The network device must require authentication for console access.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-4582 | NET1623 | SV-28747r3_rule | IAIA-1 IAIA-2 | High |
| Description |
|---|
| Network devices with no password for administrative access via the console provide the opportunity for anyone with physical access to the device to make configuration changes enabling them to disrupt network operations resulting in a network outage. |
| STIG | Date |
|---|---|
| Infrastructure Router - Juniper Security Technical Implementation Guide | 2017-09-28 |
Details
| Check Text ( C-29084r3_chk ) |
|---|
| Review the network device's configuration and verify authentication is required for console access. With the exception of root, all user access privileges to a Juniper router are defined in a class. All users who log in to the router must be in a login class. Hence, user access to the router is via login class as shown in the following example: [edit system] authentication-order [ radius password ]; radius-server { 192.168.6.5 { secret "xxxxxxx"; } } login { /* login classes */ class tier1 { idle-timeout 10; permissions all; } class tier2 { idle-timeout 10; permissions [ configure interface network routing snmp system trace view firewall ]; } /* local emgergency account */ user admin { full-name Administrator; uid 2000; class tier1; authentication { encrypted-password "xxxx"; # SECRET-DATA } } /* RADIUS templates */ user tier1 { uid 2001; class tier1; } user tier2 { uid 2002; class tier2; } } Note: Since the root account does not belong to a class and you can access root via console, disable the ability to login at the console using the root account by making the console insecure as follows: [edit system] console { insecure; } |
| Fix Text (F-4515r4_fix) |
|---|
| Configure authentication for console access on the network device. |