JUNOScope Software Usage Guidelines
- Install Latest Appropriate Operating System Patches
- Verify the JUNOScope Image Against Values Published on the Juniper Networks Web Site
- Upgrading JUNOScope and Password Policies
- Protecting JUNOScope Data Files
- Always Use Strong Passwords
- Change the Default Install Time User from ‘admin’ to Another Name
- Disable Access to the Inventory Management System SQL Interface
- Do Not Enable Debugging on JUNOScope at Installation
- Use Only HTTPS to Connect from a Browser Client to the JUNOScope Server
- Use Only SSL to Connect from the JUNOScope Software to Network Devices
- Do Not Export JUNOScope Data in Clear Text or with the Encryption Key in the Exported Data
- Disable User Accounts After Login Failure Attempts Within The Time Window Are Exceeded
- Regularly Back Up the JUNOScope Software Server
Install Latest Appropriate Operating System Patches
Apply all appropriate operating system (such as Solaris or Linux) patches to keep the JUNOScope server less vulnerable to discovered exploits. Regularly check for and install updates. For more information, see the JUNOScope Software User Guide, “Installing, Reconfiguring, Reinstalling, Upgrading, or Uninstalling the JUNOScope Software” chapter.
Verify the JUNOScope Image Against Values Published on the Juniper Networks Web Site
To ensure the authenticity of the JUNOScope software, compare the hash value of the JUNOScope image with the MD5 or SHA-1 hash values posted on the Juniper Networks Web site at https://www.juniper.net/support/csc/swdist-encr/swdist-jtk/. You can validate the JUNOScope image obtained by HTTPS download, for example, jtk-install-9.5R4–sunos5.sh for Solaris.
To generate the hash value, use the following command:
Upgrading JUNOScope and Password Policies
When upgrading from JUNOScope 8.1 or earlier, the password policy is not enforced on any existing user accounts. It is recommended that the administrator change the password for existing user accounts in order to comply with the password policy.
Protecting JUNOScope Data Files
During the JUNOScope software installation, you are asked to specify how you want to protect JUNOScope data files. The available options are user, group, and all. Select the User option to specify that only the user who installed the JUNOScope software can read JUNOScope data files.
Always Use Strong Passwords
The initial admin account, created at install time, should have an extra-strong password as it cannot be disabled through repeated login failures. The password for the administrator should not match the username, and should not be a word that can be easily guessed.
In general, JUNOScope software passwords must:
- Be easy to remember so that users are not tempted to write them down.
- Contain between 6 and 128 characters, using at least two of the four defined character sets (uppercase, lowercase, numeric, other). The characters in the set "other" are those that can be entered using a single keystroke, or a keyboard character accessed using the Shift key, that does not fall into any of the other three groups.
- Be changed periodically.
- Not be divulged to anyone.
Weak passwords are:
- Words that might be found in, or exist as a permuted form in, system files such as /etc/passwd.
- The hostname of the system (always a first guess).
- Any word that appears in a dictionary. This includes dictionaries other than English, and words found in works such as Shakespeare, Lewis Carroll, Roget's Thesaurus, and so on. This prohibition includes common words and phrases from sports, sayings, movies, or television shows.
- Permutations of any of the above. For example, a dictionary word with vowels replaced with digits (f00t) or with digits added to the end.
- Any machine-generated password. Algorithms reduce the search space of password-guessing programs and should not be used.
Strong reusable passwords can be:
- Based on letters from a favorite phrase or word, and
- Concatenated with other, unrelated words, along with added digits and punctuation.
Passwords should be changed from time to time. For more information, see the JUNOScope Software User Guide, “Installing, Reconfiguring, Reinstalling, Upgrading, or Uninstalling the JUNOScope Software” chapter.
Change the Default Install Time User from ‘admin’ to Another Name
The JUNOScope administrative default user account name is admin. The JUNOScope installation creates this initial JUNOScope administrative user account so the administrator can use it to add other users. Change the default user account name to another name during the installation process. For more information, see the JUNOScope Software User Guide, “Installing, Reconfiguring, Reinstalling, Upgrading, or Uninstalling the JUNOScope Software” chapter.
Disable Access to the Inventory Management System SQL Interface
During the JUNOScope software installation, you are asked to confirm whether you want to enable access to the Inventory Management System SQL interface. The default is no. If you select no, the SQL interface cannot be accessed by any other application or host except JUNOScope clients. If you select yes, the MySQL database can be accessed by any application with Inventory Management System user credentials.
Do Not Enable Debugging on JUNOScope at Installation
The JUNOScope software installation confirms whether you want to enable debug logging for technical support purposes. The default and recommended setting is no. For more information, see the JUNOScope Software User Guide, “Installing, Reconfiguring, Reinstalling, Upgrading, or Uninstalling the JUNOScope Software” chapter.
Use Only HTTPS to Connect from a Browser Client to the JUNOScope Server
The JUNOScope software accepts Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS).
The JUNOScope software provides security between the client and the server. MD5 RSA certification is available between the JUNOScope server and the client Web browser. All communication is encrypted between the client Web browser and the JUNOScope server. The JUNOScope software installation creates an X.509 digital certificate to authenticate the HTTPS server. The JUNOScope software administrator can use self-assigned certificates, or have one assigned by a trusted certificate authority.
The JUNOScope software installation prompts for the HTTPS port that the JUNOScope software Web server uses for its transactions. It is recommended that you use the HTTPS port for communication between the JUNOScope Web browsers and the JUNOScope server. For more information, see the JUNOScope Software User Guide, “Installing, Reconfiguring, Reinstalling, Upgrading, or Uninstalling the JUNOScope Software” chapter.
Use Only SSL to Connect from the JUNOScope Software to Network Devices
The JUNOScope software uses the SSL JUNOScript access protocol to connect to configured devices on the network. The SSL protocol is preferred because it encrypts security information (such as a password) before transmitting it across the network. For more information about how to use the SSL access protocol to connect to devices, see the JUNOScope Software User Guide, “Setting Up Access Methods” chapter.
Do Not Export JUNOScope Data in Clear Text or with the Encryption Key in the Exported Data
When exporting sensitive data in authentication information from the JUNOScope software server, use the "Encrypt sensitive data and provide key at import time" export option. Sensitive data is exported encrypted, and the key to decrypt it is not included in the exported data but is supplied during import. For more information about exporting all data from the JUNOScope server, see the JUNOScope Software User Guide, “Importing and Exporting All Settings Data” chapter, or the specific JUNOScope operation chapter export section.
Disable User Accounts After Login Failure Attempts Within The Time Window Are Exceeded
Configure a Global User Authentication Policy to disable user accounts after the number of login failure attempts within the time window, as defined by the administrator, has been exceeded. Enable the global user authentication policy; it is disabled by default. For more information about creating global authentication policies, see the JUNOScope Software User Guide, “Setting Up a Global Authentication Policy” chapter.
Regularly Back Up the JUNOScope Software Server
Perform regular backups of application data stored by JUNOScope to prevent data loss in the event of a disaster. For more information about backing up JUNOScope application data, see the JUNOScope Software User Guide, “Backing Up and Restoring the JUNOScope Application Data” chapter.