JUNOS Default Settings
Immediately after installation and configuration of a root account password, the JUNOS software presents a hardened target by virtue of its default software settings. The following are some common router security weaknesses that the JUNOS software addresses in the default software settings:
- The JUNOS software does not forward directed broadcast messages. Directed broadcast services send ping requests from a spoofed source address to a broadcast address and can be used to attack other Internet users. For example, if broadcast ping messages were allowed on the 200.0.0.0/24 network, a single ping request could result in up to 254 responses, all aimed at the supposed source of the ping. The result would be that the source actually becomes the victim of a denial-of-service (DoS) attack.
- Only console access to the router is enabled by default. Remote management access to the router and all management access protocols, including telnet, FTP, and SSH (Secure Shell), are disabled by default.
- The JUNOS software does not support the SNMP set capability for editing configuration data. While the software does support the SNMP set capability for monitoring and troubleshooting the network, this support exposes no known security issues. (You can configure the software to disable this SNMP set capability.)
- The JUNOS software ignores martian addresses that contain the following prefixes: 0.0.0.0/8, 127.0.0.0/8, 128.0.0.0/16, 191.255.0.0/16, 192.0.0.0/24, 223.255.55.0/24, and 240.0.0.0/4. Martian addresses are reserved host or network addresses about which all routing information should be ignored.
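The following Python example is added here and is not Juniper code. It checks route prefixes against the martian list above, which is useful when auditing routes received from a peer. It assumes that a route counts as martian when it is equal to or more specific than a listed prefix; the function names and sample routes are constructed for illustration.

```python
import ipaddress

# Martian prefixes exactly as listed on this page.
PAGE_MARTIANS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "127.0.0.0/8", "128.0.0.0/16", "191.255.0.0/16",
    "192.0.0.0/24", "223.255.55.0/24", "240.0.0.0/4",
)]

def classify(prefix):
    """Return (verdict, related_martians) for one IPv4 route prefix.

    Assumption (not stated on the page): a route counts as martian when it is
    equal to or more specific than a listed prefix.
    """
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError:
        return ("invalid", [])          # malformed, or host bits set
    if net.version != 4:
        return ("not-ipv4", [])         # the page lists IPv4 prefixes only
    covering = [m for m in PAGE_MARTIANS if net.subnet_of(m)]
    if covering:
        return ("martian", covering)
    # A shorter route (e.g. a default route) is not itself martian, but it
    # still spans reserved space; report that so filters can be reviewed.
    spanned = [m for m in PAGE_MARTIANS if m.subnet_of(net)]
    return ("accept-spans-martian" if spanned else "accept", spanned)

def audit(prefixes):
    """Map each prefix to its verdict string."""
    return {p: classify(p)[0] for p in prefixes}

# Constructed sample routes, e.g. received from a peer; not from the page.
SAMPLE_ROUTES = [
    "10.1.0.0/16", "127.0.0.1/32", "128.0.0.0/16", "128.0.0.0/8",
    "240.10.0.0/16", "0.0.0.0/0", "192.0.2.0/24", "128.0.0.1/16",
]

if __name__ == "__main__":
    for route, verdict in audit(SAMPLE_ROUTES).items():
        print(f"{route:16} {verdict}")
```

Comparing by prefix containment rather than by string match is what keeps 0.0.0.0/0 and 128.0.0.0/8 from being misread as martian while still flagging that they span reserved space.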