user@host# set system services ssh key-exchange ecdh-sha2-nistp256 user@host# set system rng hmac-drbg user@host# commit

c

The Juniper EX switch must be configured to end all network connections associated with a device management session at the end of the session, or the session must be terminated after five minutes of inactivity except to fulfill mission requirements.

SC-10 - High - CCI-001133 - V-253913 - SV-253913r1082962_rule

RMF Control

SC-10

Severity

H

CCI

CCI-001133

Version

JUEX-NM-000360

Vuln IDs

V-253913

Rule IDs

SV-253913r1082962_rule

Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. This does not mean that the device terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.

Checks: C-57365r1082960_chk

Determine if the network device terminates the connection associated with a device management session at the end of the session or after five minutes of inactivity. This requirement may be verified by demonstration or configuration review. Junos permits the administrator to log out at the end of the session, which terminates the session and the network connection. Junos forcibly terminates the session and network connection upon exceeding the inactivity timeout threshold. Inactivity timeouts are assigned to login classes and apply to every administrative access method; there is no provision to set inactivity timeout differently for local (console) and network (remote) device management sessions. Verify the idle-timeout for the root user, and each login class, has an appropriate idle-timeout value. user@host> show configuration system login ... idle-timeout 5; class <name> { idle-timeout 5; ... } Note: Inactivity timeout (idle-timeout) must be assigned to every login class. If the network device does not terminate the connection associated with a device management session at the end of the session or after five minutes of inactivity, this is a finding.

Fix: F-57316r1082961_fix

Configure the network device to terminate the connection associated with a device management session at the end of the session or after five minutes of inactivity. There is no configuration required to support explicit logout ("quit" at the end of the session). 1. Enter configuration mode. 2. Configure inactivity timeout for root. 3. Configure inactivity timeout for all login classes. 4. Commit the configuration. user@host> configure user@host# set system login idle-timeout 5 user@host# set system login class <class name> idle-timeout 5 user@host# commit

c

The Juniper device must be configured to only allow authorized administrators to view or change the device configuration, system files, and other files stored either in the device or on removable media (such as a flash drive).

SC-28 - High - CCI-001199 - V-253914 - SV-253914r961128_rule

RMF Control

SC-28

Severity

H

CCI

CCI-001199

Version

JUEX-NM-000370

Vuln IDs

V-253914

Rule IDs

SV-253914r961128_rule

This requirement is intended to address the confidentiality and integrity of system information at rest (e.g., network device rule sets) when it is located on a storage device within the network device or as a component of the network device. This protection is required to prevent unauthorized alteration, corruption, or disclosure of information when not stored directly on the network device. Files on the network device or on removable media used by the device must have their permissions set to allow read or write access to those accounts that are specifically authorized to access or change them. Note that different administrative accounts or roles will have varying levels of access. File permissions must be set so that only authorized administrators can read or change their contents. Whenever files are written to removable media and the media removed from the device, the media must be handled appropriately for the classification and sensitivity of the data stored on the device.

Checks: C-57366r843773_chk

The Junos operating system maintains file permissions for all files on the device and cannot be configured otherwise. Because Juniper digitally signs and used cryptographic hashes, modified system files (specifically binary files) will invalidate the signature/hash and will not be executed. The Junos OS enforces the permissions assigned to each user to restrict access to system, configuration, and audit files via login classes. Every account must be assigned a login class by an authorized administrator. Verify each account is assigned a login class with appropriate permissions based on organizational requirements. Login classes support optional allow- and deny- directives as shown in the examples. Organizational requirements may require different allow- and deny- directives or no directives at all. [edit system login] class <name> { idle-timeout 10; permissions all; deny-commands "^clear (log|security log)|^(clear|show) security alarms alarm-type idp|^request (security|system set-encryption-key|system firmware upgrade re|system decrypt)|^rollback"; deny-configuration-regexps [ "security alarms potential-violation idp" "security (ike|ipsec) (policy|proposal)" "security ipsec ^vpn$ .* manual (authentication|encryption|protocol|spi)" "security log" "system fips self-test after-key-generation" "system (archival|syslog|root-authentication|authentication-order|master-password)" "system services ssh (protocol-version|root-login)" "system login password" "system login user [a-zA-Z0-9_-]+ (authentication|class)" "system login class [a-zA-Z0-9_-]+ (permissions|deny-|allow-)" ]; } class <name-1> { idle-timeout 10; permissions [ configure maintenance security system-control trace view-configuration ]; allow-commands "^clear (log|security log)|^show cli authorization"; deny-commands "^clear (security alarms|system login lockout)|^file (copy|delete|list|rename|show)|^request (security|system set-encryption-key|system firmware upgrade re)|^rollback|^set date|^show security (alarms|dynamic-policies|match-policies|policies)|^start shell|^request system (decrypt|halt|reboot|software|zeroize)"; deny-configuration-regexps [ "system (login|internet-options|scripts|services|time-zone|^[a-r]+)" "security services event-options" ]; security-role audit-administrator; } Verify "no-world-readable" for archived log files. [edit system syslog] archive size <file size> files <number of files> no-world-readable; If any files allow read or write access by accounts not specifically authorized access or by nonprivileged accounts, this is a finding.

Fix: F-57317r843774_fix

Configure the device to enforce RBAC permissions so only authorized administrators can read or change file contents. set system login class <name> permissions <permission sets or 'all'> set system login class <name> deny-commands <appropriate commands to deny> set system login class <name> deny-configuration-regexps <appropriate configuration hierarchy to deny> set system syslog archive size <file size> files <number of files> no-world-readable

b

The Juniper EX switch must be configured to enforce organization-defined role-based access control policies over defined subjects and objects.

CM-6 - Medium - CCI-000366 - V-253916 - SV-253916r987662_rule

RMF Control

CM-6

Severity

M

CCI

Version

JUEX-NM-000390

Vuln IDs

V-253916

Rule IDs

SV-253916r987662_rule

Organizations can create specific roles based on job functions and the authorizations (i.e., privileges) to perform needed operations on organizational information systems associated with the organization-defined roles. When administrators are assigned to the organizational roles, they inherit the authorizations or privileges defined for those roles. RBAC simplifies privilege administration for organizations because privileges are not assigned directly to every administrator (which can be a significant number of individuals for mid- to large-size organizations) but are instead acquired through role assignments. RBAC can be implemented either as a mandatory or discretionary form of access control. The RBAC policies and the subjects and objects are defined uniquely for each network device, so they cannot be specified in the requirement.

Checks: C-57368r843779_chk

Determine if the network device enforces role-based access control policy over defined subjects and objects. This requirement may be verified by demonstration, configuration review, or validated test results. This requirement may be met through use of a properly configured authentication server if the device is configured to use the authentication server. Juniper switches use role-based access controls (RBAC) to assign privilege levels. Account definitions in Junos are either "local" or "template", discriminated by the presence of an authentication stanza. Local accounts have an authentication stanza and support both external and local authentication. Template accounts do not have an authentication stanza and only support external authentication. Every account (local and template) must be assigned a login class by an authorized administrator. Verify each account is assigned a login class with appropriate permissions based upon organizational requirements. Login classes support optional allow- and deny- directives as shown in the examples. Organizational requirements may require different allow- and deny- directives or no directives at all. [edit system login] class <name> { idle-timeout 10; permissions all; deny-commands "^clear (log|security log)|^(clear|show) security alarms alarm-type idp|^request (security|system set-encryption-key|system firmware upgrade re|system decrypt)|^rollback"; deny-configuration-regexps [ "security alarms potential-violation idp" "security (ike|ipsec) (policy|proposal)" "security ipsec ^vpn$ .* manual (authentication|encryption|protocol|spi)" "security log" "system fips self-test after-key-generation" "system (archival|syslog|root-authentication|authentication-order|master-password)" "system services ssh (protocol-version|root-login)" "system login password" "system login user [a-zA-Z0-9_-]+ (authentication|class)" "system login class [a-zA-Z0-9_-]+ (permissions|deny-|allow-)" ]; } class <name-1> { idle-timeout 10; permissions [ configure maintenance security system-control trace view-configuration ]; allow-commands "^clear (log|security log)|^show cli authorization"; deny-commands "^clear (security alarms|system login lockout)|^file (copy|delete|list|rename|show)|^request (security|system set-encryption-key|system firmware upgrade re)|^rollback|^set date|^show security (alarms|dynamic-policies|match-policies|policies)|^start shell|^request system (decrypt|halt|reboot|software|zeroize)"; deny-configuration-regexps [ "system (login|internet-options|scripts|services|time-zone|^[a-r]+)" "security services event-options" ]; security-role audit-administrator; } Example local and template accounts: user <account of last resort> { uid 2000; class <name>; authentication { encrypted-password "$6$HEQnJP/W$/QD...<snip>...5r./"; ## SECRET-DATA } } user <account name> { uid 2015; class <name-1>; } Note: Accounts without an authentication stanza are template accounts, must be externally authenticated, and cannot log in locally. If role-based access control policy is not enforced over defined subjects and objects, this is a finding.

Fix: F-57319r843780_fix

Configure the network device or its associated authentication server to enforce role-based access control policy over defined subjects and objects. set system login class <name> permissions <permission sets or 'all'> set system login class <name> deny-commands <appropriate commands to deny> set system login class <name> deny-configuration-regexps <appropriate configuration hierarchy to deny> set system login user <account name> class <name>

b

The Juniper EX switch must be configured to allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.

AU-4 - Medium - CCI-001849 - V-253918 - SV-253918r961392_rule

RMF Control

AU-4

Severity

M

CCI

CCI-001849

Version

JUEX-NM-000410

Vuln IDs

V-253918

Rule IDs

SV-253918r961392_rule

To ensure network devices have a sufficient storage capacity in which to write the audit logs, they need to be able to allocate audit record storage capacity. The task of allocating audit record storage capacity is usually performed during initial device setup if it is modifiable. The value for the organization-defined audit record storage requirement will depend on the amount of storage available on the network device, the anticipated volume of logs, the frequency of transfer from the network device to centralized log servers, and other factors.

Checks: C-57370r843785_chk

Determine if the network device allocates audit record storage capacity in accordance with organization-defined audit record storage requirements. This requirement may be verified by configuration review or vendor-provided information. This requirement may be met through use of a properly configured syslog server if the device is configured to use the syslog server. Junos does not permit configuring audit logging storage space. However, the majority of disk space is reserved for local audit log storage and file are rotated using a first-in-first-out (FIFO) function. Verify external syslog servers are configured. [edit system syslog] host <address 1> { any info; } host <address 2> { any info; } If audit record store capacity is not allocated in accordance with organization-defined audit record storage requirements, or the device is not configured to use external syslog server(s), this is a finding.

Fix: F-57321r843786_fix

Configure the network device to allocate audit record storage capacity in accordance with organization-defined audit record storage requirements. Configure external syslog server(s): set system syslog host <address 1> any info set system syslog host <address 2> any info

b

The Juniper EX switch must be configured to generate an immediate real-time alert of all audit failure events requiring real-time alerts.

AU-5 - Medium - CCI-001858 - V-253919 - SV-253919r961401_rule

RMF Control

AU-5

Severity

M

CCI

CCI-001858

Version

JUEX-NM-000420

Vuln IDs

V-253919

Rule IDs

SV-253919r961401_rule

It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. Alerts provide organizations with urgent messages. Real-time alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less).

Checks: C-57371r843788_chk

Determine if the network device generates an immediate alert of all audit failure events requiring real-time alerts. Juniper network devices support monitoring the audit log storage partition (/var), monitoring the SNMP health status, or both. On devices supporting disk partition monitoring, verify the audit log partition (/var) free space is configured appropriately for the environment. For example, to generate "high disk usage" alerts at 80 percent capacity (20 percent free), and "full disk usage" at 90 percent capacity (10 percent free): [edit chassis] disk-partition /var { level full { free-space 10 percent; } level high { free-space 20 percent; } } Note: The configurable parameter is a percentage of free space remaining, not percentage used. "High" usage percent of remaining free space must be equal to, or greater than, the "full" usage percent of remaining free space. For network devices supporting SNMP health monitoring, verify the rising and falling threshold values for monitored objects (e.g., CPU, memory, and disk storage usage). In the example below, any monitored object exceeding 75 percent usage will generate an alert. Another alert is generated when the usage falls below 74 percent. As configured in the example, Junos samples every 300 seconds. The falling threshold value must be less than the rising threshold value. Verify the thresholds are appropriate for the target environment. [edit snmp] health-monitor { interval 300; rising-threshold 75; falling-threshold 74; } Note: Monitored objects generate an event the first time they cross a threshold, not at every sample interval. This requirement may be verified by configuration review or validated test results. If an immediate alert of all audit failure events requiring real-time alerts is not generated, this is a finding.

Fix: F-57322r843789_fix

Configure the network device to generate an immediate real-time alert of all audit failure events requiring real-time alerts. set chassis disk-partition /var level full free-space <0..100> set chassis disk-partition /var level full free-space percent set chassis disk-partition /var level high free-space <0..100> set chassis disk-partition /var level high free-space percent Note: "High" disk free-space value must be equal to or greater than "full" free-space value. set snmp health-monitor interval <1..2147483647 seconds> set snmp health-monitor rising-threshold <1..100 percent> set snmp health-monitor falling-threshold <0..100 percent> Note: Falling threshold value must be less than the rising-threshold value or commit fails.

b

The Juniper EX switch must be configured to synchronize internal information system clocks using redundant authoritative time sources.

Medium - CCI-004928 - V-253920 - SV-253920r1018769_rule

RMF Control

Severity

M

CCI

CCI-004928

Version

JUEX-NM-000430

Vuln IDs

V-253920

Rule IDs

SV-253920r1018769_rule

The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on audit events and other functions. Multiple time sources provide redundancy by including a secondary source. Time synchronization is usually a hierarchy; clients synchronize time to a local source while that source synchronizes its time to a more accurate source. The network device must utilize an authoritative time server and/or be configured to use redundant authoritative time sources. This requirement is related to the comparison done in CCI-001891. DOD-approved solutions consist of a combination of a primary and secondary time source using a combination or multiple instances of the following: A time server designated for the appropriate DOD network (NIPRNet/SIPRNet); United States Naval Observatory (USNO) time servers; and/or the Global Positioning System (GPS). The secondary time source must be located in a different geographic region than the primary time source.

Checks: C-57372r997747_chk

Determine if the network device is configured to synchronize internal information system clocks with the primary and secondary time sources. Verify the Network Time Protocol (NTP) configuration. [edit system ntp] authentication-key 1 type sha256 value "PSK"; ## SECRET-DATA authentication-key 2 type sha1 value "PSK"; ## SECRET-DATA server <address 1> key 1 prefer; ## SECRET-DATA server <address 2> key 2; ## SECRET-DATA trusted-key [ 1 2 ]; source-address <lo0 or OOBM address>; If the network device is not configured to synchronize internal information system clocks with the primary and secondary time sources, this is a finding.

Fix: F-57323r843792_fix

Configure the network device to synchronize internal information system clocks with the primary and secondary time sources. set system ntp authentication-key 1 type sha256 set system ntp authentication-key 1 value "PSK" set system ntp authentication-key 2 type sha1 set system ntp authentication-key 2 value "PSK" set system ntp server <address 1> key 1 set system ntp server <address 1> prefer set system ntp server <address 2> key 2 set system ntp trusted-key 1 set system ntp trusted-key 2 set system ntp source-address <lo0 or OOBM address>

b

The Juniper EX switch must be configured to record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).

AU-8 - Medium - CCI-001890 - V-253921 - SV-253921r961443_rule

RMF Control

AU-8

Severity

M

CCI

CCI-001890

Version

JUEX-NM-000440

Vuln IDs

V-253921

Rule IDs

SV-253921r961443_rule

If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis. Time stamps generated by the application include date and time. Time is commonly expressed in UTC, a modern continuation of GMT, or local time with an offset from UTC.

Checks: C-57373r843794_chk

Determine if the network device records time stamps for audit records that can be mapped to UTC or GMT. This requirement may be verified by demonstration or configuration review. Verify the time zone is UTC. [edit system] time-zone UTC; If the network device does not record time stamps for audit records that can be mapped to UTC or GMT, this is a finding.

Fix: F-57324r843795_fix

Configure the network device to record time stamps for audit records that can be mapped to UTC or GMT. set system time-zone UTC

b

The Juniper EX switch must be configured to prohibit installation of software without explicit privileged status.

Medium - CCI-003980 - V-253922 - SV-253922r1018770_rule

RMF Control

Severity

M

CCI

CCI-003980

Version

JUEX-NM-000450

Vuln IDs

V-253922

Rule IDs

SV-253922r1018770_rule

Allowing anyone to install software, without explicit privileges, creates the risk that untested or potentially malicious software will be installed on the system. This requirement applies to code changes and upgrades for all network devices.

Checks: C-57374r997749_chk

Determine if the network device prohibits installation of software without explicit privileged status. This requirement may be verified by demonstration or configuration review. Juniper switches use role-based access controls (RBAC) to assign privilege levels. Account definitions in Junos are either "local" or "template", discriminated by the presence of an authentication stanza. Local accounts have an authentication stanza and support both external and local authentication. Template accounts do not have an authentication stanza and only support external authentication. Every account (local and template) must be assigned a login class by an authorized administrator. Installation of firmware requires the maintenance permission bit. However, even with that bit set, software installation can be limited by the "deny-commands" statement (e.g., deny-commands "^request system software"). The command takes a regular expression (REGEX) enclosed in double quotes ("). Verify each account is assigned a login class with appropriate permissions based upon organizational requirements. Login classes support optional allow- and deny- directives as shown in the examples. Organizational requirements may require different allow- and deny- directives or no directives at all. [edit system login] class <name> { idle-timeout 10; permissions all; deny-commands "^clear (log|security log)|^(clear|show) security alarms alarm-type idp|^request (security|system set-encryption-key|system firmware upgrade re|system decrypt)|^rollback"; deny-configuration-regexps [ "security alarms potential-violation idp" "security (ike|ipsec) (policy|proposal)" "security ipsec ^vpn$ .* manual (authentication|encryption|protocol|spi)" "security log" "system fips self-test after-key-generation" "system (archival|syslog|root-authentication|authentication-order|master-password)" "system services ssh (protocol-version|root-login)" "system login password" "system login user [a-zA-Z0-9_-]+ (authentication|class)" "system login class [a-zA-Z0-9_-]+ (permissions|deny-|allow-)" ]; } class <name-1> { idle-timeout 10; permissions [ configure maintenance security system-control trace view-configuration ]; allow-commands "^clear (log|security log)|^show cli authorization"; deny-commands "^clear (security alarms|system login lockout)|^file (copy|delete|list|rename|show)|^request (security|system set-encryption-key|system firmware upgrade re)|^rollback|^set date|^show security (alarms|dynamic-policies|match-policies|policies)|^start shell|^request system (decrypt|halt|reboot|software|zeroize)"; deny-configuration-regexps [ "system (login|internet-options|scripts|services|time-zone|^[a-r]+)" "security services event-options" ]; security-role audit-administrator; } Example local and template accounts: user <account of last resort> { uid 2000; class <name>; authentication { encrypted-password "$6$HEQnJP/W$/QD...<snip>...5r./"; ## SECRET-DATA } } user <account name> { uid 2015; class <name-1>; } Note: Accounts without an authentication stanza are template accounts, must be externally authenticated, and cannot log in locally. If installation of software is not prohibited without explicit privileged status, this is a finding.

Fix: F-57325r843798_fix

Configure the network device to prohibit installation of software without explicit privileged status. set system login class <name> permissions <permission sets or 'all'> set system login class <name> deny-commands <appropriate commands to deny> set system login class <name> deny-configuration-regexps <appropriate configuration hierarchy to deny> set system login user <account name> class <name>

b

The Juniper EX switch must be configured to enforce access restrictions associated with changes to device configuration.

CM-5 - Medium - CCI-001813 - V-253923 - SV-253923r961461_rule

RMF Control

CM-5

Severity

M

CCI

CCI-001813

Version

JUEX-NM-000460

Vuln IDs

V-253923

Rule IDs

SV-253923r961461_rule

Failure to provide logical access restrictions associated with changes to device configuration may have significant effects on the overall security of the system. When dealing with access restrictions pertaining to change control, it should be noted that any changes to the hardware, software, and/or firmware components of the device can potentially have significant effects on the overall security of the device. Accordingly, only qualified and authorized individuals should be allowed to obtain access to device components for the purposes of initiating changes, including upgrades and modifications. Logical access restrictions include, for example, controls that restrict access to workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover).

Checks: C-57375r843800_chk

Determine if the network device enforces access restrictions associated with changes to device configuration. Juniper switches use role-based access controls (RBAC) to assign privilege levels. Account definitions in Junos are either "local" or "template", discriminated by the presence of an authentication stanza. Local accounts have an authentication stanza and support both external and local authentication. Template accounts do not have an authentication stanza and only support external authentication. Every account (local and template) must be assigned a login class by an authorized administrator. Configuration changes require permissions sets appropriate for each stanza. For example, the "system" bit permits one to view [edit system] and the "system-control" bit permits editing (add, delete, modify). Verify each account is assigned a login class with appropriate permissions based upon organizational requirements. Login classes support optional allow- and deny- directives as shown in the examples. Organizational requirements may require different allow- and deny- directives or no directives at all. [edit system login] class <name> { idle-timeout 10; permissions all; deny-commands "^clear (log|security log)|^(clear|show) security alarms alarm-type idp|^request (security|system set-encryption-key|system firmware upgrade re|system decrypt)|^rollback"; deny-configuration-regexps [ "security alarms potential-violation idp" "security (ike|ipsec) (policy|proposal)" "security ipsec ^vpn$ .* manual (authentication|encryption|protocol|spi)" "security log" "system fips self-test after-key-generation" "system (archival|syslog|root-authentication|authentication-order|master-password)" "system services ssh (protocol-version|root-login)" "system login password" "system login user [a-zA-Z0-9_-]+ (authentication|class)" "system login class [a-zA-Z0-9_-]+ (permissions|deny-|allow-)" ]; } class <name-1> { idle-timeout 10; permissions [ configure maintenance security system-control trace view-configuration ]; allow-commands "^clear (log|security log)|^show cli authorization"; deny-commands "^clear (security alarms|system login lockout)|^file (copy|delete|list|rename|show)|^request (security|system set-encryption-key|system firmware upgrade re)|^rollback|^set date|^show security (alarms|dynamic-policies|match-policies|policies)|^start shell|^request system (decrypt|halt|reboot|software|zeroize)"; deny-configuration-regexps [ "system (login|internet-options|scripts|services|time-zone|^[a-r]+)" "security services event-options" ]; security-role audit-administrator; } Example local and template accounts: user <account of last resort> { uid 2000; class <name>; authentication { encrypted-password "$6$HEQnJP/W$/QD...<snip>...5r./"; ## SECRET-DATA } } user <account name> { uid 2015; class <name-1>; } Note: Accounts without an authentication stanza are template accounts, must be externally authenticated, and cannot log in locally. If the network device does not enforce such access restrictions, this is a finding.

Fix: F-57326r843801_fix

Configure the network device to enforce access restrictions associated with changes to device configuration. set system login class <name> permissions <permission sets or 'all'> set system login class <name> deny-commands <appropriate commands to deny> set system login class <name> deny-configuration-regexps <appropriate configuration hierarchy to deny> set system login user <account name> class <name>

c

The Juniper EX switch must be configured to authenticate SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC).

IA-3 - High - CCI-001967 - V-253925 - SV-253925r961506_rule

RMF Control

IA-3

Severity

H

CCI

CCI-001967

Version

JUEX-NM-000480

Vuln IDs

V-253925

Rule IDs

SV-253925r961506_rule

Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk. A local connection is any connection with a device communicating without the use of a network. A network connection is any connection with a device that communicates through a network (e.g., local area or wide area network, internet). A remote connection is any connection with a device communicating through an external network (e.g., the internet). Because of the challenges of applying this requirement on a large scale, organizations are encouraged to only apply the requirement to those limited number (and type) of devices that truly need to support this capability.

Checks: C-57377r843806_chk

Review the network device configuration to verify SNMP messages are authenticated using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC). By default, SNMP is disabled. If used, verify SNMPv3 is configured (minimally) for authentication-sha. Although HMAC-MD5-96 is supported as required by RFC, Junos also supports HMAC-SHA, HMAC-SHA224/256/384/512. Configure the strongest HMAC supported by both the Juniper device and the Network Management System (NMS). [edit snmp v3] usm { local-engine { user <SNMPv3 user> { authentication-sha { authentication-key "$8$aes256-gcm$hmac-sha2-256$100$2CM/LosUGF4$A...<snip>...rflBKxq/w+jaAVF55Bsc6PA"; ## SECRET-DATA } } } } If the network device is not configured to authenticate SNMP messages using a FIPS-validated HMAC, this is a finding.

Fix: F-57328r843807_fix

Configure the network device to authenticate SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC). set snmp v3 usm local-engine user <SNMPv3 username> authentication-sha authentication-password "PSK"

a

The Juniper EX switch must use an an NTP service that is hosted by a trusted source or a DOD-compliant enterprise or local NTP server.

IA-3 - Low - CCI-001967 - V-253926 - SV-253926r961506_rule

RMF Control

IA-3

Severity

L

CCI

CCI-001967

Version

JUEX-NM-000490

Vuln IDs

V-253926

Rule IDs

SV-253926r961506_rule

If a trusted time source is not used, an attacker can introduce a rogue NTP server. This rogue server can then be used to send incorrect time information to network devices, which will make log timestamps inaccurate which may hide attacks or result in inaccurate forensic analysis. The recommended solution is that the application or endpoint is configured to point to an enterprise or site-owned time server that is DOD-compliant (instead of directly to an NTP source as implied by the current wording of the requirement). Most products are unable to meet the requirement, but DISA can mitigate the risk by using a trusted time source. So the requirement should state that NTPS is used with USNO NTP as an alternative mitigation for this to be marked as Not a Finding. More information can be found at: https://www.cnmoc.usff.navy.mil/Our-Commands/United-States-Naval-Observatory/Precise-Time-Department/Network-Time-Protocol-NTP/DoD-Customer-Servers/ DOD users should not use tick, tock, or ntp2. There are also instructions for obtaining authenticated NTP at the site listed above.

Checks: C-57378r904441_chk

Review the Juniper EX configuration to determine if it obtains time information from a trusted source. [edit system ntp] authentication-key 1 type sha256 value "PSK"; ## SECRET-DATA authentication-key 2 type sha1 value "PSK"; ## SECRET-DATA server <address 1> key 1 prefer; ## SECRET-DATA server <address 2> key 2; ## SECRET-DATA trusted-key [ 1 2 ]; If the network device does not support FIPS-validated algorithms, verify the network device configuration to determine NTP endpoints are authenticated before establishing the local, remote, or network connection using cryptographically based algorithms. [edit system ntp] authentication-key 3 type md5 value "PSK"; ## SECRET-DATA server <address 3> key 3; ## SECRET-DATA trusted-key [ 1 2 3 ]; If the Juniper EX switch is not configured to use an NTP service that is hosted by a trusted source or a DOD-compliant enterprise or local NTP server, this is a finding.

Fix: F-57329r904417_fix

Configure the network device to authenticate Network Time Protocol sources using FIPS-validated algorithms. set system ntp authentication-key 1 type sha256 set system ntp authentication-key 1 value "PSK" set system ntp authentication-key 2 type sha1 set system ntp authentication-key 2 value "PSK" set system ntp server <address 1> key 1 set system ntp server <address 1> prefer set system ntp server <address 2> key 2 set system ntp trusted-key 1 set system ntp trusted-key 2 If the network device does not support FIPS-validated algorithms, configure NTP authentication using cryptographically based algorithms. set system ntp authentication-key 3 type md5 set system ntp authentication-key 3 value "PSK" set system ntp server <address 3> key 3 set system ntp trusted-key 3

b

The Juniper EX switch must be configured to prohibit the use of cached authenticators after an organization-defined time period.

IA-5 - Medium - CCI-002007 - V-253927 - SV-253927r961521_rule

RMF Control

IA-5

Severity

M

CCI

CCI-002007

Version

JUEX-NM-000500

Vuln IDs

V-253927

Rule IDs

SV-253927r961521_rule

Some authentication implementations can be configured to use cached authenticators. If cached authentication information is out-of-date, the validity of the authentication information may be questionable. The organization-defined time period should be established for each device depending on the nature of the device; for example, a device with just a few administrators in a facility with spotty network connectivity may merit a longer caching time period than a device with many administrators.

Checks: C-57379r843812_chk

Review the network device configuration to determine if the network device or its associated authentication server prohibits the use of cached authenticators after an organization-defined time period. Verify idle-timeouts, SSH keepalive messages, and SSH rekey are configured to meet the requirements of the target network. [edit system] login { idle-timeout 10; } system { services { ssh { protocol-version v2; client-alive-count-max (0..255); client-alive-interval (0..65535 seconds); rekey { data-limit (51200..4294967295 bytes); time-limit (1..1440 minutes); } } } } For externally authenticated accounts, verify the external authentication server enforces appropriate authenticator timeouts. If cached authenticators are used after an organization-defined time period, this is a finding.

Fix: F-57330r843813_fix

Configure the network device or its associated authentication server to prohibit the use of cached authenticators after an organization-defined time period. set system login idle-timeout 10 set system services ssh protocol-version v2 set system services ssh client-alive-count-max (0..255) set system services ssh client-alive-interval (0..65535 seconds) set system services ssh rekey data-limit (51200..4294967295 bytes) set system services ssh rekey time-limit (1..1440 minutes)

c

The Juniper EX switches must be configured to use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of nonlocal maintenance and diagnostic communications.

MA-4 - High - CCI-002890 - V-253928 - SV-253928r961554_rule

RMF Control

MA-4

Severity

H

CCI

CCI-002890

Version

JUEX-NM-000510

Vuln IDs

V-253928

Rule IDs

SV-253928r961554_rule

Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DOD data may be compromised. Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the internet) or an internal network. Currently, HMAC is the only FIPS-approved algorithm for generating and verifying message/data authentication codes in accordance with FIPS 198-1. Products that are FIPS 140-2 validated will have an HMAC that meets specification; however, the option must be configured for use as the only message authentication code used for authentication to cryptographic modules. Separate requirements for configuring applications and protocols used by each application (e.g., SNMPv3, SSHv2, HTTPS, and other protocols and applications that require server/client authentication) are required to implement this requirement. Where SSH is used, the SSHv2 protocol suite is required because it includes Layer 7 protocols such as SCP and SFTP, which can be used for secure file transfers. Use only AES Counter (CTR) cipher block chaining modes in compliance with CVE-2008-5161, plugin 70658 based on vendor guidance in KB20853. This prevents certain plaintext attacks in OpenSSH.

Checks: C-57380r944349_chk

Verify the network device uses FIPS-validated HMAC to protect the integrity of nonlocal maintenance and diagnostic communications. If using SNMPv3, verify (minimally) that authentication-sha is configured. Juniper devices also support authentication-sha224/256/384/512. Verify the strongest mutually supported HMAC between the network device and the Network Management Server (NMS) is configured. [edit system snmp] v3 { usm { local-engine { user <SNMPv3 user> { authentication-sha { authentication-key "PSK"; ## SECRET-DATA } } } } } Verify SSHv2 is configured for protocol V2 only, ciphers [ aes256-ctr aes192-ctr aes128-ctr ], key-exchange [ ecdh-sha2-nistp521 ecdh-sha2-nistp384 ecdh-sha2-nistp256 ], and macs [ hmac-sha2-512 hmac-sha2-256]. [edit system services ssh] : protocol-version v2; ciphers [ aes256-ctr aes192-ctr aes128-ctr ]; macs [ hmac-sha2-512 hmac-sha2-256 ]; key-exchange [ ecdh-sha2-nistp521 ecdh-sha2-nistp384 ecdh-sha2-nistp256 ]; If the network device does not use FIPS-validated HMAC to protect the integrity of nonlocal maintenance and diagnostic communications, this is a finding.

Fix: F-57331r944350_fix

Configure the network device to use FIPS-validated HMAC to protect the integrity of nonlocal maintenance and diagnostic communications. set snmp v3 usm local-engine user <SNMPv3 user> authentication-sha authentication-password "PSK" set snmp v3 usm local-engine user <SNMPv3 user> privacy-aes128 privacy-password "PSK" Note: Use the strongest HMAC mutually supported with the NMS (e.g., authentication-sha256, authentication-sha512) set system services ssh protocol-version v2 set system services ssh ciphers aes256-ctr set system services ssh ciphers aes192-ctr set system services ssh ciphers aes128-ctr set system services ssh macs hmac-sha2-512 set system services ssh macs hmac-sha2-256 set system services ssh key-exchange ecdh-sha2-nistp521 set system services ssh key-exchange ecdh-sha2-nistp384 set system services ssh key-exchange ecdh-sha2-nistp256

c

The Juniper EX switch must be configured to implement cryptographic mechanisms using a FIPS 140-2 approved algorithm to protect the confidentiality of remote maintenance sessions.

MA-4 - High - CCI-003123 - V-253929 - SV-253929r961557_rule

RMF Control

MA-4

Severity

H

CCI

CCI-003123

Version

JUEX-NM-000520

Vuln IDs

V-253929

Rule IDs

SV-253929r961557_rule

This requires the use of secure protocols instead of their unsecured counterparts, such as SSH instead of telnet, SCP instead of FTP, and HTTPS instead of HTTP. If unsecured protocols (lacking cryptographic mechanisms) are used for sessions, the contents of those sessions will be susceptible to eavesdropping, potentially putting sensitive data (including administrator passwords) at risk of compromise and potentially allowing hijacking of maintenance sessions. Use only CTR cipher block chaining modes in compliance with CVE-2008-5161, plugin 70658 based on vendor guidance in KB20853. This prevents certain plaintext attacks in OpenSSH.

Checks: C-57381r944352_chk

Review the network device configuration to determine if cryptographic mechanisms are implemented using a FIPS 140-2 approved algorithm to protect the confidentiality of remote maintenance sessions. If using SNMPv3, verify (minimally) that authentication-sha is configured. Juniper devices also support authentication-sha224/256/384/512. Verify the strongest mutually supported HMAC between the network device and the Network Management Server (NMS) is configured. [edit system snmp] v3 { usm { local-engine { user <SNMPv3 user> { authentication-sha { authentication-key "PSK"; ## SECRET-DATA } } } } } Verify SSHv2 is configured for protocol V2 only, ciphers [ aes256-ctr aes192-ctr aes128-ctr ], key-exchange [ ecdh-sha2-nistp521 ecdh-sha2-nistp384 ecdh-sha2-nistp256 ], and macs [ hmac-sha2-512 hmac-sha2-256 ]. [edit system services ssh] : protocol-version v2; ciphers [ aes256-ctr aes192-ctr aes128-ctr ]; macs [ hmac-sha2-512 hmac-sha2-256 ]; key-exchange [ ecdh-sha2-nistp521 ecdh-sha2-nistp384 ecdh-sha2-nistp256 ]; If the network device is not configured to implement cryptographic mechanisms to protect the confidentiality of remote maintenance sessions using a FIPS 140-2 approved algorithm, this is a finding.

Fix: F-57332r944353_fix

Configure the network device to implement cryptographic mechanisms to protect the confidentiality of remote maintenance sessions using a FIPS 140-2 approved algorithm. set snmp v3 usm local-engine user <SNMPv3 user> authentication-sha authentication-password "PSK" set snmp v3 usm local-engine user <SNMPv3 user> privacy-aes128 privacy-password "PSK" Note: Use the strongest HMAC mutually supported with the NMS (e.g., authentication-sha256, authentication-sha512) set system services ssh protocol-version v2 set system services ssh ciphers aes256-ctr set system services ssh ciphers aes192-ctr set system services ssh ciphers aes128-ctr set system services ssh macs hmac-sha2-512 set system services ssh macs hmac-sha2-256 set system services ssh key-exchange ecdh-sha2-nistp521 set system services ssh key-exchange ecdh-sha2-nistp384 set system services ssh key-exchange ecdh-sha2-nistp256

b

The Juniper EX switch must be configured to protect against known types of denial-of-service (DoS) attacks by employing organization-defined security safeguards.

SC-5 - Medium - CCI-002385 - V-253930 - SV-253930r961620_rule

RMF Control

SC-5

Severity

M

CCI

CCI-002385

Version

JUEX-NM-000530

Vuln IDs

V-253930

Rule IDs

SV-253930r961620_rule

DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. This requirement addresses the configuration of network devices to mitigate the impact of DoS attacks that have occurred or are ongoing on device availability. For each network device, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exist to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or restricting the number of sessions the device opens at one time). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks. The security safeguards cannot be defined at the DoD-level because they vary according to the capabilities of the individual network devices and the security controls applied on the adjacent networks (for example, firewalls performing packet filtering to block DoS attacks).

Checks: C-57382r843821_chk

Determine if the network device protects against or limits the effects of all known types of DoS attacks by employing organization-defined security safeguards. Verify session and (if supported) rate limits for management connections. SSH example: [edit system services ssh] connection-limit <1..250>; rate-limit <1..250>; Note: The SSH connection- and rate-limit directives affect secure file transfer protocols like SCP and SFTP. NETCONF over SSH example: [edit system services netconf] ssh { connection-limit <1..250>; rate-limit <1..250>; } Note: Rate limiting is the permissible number of connections per one minute interval. Verify policers (rate limiters) are appropriately applied to limit traffic; for example, to limit SSH connection attempts: [edit firewall] family inet { filter <filter name> { term 1 { from { destination-address { <device OOBM or loopback address>; } source-prefix-list { <management address list name>; } protocol tcp; destination-port 22; tcp-initial; } then { policer policer-32k; syslog; accept; } } term 2 { from { destination-address { <device OOBM or loopback address>; } source-prefix-list { <management address list name>; } protocol tcp; destination-port 22; } then { syslog; accept; } } term default { then { syslog; discard; } } } } family inet6 { filter <filter name-1> { term 1 { from { destination-address { <device OOBM or loopback address>; } source-prefix-list { <management address list name-1>; } next-header tcp; destination-port 22; tcp-initial; } then { policer policer-32k; syslog; accept; } } term 2 { from { destination-address { <device OOBM or loopback address>; } source-prefix-list { <management address list name-1>; } next-header tcp; destination-port 22; } then { syslog; accept; } } term default { then { syslog; discard; } } } } Note: Additional terms will be required for other services like SNMP. policer policer-32k { if-exceeding { bandwidth-limit 32k; burst-size-limit 1500; } then discard; } [edit interfaces] <OOBM interface> { unit 0 { family inet { filter { input <filter name>; } address <IPv4 address>/<mask>; } family inet6 { filter { input <filter name-1>; } address <IPv6 address>/<prefix>; } } } Note: Although the example filter is shown applied to the management interface, the filter can be also be applied to the loopback interface. If applying to loopback, ensure the filter terms account for all traffic, services, and protocols that must reach the routing engine (e.g., OSPF, BGP, SNMP, etc.). If the network device does not protect against or limit the effects of all known types of DoS attacks by employing organization-defined security safeguards, this is a finding.

Fix: F-57333r843822_fix

Configure the network device to protect against or limit the effects of all known types of DoS attacks by employing organization-defined security safeguards. SSH example: set system services ssh connection-limit <1..250> set system services ssh rate-limit <1..250> NETCONF over SSH example: set system services netconf ssh connection-limit <1..250> set system services netconf ssh rate-limit <1..250> Example firewall filters: set firewall family inet filter <filter name> term 1 from destination-address <device OOBM or loopback address> set firewall family inet filter <filter name> term 1 from source-prefix-list <management address list name> set firewall family inet filter <filter name> term 1 from protocol tcp set firewall family inet filter <filter name> term 1 from destination-port 22 set firewall family inet filter <filter name> term 1 from tcp-initial set firewall family inet filter <filter name> term 1 then policer policer-32k set firewall family inet filter <filter name> term 1 then syslog set firewall family inet filter <filter name> term 1 then accept set firewall family inet filter <filter name> term 2 from destination-address <device OOBM or loopback address> set firewall family inet filter <filter name> term 2 from source-prefix-list <management address list name> set firewall family inet filter <filter name> term 2 from protocol tcp set firewall family inet filter <filter name> term 2 from destination-port 22 set firewall family inet filter <filter name> term 2 then syslog set firewall family inet filter <filter name> term 2 then accept set firewall family inet filter <filter name> term default then syslog set firewall family inet filter <filter name> term default then discard set firewall family inet6 filter <filter name-1> term 1 from destination-address <device OOBM or loopback address> set firewall family inet6 filter <filter name-1> term 1 from source-prefix-list <management address list name-1> set firewall family inet6 filter <filter name-1> term 1 from next-header tcp set firewall family inet6 filter <filter name-1> term 1 from destination-port 22 set firewall family inet6 filter <filter name-1> term 1 from tcp-initial set firewall family inet6 filter <filter name-1> term 1 then policer policer-32k set firewall family inet6 filter <filter name-1> term 1 then syslog set firewall family inet6 filter <filter name-1> term 1 then accept set firewall family inet6 filter <filter name-1> term 2 from destination-address <device OOBM or loopback address> set firewall family inet6 filter <filter name-1> term 2 from source-prefix-list <management address list name-1> set firewall family inet6 filter <filter name-1> term 2 from next-header tcp set firewall family inet6 filter <filter name-1> term 2 from destination-port 22 set firewall family inet6 filter <filter name-1> term 2 then syslog set firewall family inet6 filter <filter name-1> term 2 then accept set firewall family inet6 filter <filter name-1> term default then syslog set firewall family inet6 filter <filter name-1> term default then discard Example interface configuration: set interfaces <OOBM interface> unit 0 family inet filter input <filter name> set interfaces <OOBM interface> unit 0 family inet address <IPv4 address>/<mask> set interfaces <OOBM interface> unit 0 family inet6 filter input <filter name-1> set interfaces <OOBM interface> unit 0 family inet6 address <IPv6 address>/<prefix>

b

The Juniper EX switch must be configured to generate audit records when successful/unsuccessful logon attempts occur.

AU-12 - Medium - CCI-000172 - V-253933 - SV-253933r961824_rule

RMF Control

AU-12

Severity

M

CCI

Version

JUEX-NM-000560

Vuln IDs

V-253933

Rule IDs

SV-253933r961824_rule

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the network device (e.g., module or policy filter).

Checks: C-57385r843830_chk

Determine if the network device generates audit records when successful/unsuccessful logon attempts occur. Junos logs all logon attempts via the "authorization" syslog facility (or facility "any"). Verify logging level "any info" or "authorization info" is configured. [edit system syslog] file <file name> { authorization info; } host <external syslog address> { any info; } time-format year millisecond; Syslog outputs in standard format unless the "structured-data" directive is configured. Verify the "structured-data" command for all files and external syslog servers requiring that format. For example: [edit system syslog] host <syslog address> { authorization info; structured-data; } file <file name> { any info; structured-data; } If it does not generate audit records when successful/unsuccessful logon attempts occur, this is a finding.

Fix: F-57336r843831_fix

Configure the network device to generate audit records when successful/unsuccessful logon attempts occur. set system syslog file <file name> any info set system syslog file <file name> structured-data << (Optional) Only if structured data format is required set system syslog host <external syslog address> authorization info set system syslog host <external syslog address> structured-data << (Optional) Only if structured data format is required set system syslog time-format <(year|millisecond)>

b

The Juniper EX switch must be configured to generate audit records for privileged activities or other system-level access.

AU-12 - Medium - CCI-000172 - V-253934 - SV-253934r961827_rule

RMF Control

AU-12

Severity

M

CCI

Version

JUEX-NM-000570

Vuln IDs

V-253934

Rule IDs

SV-253934r961827_rule

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the network device (e.g., module or policy filter).

Checks: C-57386r843833_chk

Determine if the network device generates audit records for privileged activities or other system-level access. Junos logs all completed commands via the "interactive-commands" syslog facility and all configuration changes via "change-log". Successful and unsuccessful login attempts are logged using the "authorization" facility. Verify syslog is configured to capture these facilities using the logging level "info" or above. The lowest logging level, "any", is debug and will generate significant numbers of messages. The "any" logging facility (not to be confused with the severity level "any") includes authorization, change-log, and interactive-commands. Example configuration to generate audit records for privileged activities or other system-level access. [edit system syslog] file <file name> { authorization info; change-log info; interactive-commands info; } host <syslog address> { any info; explicit-priority; } time-format year millisecond; Note: The time-format command supports including the year and/or the time in milliseconds (both shown for clarity). The default format does not include the year and time is recorded in seconds. Syslog outputs in standard format unless the "structured-data" directive is configured. Verify the "structured-data" command for all files and external syslog servers requiring that format. For example: [edit system syslog] host <syslog address> { authorization info; change-log info; interactive-commands info; structured-data; } file <file name> { any info; structured-data; } If the network device does not generate audit records for privileged activities or other system-level access, this is a finding.

Fix: F-57337r843834_fix

Configure the network device to generate audit records for privileged activities or other system-level access. set system syslog host <syslog address> any info set system syslog host <syslog address> explicit-priority set system syslog file <file name> any info set system syslog time-format year

b

The Juniper EX switch must be configured to generate audit records showing starting and ending time for administrator access to the system.

AU-12 - Medium - CCI-000172 - V-253935 - SV-253935r961830_rule

RMF Control

AU-12

Severity

M

CCI

Version

JUEX-NM-000580

Vuln IDs

V-253935

Rule IDs

SV-253935r961830_rule

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the network device (e.g., module or policy filter).

Checks: C-57387r843836_chk

Determine if the network device generates audit records showing starting and ending time for administrator access to the system. Junos logs all logon attempts via the "authorization" syslog facility. Verify logging level "any info" or "authorization info" is configured. Time stamps are created for every log entry, both successful and failed logon attempts, and logout. [edit system syslog] file <file name> { any info; } host <external syslog address> { any info; } time-format year millisecond; Syslog outputs in standard format unless the "structured-data" directive is configured. Verify the "structured-data" command for all files and external syslog servers requiring that format. For example: [edit system syslog] host <syslog address> { change-log info; interactive-commands info; structured-data; } file <file name> { any info; structured-data; } If the network device does not generate audit records showing starting and ending time for administrator access to the system, this is a finding.

Fix: F-57338r843837_fix

Configure the network device to generate audit records showing starting and ending time for administrator access to the system. set system syslog file <file name> any info set system syslog host <external syslog address> any info set system syslog time-format year

b

The Juniper EX switch must be configured to generate audit records when concurrent logons from different workstations occur.

AU-12 - Medium - CCI-000172 - V-253936 - SV-253936r961833_rule

RMF Control

AU-12

Severity

M

CCI

Version

JUEX-NM-000590

Vuln IDs

V-253936

Rule IDs

SV-253936r961833_rule

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the network device (e.g., module or policy filter).

Checks: C-57388r843839_chk

Determine if the network device generates audit records when concurrent logons from different workstations occur. Junos logs all logon attempts via the "authorization" syslog facility. Verify logging level "any info" or "authorization info" is configured. Time stamps are created for every log entry, both successful and failed logon attempts, and logout. [edit system syslog] file <file name> { any info; } host <external syslog address> { any info; } time-format year millisecond; Syslog outputs in standard format unless the "structured-data" directive is configured. Verify the "structured-data" command for all files and external syslog servers requiring that format. For example: [edit system syslog] host <syslog address> { change-log info; interactive-commands info; structured-data; } file <file name> { any info; structured-data; } If the network device does not generate audit records when concurrent logons from different workstations occur, this is a finding.

Fix: F-57339r843840_fix

Configure the network device to generate audit records when concurrent logons from different workstations occur. set system syslog file <file name> any info set system syslog host <external syslog address> any info set system syslog time-format year

b

The Juniper EX switch must be configured to offload audit records onto a different system or media than the system being audited.

AU-4 - Medium - CCI-001851 - V-253937 - SV-253937r961860_rule

RMF Control

AU-4

Severity

M

CCI

CCI-001851

Version

JUEX-NM-000600

Vuln IDs

V-253937

Rule IDs

SV-253937r961860_rule

Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Offloading is a common process in information systems with limited audit storage capacity. Archiving is not required unless space is limited in the audit server.

Checks: C-57389r944355_chk

Mark as not a finding if the site has a solution in place to prevent the device from running out of audit storage. Verify the device is configured to send system events to external syslog. If the organization has a centralized repository (or repositories) for secure transfer of audit log files, verify each log file is configured to transfer files to the appropriate repository. Each log file must be configured separately. [edit system syslog] file <file name> { any info; archive size <65536..1073741824 bytes> files <1..1000> transfer-interval <5..2880 minutes> start-time "<yyyy-mm-dd.hh:mm>" archive-sites { "URL" password "hashed PSK" } ## SECRET-DATA } Note: The URL format is: <scp|sftp>://<username>@<address>/<path>. The trailing slash is omitted because Junos automatically adds that when it appends the filename. host <external syslog address> { any info; } Note: If using secure file transfer to offload log files, the Juniper device will immediately attempt to connect with the configured protocol, address, and credentials. If successful, Junos will prompt to accept an untrusted public key. If the administrator accepts that key, Junos adds it to [edit security ssh-known-hosts]. Alternately, configure the trusted public key at [edit security ssh-known-hosts] before configuring automatic file offload. If the device does not offload audit records onto a different system or media, this is a finding.

Fix: F-57340r944356_fix

Archiving is not required unless space is limited in the audit server. Configure the network device to offload audit records onto a different system or media than the system being audited. set file <file name> any info set system syslog file <file name> any info set system syslog file <file name> archive size <65536..1073741824 bytes> set system syslog file <file name> archive files <1..1000> set system syslog file <file name> archive transfer-interval <5..2880 minutes> set system syslog file <file name> archive start-time "<yyyy-mm-dd.hh:mm>" set system syslog file <file name> archive archive-sites "<scp|sftp>://<username>@<repository address>/<path without trailing slash (/)>" password "<PSK>" set system syslog host <external syslog address> any info

b

The Juniper EX switch must be configured to generate log records for a locally developed list of auditable events.

AU-12 - Medium - CCI-000169 - V-253939 - SV-253939r961863_rule

RMF Control

AU-12

Severity

M

CCI

CCI-000169

Version

JUEX-NM-000620

Vuln IDs

V-253939

Rule IDs

SV-253939r961863_rule

Auditing and logging are key components of any security architecture. Logging the actions of specific events provides a means to investigate an attack; to recognize resource utilization or capacity thresholds; or to identify an improperly configured network device. If auditing is not comprehensive, it will not be useful for intrusion monitoring, security investigations, and forensic analysis.

Checks: C-57391r843848_chk

Determine if the network device generates audit log events for a locally developed list of auditable events. Verify audit logging is enabled. [edit system syslog] file <file name> { any info; } host <external syslog address> { any info; } time-format year; Note: Without the "structured-data" directive (as shown), syslog outputs in standard format. Add the "structured-data" command to all files and external syslog servers requiring that format. For example: [edit system syslog] file <file name> { any info; structured-data; } If the logging facility and level is too broad, Junos supports REGEX or string match conditions to filter events. If used, verify the match conditions capture the required events. [edit system syslog] file <file name> { any info; match <REGEX>; -or- match-strings [ "string 1" "string 2" ]; } Note: When using match conditions, it may be necessary to use the "any" (debug) severity level, but this should not generate overwhelming numbers of messages because the filter will ignore all unmatched events. If the network device is not configured to generate audit log events for a locally developed list of auditable events, this is a finding.

Fix: F-57342r843849_fix

Configure the network device to generate audit log events for a locally developed list of auditable events. set system syslog file <file name> messages any info set system syslog file <file name> structured-data << (Optional) Only if structured data format is required set system syslog host <external syslog address> any info set system syslog host <external syslog address> structured-data << (Optional) Only if structured data format is required set system syslog time-format year If using REGEX or string match conditions: set system syslog file <name> any <info|any> set system syslog file <name> match <REGEX> -or- set system syslog file <name> match-strings [ "string 1" "string 2" ]

b

The Juniper EX switch must be configured to enforce access restrictions associated with changes to the system components.

CM-5 - Medium - CCI-000345 - V-253940 - SV-253940r961863_rule

RMF Control

CM-5

Severity

M

CCI

CCI-000345

Version

JUEX-NM-000630

Vuln IDs

V-253940

Rule IDs

SV-253940r961863_rule

Changes to the hardware or software components of the network device can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals should be allowed administrative access to the network device for implementing any changes or upgrades. This requirement applies to updates of the application files, configuration, firewall filters, and policy filters.

Checks: C-57392r843851_chk

Check the network device to determine if only authorized administrators have permissions for changes, deletions and updates on the network device. Inspect the maintenance log to verify changes are being made only by the system administrators. Juniper switches use role-based access controls (RBAC) to assign privilege levels. Account definitions in Junos are either "local" or "template", discriminated by the presence of an authentication stanza. Local accounts have an authentication stanza and support both external and local authentication. Template accounts do not have an authentication stanza and only support external authentication. Every account (local and template) must be assigned a login class by an authorized administrator. Verify each account is assigned a login class with appropriate permissions based upon organizational requirements. Login classes support optional allow- and deny- directives as shown in the examples. Organizational requirements may require different allow- and deny- directives or no directives at all. [edit system login] class <name> { idle-timeout 10; permissions all; deny-commands "^clear (log|security log)|^(clear|show) security alarms alarm-type idp|^request (security|system set-encryption-key|system firmware upgrade re|system decrypt)|^rollback"; deny-configuration-regexps [ "security alarms potential-violation idp" "security (ike|ipsec) (policy|proposal)" "security ipsec ^vpn$ .* manual (authentication|encryption|protocol|spi)" "security log" "system fips self-test after-key-generation" "system (archival|syslog|root-authentication|authentication-order|master-password)" "system services ssh (protocol-version|root-login)" "system login password" "system login user [a-zA-Z0-9_-]+ (authentication|class)" "system login class [a-zA-Z0-9_-]+ (permissions|deny-|allow-)" ]; } class <name-1> { idle-timeout 10; permissions [ configure maintenance security system-control trace view-configuration ]; allow-commands "^clear (log|security log)|^show cli authorization"; deny-commands "^clear (security alarms|system login lockout)|^file (copy|delete|list|rename|show)|^request (security|system set-encryption-key|system firmware upgrade re)|^rollback|^set date|^show security (alarms|dynamic-policies|match-policies|policies)|^start shell|^request system (decrypt|halt|reboot|software|zeroize)"; deny-configuration-regexps [ "system (login|internet-options|scripts|services|time-zone|^[a-r]+)" "security services event-options" ]; security-role audit-administrator; } Example local and template accounts: user <account of last resort> { uid 2000; class <name>; authentication { encrypted-password "$6$HEQnJP/W$/QD...<snip>...5r./"; ## SECRET-DATA } } user <account name> { uid 2015; class <name-1>; } Note: Accounts without an authentication stanza are template accounts, must be externally authenticated, and cannot log in locally. If unauthorized users are allowed to change the hardware or software, this is a finding.

Fix: F-57343r843852_fix

Configure the network device to enforce access restrictions associated with changes to the system components. set system login class <name> permissions <permission sets or 'all'> set system login class <name> deny-commands <appropriate commands to deny> set system login class <name> deny-configuration-regexps <appropriate configuration hierarchy to deny> set system login user <account name> class <name>

c

The Juniper EX switch must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access.

CM-6 - High - CCI-000366 - V-253941 - SV-253941r1001014_rule

RMF Control

CM-6

Severity

H

CCI

Version

JUEX-NM-000640

Vuln IDs

V-253941

Rule IDs

SV-253941r1001014_rule

Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is particularly important protection against the insider threat. With robust centralized management, audit records for administrator account access to the organization's network devices can be more readily analyzed for trends and anomalies. The alternative method of defining administrator accounts on each device exposes the device configuration to remote access authentication attacks and system administrators with multiple authenticators for each network device.

Checks: C-57393r843854_chk

Review the network device configuration to verify the device is configured to use an authentication server as the primary source for authentication. Verify the RADIUS and/or TACACS+ server addresses. [edit system] radius-server { <RADIUS-1 address> secret "hashed PSK"; ## SECRET-DATA <RADIUS-2 address> secret "hashed PSK"; ## SECRET-DATA } tacplus-server { <TACPLUS-1 address> secret "hashed PSK"; ## SECRET-DATA <TACPLUS-2 address> secret "hashed PSK"; ## SECRET-DATA } Verify the authentication order places the external authentication server first. [edit system] authentication-order [ radius tacplus password ]; Note: Only the global authentication order is required; all administrative access methods will honor the global setting unless configured separately. If the network device is not configured to use an authentication server to authenticate users prior to granting administrative access, this is a finding.

Fix: F-57344r843855_fix

Configure the network device to use an authentication server. set system radius-server <RADIUS-1 address> secret "<PSK>" set system tacplus-server <TACPLUS-1 address> secret "<PSK>" Configure the authentication order to use the authentication server as primary source for authentication. set system authentication-order radius set system authentication-order tacplus set system authentication-order password

b

The Juniper EX switch must be configured to conduct backups of system level information contained in the information system when changes occur.

CM-6 - Medium - CCI-000366 - V-253942 - SV-253942r961863_rule

RMF Control

CM-6

Severity

M

CCI

Version

JUEX-NM-000650

Vuln IDs

V-253942

Rule IDs

SV-253942r961863_rule

System-level information includes default and customized settings and security attributes, including firewall filters that relate to the network device configuration, as well as software required for the execution and operation of the device. Information system backup is a critical step in ensuring system integrity and availability. If the system fails and there is no backup of the system-level information, a denial-of-service condition is possible for all who utilize this critical network component. This control requires the network device to support the organizational central backup process for system-level information associated with the network device. This function may be provided by the network device itself; however, the preferred best practice is a centralized backup rather than each network device performing discrete backups.

Checks: C-57394r944358_chk

Review the network device configuration to determine if the device is configured to conduct backups of system-level information contained in the information system when changes occur. Verify the preferred centralized backup system is configured to retrieve the configuration file. There is no provision for backing up system binaries because Juniper provides the signed installation packages rather than individual files. Therefore, verify the centralized backup solution has the appropriate installation packages for the deployed platforms. When the configuration file is pulled from the centralized server, an example retrieval method is authenticated connections over NETCONF or manual retrieval using SSH. Junos supports authenticating external services via RADIUS or TACACS+, or via a local account. [edit system services netconf] ssh; rfc-compliant; Note: The rfc command is recommended for compatibility in large enterprises, but can be omitted if there are overriding operational considerations. If the network device will be saving system files to a centralized repository, verify the configuration file is automatically saved at each commit. [edit system archival] configuration { transfer-on-commit; archive-sites { "sftp://user@host/configuration_files" password "$9$w52...<snip>...mfzn/"; ## SECRET-DATA } } Note: The URL uses <scp|sftp>://<username>@<repository address>/<path without trailing slash (/)> format because Junos appends the slash with the system-generated filename. Junos supports file transfer either on commit, or at configured intervals. If the network device is not configured to conduct backups of system-level data when changes occur, this is a finding.

Fix: F-57345r944359_fix

Configure the network device to conduct backups of system-level information contained in the information system when changes occur. For NETCONF connections: set system services netconf ssh set system services netconf rfc-compliant Note: The rfc command is recommended for compatibility in large enterprise but can be omitted if there are overriding operational considerations. For device automated configuration offload: set system archival configuration transfer-on-commit set system archival configuration archive-sites "<scp|sftp>://<username>@<address>/<path without trailing slash (/)>" password "<PSK>"

b

The Juniper EX switch must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider.

CM-6 - Medium - CCI-000366 - V-253943 - SV-253943r961863_rule

RMF Control

CM-6

Severity

M

CCI

Version

JUEX-NM-000660

Vuln IDs

V-253943

Rule IDs

SV-253943r961863_rule

For user certificates, each organization obtains certificates from an approved, shared service provider, as required by OMB policy. For federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Authority at medium assurance or higher, this Certification Authority will suffice.

Checks: C-57395r843860_chk

Determine if the network device obtains public key certificates from an appropriate certificate policy through an approved service provider. Verify the certificate is signed by an approved CA via the "show security pki local-certificate" or "show security pki local-certificate detail" commands. If the network device does not obtain its public key certificates from an appropriate certificate policy through an approved service provider, this is a finding.

Fix: F-57346r843861_fix

Configure the network device to obtain its public key certificates from an appropriate certificate policy through an approved service provider. To view installed certificates: show security pki (ca-certificate | local-certificate) Generate a public/private keypair: request security pki generate-key-pair type <ecdsa|rsa> size <bit size> certificate-id <name> Note: ECDSA certificates support 256, 384, or 512 key sizes and RSA supports 1024, 2048, or 4096. Generate a certificate signing request: request security pki generate-certificate-request certificate-id <key name> digest <sha-1|sha-256|sha-384> domain-name <FQDN> ip-address <IPv4 address> ipv6-address <IPv6 address> subject <LDAP format> Note: The subject is LDAP formatted. For example, "CN=switch-01,DC=example,DC=com,O=Company,OU=HR,L=Some City,ST=Some State,C=US". Not all key => value pairs are required but those used must match organizational policy. After securely transferring the CSR to the certificate authority for signing, and securely transferring the certificate to the device, add the certificate: request security pki local-certificate load filename <path/filename of certificate> certificate-id <key name> The certificate can also be generated externally, with separate public and private key files, or a PKCS#12 package containing both certificate and private key. When importing externally generated certificate and private key, use the "key" directive to identify the path and filename of the private key. If the private key, or the PKCS#12 package, uses a passphrase, use the "passphrase" directive and provide the correct value.

c

The Juniper EX switch must be configured to send log data to at least two central log servers for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO).

SI-2 - High - CCI-002605 - V-253944 - SV-253944r1028872_rule

RMF Control

SI-2

Severity

H

CCI

CCI-002605

Version

JUEX-NM-000670

Vuln IDs

V-253944

Rule IDs

SV-253944r1028872_rule

The aggregation of log data kept on a syslog server can be used to detect attacks and trigger an alert to the appropriate security personnel. Information stored in one location is vulnerable to accidental or incidental deletion or alteration.

Checks: C-57396r1028871_chk

1. Verify that the network device is configured to send log data to a redundant central log servers. 2. Verify the external syslog server is configured. The lowest severity level, "any", is debug and will generate a significant number of messages. [edit system syslog] host <external syslog address> { any info; structured-format; << Only if structured formatting is required, otherwise events are recorded in standard format. } time-format year; If the network device is not configured to send log data to redundant log servers, this is a finding.

Fix: F-57347r1018703_fix

Add the following stanzas to the configuration. set system syslog host <external syslog host1 IPv4 or IPv6 address> any info set system syslog host <external syslog host2 IPv4 or IPv6 address> any info Note: The time-format command supports including the year and/or the time in milliseconds. The default format does not include the year and time is recorded in seconds.

c

The Juniper EX switch must be configured with an operating system release that is currently supported by the vendor.

CM-6 - High - CCI-000366 - V-253945 - SV-253945r961863_rule

RMF Control

CM-6

Severity

H

CCI