
    Junos Space Network Management Platform Hardening

    Junos Space Network Management Platform provides network hardening through the following:

    Ethernet Interfaces

    A Junos Space Appliance (hardware or virtual) contains four RJ45 10/100/1000 Ethernet interfaces named eth0, eth1, eth2, and eth3.

    You can use eth0 and eth3 interfaces for connecting the appliance with managed devices as follows:

    • Use eth0 for all network connectivity of the appliance as shown in Figure 1.

      Figure 1: Using the eth0 Interface for Connecting Devices
    • Use eth0 for connecting with UI clients and other appliances in the same cluster and use eth3 for connecting with managed devices as shown in Figure 2.

      Figure 2: Using the eth3 Interface for Connecting Devices

    The eth1 interface is used to forward the administrative traffic of the Junos Space Appliance. This separates the administrative traffic from the Junos Space GUI traffic and the device management traffic.

    Firewall

    Junos Space uses the iptables utility to control incoming and outgoing network traffic.

    The iptables utility allows a system administrator to configure the tables provided by the Linux kernel firewall (implemented as different Netfilter modules) and the chains and rules it stores.

    The jmp-firewall service (developed by Juniper Networks) controls the iptables firewall. The jmp-firewall service is on by default on a Junos Space Appliance. The Security option of the Junos Space Settings Menu of the Junos Space Appliance allows you to enable or disable the firewall. For information about enabling Junos Space network settings, see Changing Network and System Settings for a Junos Space Appliance for a JA2500 Junos Space Appliance or Changing Network and System Settings for a Junos Space Virtual Appliance for a Junos Space Virtual Appliance at Junos Space Network Management Platform.

    The following tables list the ports used by Junos Space Platform, Service Now, and Service Insight for communication with Juniper Support System (JSS) and devices:

    • Table 1—Ports used by Junos Space Platform
    • Table 2—Ports used by Service Now to connect to JSS in Direct mode
    • Table 3—Ports used by Service Now to connect to JSS in Partner Proxy mode
    • Table 4—Ports used by a Service Now end customer to connect to a Service Now partner
    • Table 5—Ports used for administrative access of a Service Now end customer and Service Now partner

    Refer to Junos Space Network Ports for more information.

    Table 1 lists the ports used by Junos Space Platform.

    Table 1: Ports Used by Junos Space Platform

    Protocol   Port   Purpose
    TCP        7      Inbound to device management IP; used for device discovery
    TCP        22     Inbound to the device management IP; used to establish a NETCONF over SSH connection to the router during device discovery
    UDP        161    Inbound to the device management IP; used to perform SNMP queries on the device during device discovery
    TCP        443    Inbound to the virtual IP (VIP) from external HTTPS clients
    TCP        7804   Inbound to the Junos Space server nodes IP; used for devices which use the outbound SSH or device-initiated connection model

    Table 2 lists the ports used by Service Now to connect to JSS (services.juniper.net) in Direct mode.

    Table 2: Ports Used by Service Now to Connect to JSS in Direct Mode

    Protocol   Port   Purpose
    TCP        443    Outbound connection from Service Now to JSS
    UDP        53     (Optional) Outbound from Service Now to DNS for resolution of JSS
    TCP        21     FTP control from device to ftp.juniper.net (or a specified FTP server)
    TCP        20     FTP data transfer from device to ftp.juniper.net (or a specified FTP server)

    For a secure mode SFTP upload of core files from a device through Service Now to an SFTP server, Service Now uses the existing SSH TCP/22 ports of Junos Space Platform.

    TCP        22     Outbound connection from Service Now to sftp.juniper.net (or a specified SFTP server)

    Table 3 lists the ports used by Service Now to connect to JSS (services.juniper.net) in Partner Proxy mode.

    Table 3: Ports Used by Service Now to Connect to JSS in Partner Proxy Mode

    Protocol   Port   Purpose
    TCP        443    Inbound to a Service Now partner from Service Now end-customer IP addresses
    TCP        443    Outbound from a Service Now partner to JSS
    UDP        53     (Optional) Outbound from a Service Now partner to DNS

    For a direct FTP upload of core files from a device to an FTP server, the device must be connected to the FTP server for the transfer to succeed. In addition, Service Now must have access to the FTP server to create a case-specific directory on behalf of the device before the core file is uploaded.

    TCP        21     FTP control from a device to ftp.juniper.net (or the specified FTP server)
    TCP        20     FTP data transfer from a device to ftp.juniper.net (or the specified FTP server)

    For a secure mode SFTP upload of core files from a device through Service Now to an SFTP server, Service Now uses the existing SSH TCP/22 ports of Junos Space Platform.

    TCP        22     Outbound from Service Now to sftp.juniper.net (or the specified SFTP server)

    Table 4 lists the ports used by a Service Now end customer to connect to a Service Now partner.

    Table 4: Ports Used by a Service Now End Customer to Connect to a Service Now Partner

    Protocol   Port   Purpose
    TCP        443    Outbound from a Service Now end customer to a Service Now partner IP address
    UDP        53     (Optional) Outbound from a Service Now end customer to DNS
    TCP        21     FTP control from a device to an FTP server specified by the Service Now partner
    TCP        20     FTP data transfer from a managed device to the FTP server specified by the Service Now partner

    For a secure mode SFTP upload of core files from a managed device through Service Now to an SFTP server, Service Now uses the existing SSH TCP/22 ports specified by Junos Space Platform.

    TCP        22     Outbound from Service Now to an SFTP server specified by the Service Now partner

    Table 5 lists the ports used for administrative access of a Service Now end customer and Service Now partner.

    Table 5: Ports Used for Administrative Access of a Service Now End Customer and Service Now Partner

    Protocol   Port   Purpose
    TCP        443    Inbound for secure HTTPS Web access to the Junos Space GUI
    TCP        22     Inbound for secure command-line access to Junos Space
    TCP        25     (Optional) Outbound SMTP for delivery of e-mail notifications
    UDP        161    (Optional) Inbound SNMP access for remote monitoring of managed devices
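    A small audit of the appliance's own INPUT chain against the inbound ports documented in Tables 1 and 5, added here as an example (not Juniper's jmp-firewall code). It assumes a dump in `iptables -S INPUT` format; the sample dump is constructed, and the expected set treats ports 7, 22 and 161 of Table 1 as inbound to the managed device rather than to the appliance.

```python
"""Audit an `iptables -S INPUT` dump against the documented inbound ports (added example)."""
import re

# Ports the appliance itself must accept, taken from Tables 1 and 5: HTTPS to the
# VIP, SSH command-line access, device-initiated SSH (7804) and SNMP monitoring.
# Ports 7, 22 and 161 in Table 1 are inbound to the managed device, not to Space.
EXPECTED_INBOUND = {("tcp", 22), ("tcp", 443), ("tcp", 7804), ("udp", 161)}

# Matches single-port rules such as: -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
RULE_RE = re.compile(
    r"^-A INPUT\b.*?-p (?P<proto>tcp|udp)\b.*?--dport (?P<port>\d+)\b.*?-j (?P<target>\w+)"
)


def parse_input_rules(dump: str) -> list:
    """Return (proto, port, target) for every INPUT rule carrying a --dport."""
    rules = []
    for line in dump.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append((m["proto"], int(m["port"]), m["target"]))
    return rules


def audit(dump: str, expected=EXPECTED_INBOUND) -> tuple:
    """Return (unexpected, missing): ACCEPT rules for ports outside the documented
    set, and documented ports with no ACCEPT rule. Multiport rules are not parsed."""
    accepted = {(p, port) for p, port, t in parse_input_rules(dump) if t == "ACCEPT"}
    return accepted - set(expected), set(expected) - accepted


# Constructed sample in `iptables -S INPUT` format; not a real appliance dump.
SAMPLE_DUMP = """\
-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7804 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j DROP
"""

if __name__ == "__main__":
    unexpected, missing = audit(SAMPLE_DUMP)
    print("ACCEPT rules outside the documented set:", sorted(unexpected))
    print("documented ports with no ACCEPT rule:", sorted(missing))
```

    On the sample dump the stray TCP 8080 rule is reported as unexpected and UDP 161 as missing; the DROP rule for 3306 is parsed but never counted as an open port.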

    Network Policies

    The /etc/sysctl.conf file controls numerous network policies. Table 6 lists some of the important settings that are used to increase network security.

    Table 6: Network Policies in the sysctl.conf File

    Network Policy                                      Description
    net.ipv4.conf.default.accept_source_route = 0       Disable source-routed packet acceptance.
    net.ipv4.conf.all.accept_source_route = 0
    net.ipv4.conf.all.accept_redirects = 0              Disable ICMP redirect acceptance.
    net.ipv4.conf.default.accept_redirects = 0
    net.ipv4.icmp_echo_ignore_broadcasts = 1            Ignore ICMP echo requests sent to broadcast addresses.
    net.ipv4.icmp_ignore_bogus_error_responses = 1      Enable bad error message protection.
    net.ipv4.conf.all.rp_filter = 1                     Enable RFC-recommended source route validation.
    net.ipv4.conf.default.rp_filter = 1
    net.ipv4.tcp_syncookies = 1                         Enable TCP SYN cookies.
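    A checker for the Table 6 settings, added here as an example (not part of the Junos Space distribution). It parses the `key = value` form shared by /etc/sysctl.conf and `sysctl -a` output and reports every hardened key that is missing or set to a different value; the sample file is constructed.

```python
"""Compare sysctl settings with the Table 6 hardening values (added example)."""

# Hardened values from Table 6; any key left at another value is a deviation.
EXPECTED = {
    "net.ipv4.conf.default.accept_source_route": "0",
    "net.ipv4.conf.all.accept_source_route": "0",
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv4.conf.default.accept_redirects": "0",
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",
    "net.ipv4.icmp_ignore_bogus_error_responses": "1",
    "net.ipv4.conf.all.rp_filter": "1",
    "net.ipv4.conf.default.rp_filter": "1",
    "net.ipv4.tcp_syncookies": "1",
}


def parse_sysctl(text: str) -> dict:
    """Parse 'key = value' lines from sysctl.conf or `sysctl -a` output.
    Lines starting with '#' or ';' are comments; a repeated key keeps its
    last value, which is also how sysctl applies the file."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def find_deviations(text: str, expected=EXPECTED) -> dict:
    """Return {key: (actual, expected)} for every hardened key not set as expected.
    A missing key is reported with actual None: the kernel default then applies,
    which is not necessarily the hardened value."""
    actual = parse_sysctl(text)
    return {k: (actual.get(k), v) for k, v in expected.items() if actual.get(k) != v}


# Constructed sample of a partially hardened sysctl.conf; not a real appliance file.
SAMPLE_CONF = """\
# Kernel sysctl configuration (constructed sample)
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
"""

if __name__ == "__main__":
    for key, (got, want) in find_deviations(SAMPLE_CONF).items():
        print(f"{key}: found {got!r}, expected {want!r}")
```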

    TCP Wrappers

    TCP wrappers (tcpd) provide a host-based access control system for INET services. The hosts that are allowed access to INET services are configured in the /etc/hosts.allow file, and the hosts that are denied access to INET services are configured in the /etc/hosts.deny file.
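    To make the hosts.allow / hosts.deny evaluation order concrete, here is an added example (not tcpd's own code) that decides access for a daemon and client IPv4 address the way tcpd does: a hosts.allow match grants, otherwise a hosts.deny match refuses, otherwise access is granted. It handles only ALL, exact addresses, dotted prefixes and CIDR patterns; the two sample files are constructed.

```python
"""Evaluate tcpd hosts.allow / hosts.deny rules for a daemon and client (added example)."""
import ipaddress


def _client_matches(pattern: str, client_ip: str) -> bool:
    """One tcpd client pattern: ALL, an exact IPv4 address, a dotted prefix such as
    '10.1.', or CIDR such as '10.1.0.0/24'. Hostnames and EXCEPT are not handled."""
    pattern = pattern.strip()
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return client_ip.startswith(pattern)
    if "/" in pattern:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == client_ip


def _file_matches(text: str, daemon: str, client_ip: str) -> bool:
    """True if any 'daemon_list : client_list [: option]' line in the file matches."""
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(":")
        if len(parts) < 2:
            continue
        daemon_ok = any(d.strip() in ("ALL", daemon) for d in parts[0].split(","))
        client_ok = any(_client_matches(c, client_ip) for c in parts[1].split(","))
        if daemon_ok and client_ok:
            return True
    return False


def access_allowed(hosts_allow: str, hosts_deny: str, daemon: str, client_ip: str) -> bool:
    """tcpd order: a hosts.allow match grants access, otherwise a hosts.deny match
    refuses it, otherwise access is granted (so an empty hosts.deny allows everyone)."""
    if _file_matches(hosts_allow, daemon, client_ip):
        return True
    return not _file_matches(hosts_deny, daemon, client_ip)


# Constructed sample policy: SSH only from the management subnet and one jump host,
# loopback for everything, all other access refused. Not the appliance's real files.
HOSTS_ALLOW = "sshd: 10.1.0.0/24, 192.168.5.10\nALL: 127.0.0.1\n"
HOSTS_DENY = "ALL: ALL\n"

if __name__ == "__main__":
    for daemon, ip in [("sshd", "10.1.0.77"), ("sshd", "203.0.113.5"), ("in.telnetd", "192.168.5.10")]:
        verdict = "allowed" if access_allowed(HOSTS_ALLOW, HOSTS_DENY, daemon, ip) else "denied"
        print(f"{daemon} from {ip}: {verdict}")
```

    The last case shows why the deny file matters: the jump host is listed for sshd only, so the same address asking for a different service falls through to the ALL: ALL refusal.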

    Other Hardening Aspects

    Other aspects in which the Junos Space Platform is hardened to ensure security and confidentiality are as follows:

    • Operating System (OS) Hardening

      OS hardening is ensured as follows:

      • OS version: Junos Space Network Management Platform Release 14.1 runs on the latest version of CentOS that provides the required security fixes.
      • Junos Space access: Access to Junos Space from the console is restricted to the root user only. Non-root users must use the su and sudo commands to run commands remotely on Junos Space.
      • Default file permissions: The default umask for a file is set to 0027. We recommend that you do not modify the default umask.
      • Disk partitions: The file system is partitioned into /root, /var, /var/log, and /tmp to offer greater granularity for permissions.
      • Login attempts: The pam_tally2 module is configured to lock a user account after three unsuccessful login attempts. The lock is retained for 20 minutes.
      • Bash shell: The bash shell is configured to automatically log out idle users. You can modify the settings in the /etc/ssh/sshd_config file.
      • Log rotation: Junos Space has log rotation enabled for the following logs so that they do not grow unbounded or fill up the disk: /var/log/messages, /var/log/boot, /var/log/secure, and /var/log/maillog.
    • Database Hardening:

      Database hardening is ensured as follows:

      • Junos Space uses MySQL as its database. To make the database secure, in Junos Space Release 13.3 and later, it has been made mandatory even for the admin user to provide a password to obtain access to the MySQL database. We recommend that the password for the super user account (root) in MySQL be changed as follows:
        mysql> SET PASSWORD FOR 'root'@'localhost' = PASSWORD('newpass');
        mysql> SET PASSWORD FOR 'root'@'hostname' = PASSWORD('newpass');
        mysql> COMMIT;

        where hostname is the name of the host and newpass is the new password.

      • The file privileges to the directories in the database are restricted to read and write.
      • The mysql daemon is configured to run in the chroot jail environment.
    • Secure Shell (SSH) Daemon Hardening

      The SSH daemon is hardened as follows:

      • Linux system accounts: Junos Space provides a number of user accounts such as root, ntp, postgres, apache, and so on. The /etc/passwd file contains the details of these accounts. We recommend that the user accounts that are not required be deleted.
      • Shared key authentication: Junos Space provides the option for shared key authentication to improve security by restricting SSH access to only those systems that know the shared key. For information about shared key authentication, see Key-Based Authentication Overview.
      • Limit network access: The SSH daemon is limited to listening for connections on internal interfaces only. The interfaces on which the SSH daemon listens are defined in the /etc/ssh/ssh_config file.
    • Web Server Hardening

      The Web server is hardened as follows:

      • Junos Space uses only the GET, POST, PUT and DELETE methods. All other HTTP methods are deactivated.
      • The display of server version information on HTTP headers is disabled.
      • The index option is disabled to avoid listing the files and directories in the Web server's document root.
      • The HTTP trace option is disabled.
      • The Web service is restricted to listen to connections on internal interfaces only.
      • You can provide an additional layer of security to Junos Space by using SSL certificates.

        For information about SSL certificates, see Certificate Management Overview and Installing Custom SSL Certificate on Junos Space Server.

    Modified: 2016-07-07