Juniper Networks: Default configuration hardening.

Remove insecure system services
The factory-default configuration enables telnet and the HTTP web-management interface. Both carry credentials and sessions in cleartext, so delete them and manage the device over SSH (and HTTPS, if a web UI is really needed) instead.

root> configure
Entering configuration mode

[edit]
root# delete system services telnet
[edit]
root# delete system services web-management http

[edit]
root# commit and-quit
commit complete
Exiting configuration mode

root>

Create users
Create a named administrator account in the super-user class so that root is not used for day-to-day work, plus an operator account and a read-only account. operator, read-only and super-user are predefined login classes; a class name that is not predefined must be created under [edit system login class] first or the commit fails.

root> configure
Entering configuration mode
[edit]
root# edit system login

[edit system login]
root# set user operator class operator authentication plain-text-password
New password:
Retype new password:

[edit system login]
root# set user admin-ro class read-only authentication plain-text-password
New password:
Retype new password:

[edit system login]
root# set user cyrus class super-user authentication plain-text-password
New password:
Retype new password:

[edit system login]
root# commit and-quit
commit complete
Exiting configuration mode

root>

Set up NTPd for time synchronization
Accurate time is what makes syslog and event messages correlatable across devices. By default the time zone is UTC; set the local zone if you want timestamps shown in local time (leaving UTC is also fine and avoids daylight-saving ambiguity). NTP version 4 (RFC 5905) is used.

cyrus> configure
Entering configuration mode

[edit]
cyrus# set system time-zone Asia/Singapore

[edit]
cyrus# set system ntp server pool.ntp.org version 4

Or, if DNS is not available (resolving pool.ntp.org at commit time needs system name-server configured), point at IP addresses directly and mark one of them prefer. The addresses below are examples; use servers you control or trust:

[edit]
cyrus# set system ntp server 203.211.149.87 version 4 prefer

[edit]
cyrus# set system ntp server 54.251.61.122 version 4

[edit]
cyrus# set system ntp server 203.123.48.218 version 4
[edit]
cyrus# set system ntp server 210.23.18.88 version 4
[edit]
cyrus# commit and-quit
commit complete
Exiting configuration mode

cyrus>

After the commit, check with show ntp associations (the peer marked with an asterisk is the one the clock is synchronised to). Initial synchronisation can take a few minutes.

Disable root user from using ssh
root is the superuser of the SRX210H; an attacker who obtains root owns the whole chassis. Denying SSH logins as root removes the most obvious target for online password guessing and forces administrators through named accounts, which also gives you an audit trail. Restricting SSH to protocol version 2 and capping concurrent connections narrows the exposure further.

cyrus> configure
Entering configuration mode

[edit]
cyrus# edit system services ssh

[edit system services ssh]
cyrus# set root-login deny

[edit system services ssh]
cyrus# set protocol-version v2 connection-limit 3

[edit system services ssh]
cyrus# commit and-quit
commit complete
Exiting configuration mode

cyrus>

Disable ICMP redirect (type 5)
An ICMP redirect is a router telling a host to use a different next hop for a destination. Sending them from the SRX leaks information about the local topology, and hosts that honour redirects can have their traffic steered by a forged one. no-redirects stops the SRX from generating ICMP redirect messages on all of its interfaces (the same knob also exists per interface under family inet).

cyrus> configure
Entering configuration mode
[edit]
cyrus# set system no-redirects

[edit]
cyrus# commit and-quit
commit complete
Exiting configuration mode

cyrus>

System login
Set a login banner that tells unauthorised users to disconnect. A banner stops nobody on its own, but it removes the "I did not know" defence and is commonly required by policy before any legal action can follow.


cyrus> configure
Entering configuration mode
[edit]
cyrus# set system login message "\n\tUNAUTHORIZED USE OF THIS SYSTEM\n\tIS STRICTLY PROHIBITED"

Set the retry options to slow down online password guessing: a delay is added after backoff-threshold failed attempts and grows by backoff-factor seconds on each further failure, and the connection is dropped after tries-before-disconnect failures.

[edit]
cyrus# set system login retry-options backoff-threshold 3 backoff-factor 6

[edit]
cyrus# set system login retry-options minimum-time 30

[edit]
cyrus# set system login retry-options tries-before-disconnect 3

Use SHA rather than md5 (or des) for password hashing and set a minimum password length. On older releases the choices are des, md5 and sha1; newer Junos releases also accept sha256 and sha512, which are preferable where available. Eight characters is a floor, not a target, so combine it with the retry options above rather than relying on length alone.

[edit]
cyrus# set system login password format sha1
[edit]
cyrus# set system login password minimum-length 8
[edit]
cyrus#

Ignore unusual TCP flags
These internet-options govern TCP segments addressed to the SRX itself (the Routing Engine), not traffic forwarded between zones, which is handled by security policies and screens. tcp-drop-synfin-set drops segments that have both SYN and FIN set, a combination no legitimate client sends and a classic scanner and IDS-evasion probe. no-tcp-reset drop-all-tcp stops the device from answering with a RST when a segment hits a closed port.

Port scanners such as nmap rely on that RST: a RST means "closed", no answer means "filtered", so suppressing the RST leaves the scanner unable to tell closed ports from filtered ones. The caveat is that legitimate clients hitting a closed port on the device now hang until their own timeout instead of failing fast, which can make troubleshooting harder.

[edit]
cyrus# set system internet-options tcp-drop-synfin-set
[edit]
cyrus# set system internet-options no-tcp-reset drop-all-tcp
[edit]
cyrus# commit and-quit
commit complete
Exiting configuration mode

cyrus>

Disable unused port and disable link discovery protocol
Shut down any port that is not in use. LLDP is a layer 2 discovery protocol that advertises the device's identity, software and port details to its neighbours; anyone with a cable into the segment can build a clearer picture of the network from it, so disable it unless something depends on it.

[edit]
cyrus# set interfaces fe-0/0/7 disable

[edit]
cyrus# set protocols lldp interface all disable

[edit]
cyrus# commit
commit complete

[edit]
cyrus#
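The steps above are easy to apply once and hard to keep verified. The following is an added example, not code from the original post or from Juniper: a small offline audit that reads a Junos configuration in the form printed by show configuration | display set and reports which items of this post's baseline are missing. The two sample configurations are constructed for the example (placeholder password hashes, a factory-default-style SRX branch device), not captures from a real device.

```python
"""Offline audit of a Junos configuration, as printed by
`show configuration | display set`, against the hardening baseline in this post.
Added example, not code from the original post or from Juniper. Both sample
configurations are constructed for the example (placeholder hashes); they are
not captures from a real device."""
import re

# Constructed "before" state: factory-default-style config with only the SSH
# and named-account steps applied.
WEAK_CONFIG = r"""
set system login user cyrus class super-user authentication encrypted-password "$1$PLACEHOLDER"
set system login password minimum-length 6
set system services ssh root-login deny
set system services ssh protocol-version v2
set system services telnet
set system services web-management http
set system ntp server 203.211.149.87 version 4 prefer
set system time-zone Asia/Singapore
set protocols lldp interface all
set interfaces fe-0/0/7 unit 0 family ethernet-switching
"""

# Constructed "after" state: the same device once every step in the post is committed.
HARDENED_CONFIG = r"""
set system login user cyrus class super-user authentication encrypted-password "$1$PLACEHOLDER"
set system login message "\n\tUNAUTHORIZED USE OF THIS SYSTEM\n\tIS STRICTLY PROHIBITED"
set system login retry-options backoff-threshold 3
set system login retry-options backoff-factor 6
set system login retry-options minimum-time 30
set system login retry-options tries-before-disconnect 3
set system login password format sha1
set system login password minimum-length 8
set system services ssh root-login deny
set system services ssh protocol-version v2
set system services ssh connection-limit 3
set system no-redirects
set system internet-options tcp-drop-synfin-set
set system internet-options no-tcp-reset drop-all-tcp
set system ntp server 203.211.149.87 version 4 prefer
set system time-zone Asia/Singapore
set protocols lldp interface all disable
set interfaces fe-0/0/7 disable
"""

MIN_PASSWORD_LENGTH = 8

# (finding, kind, regex): "require" means some line must match, "forbid" means none may.
RULES = [
    ("telnet service enabled", "forbid", r"^set system services telnet\b"),
    ("cleartext HTTP web-management enabled", "forbid", r"^set system services web-management http\b"),
    ("ssh root login not denied", "require", r"^set system services ssh root-login deny$"),
    ("ssh not restricted to protocol v2", "require", r"^set system services ssh protocol-version v2$"),
    ("ssh protocol v1 permitted", "forbid", r"^set system services ssh protocol-version v1$"),
    ("ICMP redirects not suppressed", "require", r"^set system no-redirects$"),
    ("no login banner", "require", r"^set system login message "),
    ("no login retry-options", "require", r"^set system login retry-options tries-before-disconnect \d+$"),
    ("password hashing not SHA", "require", r"^set system login password format sha(1|256|512)$"),
    ("no NTP server", "require", r"^set system ntp server "),
    ("time zone not set", "require", r"^set system time-zone "),
    ("SYN+FIN segments to the device not dropped", "require", r"^set system internet-options tcp-drop-synfin-set$"),
    ("TCP RST still sent for closed ports", "require", r"^set system internet-options no-tcp-reset "),
]


def parse_set_lines(config_text):
    """Return the `set ...` lines with whitespace normalised; blank lines,
    comments and CLI prompts are ignored."""
    lines = [" ".join(raw.split()) for raw in config_text.splitlines()]
    return [line for line in lines if line.startswith("set ")]


def audit(config_text):
    """Return the list of baseline findings; an empty list means compliant."""
    lines = parse_set_lines(config_text)
    findings = []
    for finding, kind, pattern in RULES:
        matched = any(re.search(pattern, line) for line in lines)
        if (kind == "require") != matched:  # required-but-missing or forbidden-but-present
            findings.append(finding)
    # minimum-length is a threshold: absent or below the floor both count.
    lengths = [int(m.group(1)) for line in lines
               if (m := re.match(r"^set system login password minimum-length (\d+)$", line))]
    if not lengths or min(lengths) < MIN_PASSWORD_LENGTH:
        findings.append(f"password minimum-length below {MIN_PASSWORD_LENGTH}")
    # LLDP: an `interface X` stanza is active unless it carries the `disable`
    # flag or LLDP is disabled globally.
    lldp_off = {}
    for line in lines:
        m = re.match(r"^set protocols lldp interface (\S+)(.*)$", line)
        if m:
            lldp_off[m.group(1)] = lldp_off.get(m.group(1), False) or "disable" in m.group(2).split()
    if "set protocols lldp disable" not in lines:
        findings.extend(f"LLDP active on interface {n}" for n, off in lldp_off.items() if not off)
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", WEAK_CONFIG), ("after", HARDENED_CONFIG)):
        print(f"{label}: {audit(cfg) or ['no findings']}")
```

Feed it the output of show configuration | display set saved from the device (or pulled over SSH by whatever tooling you already use) and run it from a cron job or a change pipeline; an empty result means the baseline still holds, and each finding names the section of this post to revisit. The unused-port step is deliberately not checked, since a configuration alone cannot tell which ports are meant to be idle.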

2 thoughts on "Juniper Networks: Default configuration hardening."

  1. Great stuff! I had some instances with one of my international firewalls and this shut the door on them!! Thanks again.
