ON THIS PAGE
Junos OS Features for Router Security
Router security consists of three major elements: physical security of the router, operating system security, and security that can be affected through configuration. Physical security involves restricting access to the router. Exploits that can easily be prevented from remote locations are extremely difficult or impossible to prevent if an attacker can gain access to the router’s management port or console. The inherent security of Junos OS also plays an important role in router security. Junos OS is extremely stable and robust. Junos OS also provides features to protect against attacks, allowing you to configure the router to minimize vulnerabilities.
The following are Junos OS features available to improve router security:
Methods of Remote Access for Router Management
When you first install Junos OS, all remote access to the router is disabled, thereby ensuring that remote access is possible only if deliberately enabled by an authorized user. You can establish remote communication with a router in one of the following ways:
Out-of-band management—Enables connection to the router through an interface dedicated to router management. Juniper Networks routers support out-of-band management with a dedicated management Ethernet interface, as well as EIA-232 console and auxiliary ports. On all routers other than the TX Matrix Plus router, T1600 router, T1600 or T4000 routers connected to a TX Matrix Plus router in a routing matrix, T640 routers with a Routing Engine supporting 64-bit Junos OS, and PTX Series Packet Transport Routers, the management interface is fxp0. On a TX Matrix Plus router, T1600 router, T1600 or T4000 routers in a routing matrix, T640 routers with a Routing Engine supporting 64-bit Junos OS, and PTX Series Packet Transport Routers, the management Ethernet Interface is labeled em0. The management Ethernet interface connects directly to the Routing Engine. No transit traffic is allowed through this interface, providing complete separation of customer and management traffic and ensuring that congestion or failures in the transit network do not affect the management of the router.
Inband management—Enables connection to the routers using the same interfaces through which customer traffic flows. Although this approach is simple and requires no dedicated management resources, it has some disadvantages:
Management flows and transit traffic flows are mixed together. Any attack traffic that is mixed with the normal traffic can affect the communication with the router.
The links between router components might not be totally trustworthy, leading to the possibility of wiretapping and replay attacks.
For management access to the router, the standard ways to communicate with the router from a remote console are with Telnet and SSH. SSH provides secure encrypted communications and is therefore useful for inband router management. Telnet provides unencrypted, and therefore less secure, access to the router.
Junos OS Supported Protocols and Methods for User Authentication
On a router, you can create local user login accounts to control who can log in to the router and the access privileges they have. A password, either an SSH key or a Message Digest 5 (MD5) password, is associated with each login account. To define access privileges, you create login classes into which you group users with similar jobs or job functions. You use these classes to explicitly define what commands their users are and are not allowed to issue while logged in to the router.
The management of multiple routers by many different personnel can create a user account management problem. One solution is to use a central authentication service to simplify account management, creating and deleting user accounts only on a single, central server. A central authentication system also simplifies the use of one-time password systems such as SecureID, which offer protection against password sniffing and password replay attacks (attacks in which someone uses a captured password to pose as a router administrator).
Junos OS supports two protocols for central authentication of users on multiple routers:
Terminal Access Controller Access Control System Plus (TACACS+)
Remote Authentication Dial-In User Service (RADIUS), a multivendor IETF standard whose features are more widely accepted than those of TACACS+ or other proprietary systems. All one-time-password system vendors support RADIUS.
Junos OS also supports the following authentication methods:
Internet Protocol Security (IPsec). IPsec architecture provides a security suite for the IPv4 and IPv6 network layers. The suite provides such functionality as authentication of origin, data integrity, confidentiality, replay protection, and nonrepudiation of source. In addition to IPsec, Junos OS supports the Internet Key Exchange (IKE), which defines mechanisms for key generation and exchange, and manages security associations (SAs).
MD5 authentication of MSDP peering sessions. This authentication provides protection against spoofed packets being introduced into a peering session.
SNMPv3 authentication and encryption. SNMPv3 uses the user-based security model (USM) for message security and the view-based access control model (VACM) for access control. USM specifies authentication and encryption. VACM specifies access-control rules.
Junos OS Plain-Text Password Requirements
Junos OS has special requirements when you create plain-text passwords on a router. The default requirements for plain-text passwords are as follows:
The password must be between 6 and 128 characters long.
You can include uppercase letters, lowercase letters, numbers, punctuation marks, and any of the following special characters:
! @ # $ % ^ & * , + = < > : ;
Control characters are not recommended.
The password must contain at least one change of case or character class.
You can change the requirements for plain-text passwords.
You can include the plain-text-password statement at the following hierarchy levels:
[edit system diag-port-authentication]
[edit system pic-console-authentication]
[edit system root-authentication]
[edit system login user username authentication]
Junos OS Support for Routing Protocol Security Features and IPsec
The main task of a router is to forward user traffic toward its intended destination based on the information in the router’s routing and forwarding tables. You can configure routing policies that define the flows of routing information through the network, controlling which routes the routing protocols place in the routing tables and which routes they advertise from the tables. You can also use routing policies to change specific route characteristics, change the BGP route flap-damping values, perform per-packet load balancing, and enable class of service (CoS).
Attackers can send forged protocol packets to a router with the intent of changing or corrupting the contents of its routing table or other databases, which can degrade the functionality of the router. To prevent such attacks, you must ensure that routers form routing protocol peering or neighboring relationships with trusted peers. One way to do this is by authenticating routing protocol messages. The Junos OS BGP, IS-IS, OSPF, RIP, and RSVP protocols support HMAC-MD5 authentication, which uses a secret key combined with the data being protected to compute a hash. When the protocols send messages, the computed hash is transmitted with the data. The receiver uses the matching key to validate the message hash.
Junos OS supports the IPsec security suite for the IPv4 and IPv6 network layers. The suite provides such functionality as authentication of origin, data integrity, confidentiality, replay protection, and nonrepudiation of source. Junos OS also supports IKE, which defines mechanisms for key generation and exchange, and manages SAs.
Junos OS Support for Firewall Filters
Firewall filters allow you to control packets transiting the router to a network destination and packets destined for and sent by the router. You can configure firewall filters to control which data packets are accepted on and transmitted from the physical interfaces, and which local packets are transmitted from the physical interfaces and the Routing Engine. Firewall filters provide a means of protecting your router from excessive traffic. Firewall filters that control local packets can also protect your router from external aggressions, such as DoS attacks.
To protect the Routing Engine, you can configure a firewall filter only on the router’s loopback interface. Adding or modifying filters for each interface on the router is not necessary. You can design firewall filters to protect against ICMP and Transmission Control Protocol (TCP) connection request (SYN) floods and to rate-limit traffic being sent to the Routing Engine.
Junos OS Support Distributed Denial-of-Service Protection
A denial-of-service attack is any attempt to deny valid users access to network or server resources by using up all the resources of the network element or server. Distributed denial-of-service attacks involve an attack from multiple sources, enabling a much greater amount of traffic to attack the network. The attacks typically use network protocol control packets to trigger a large number of exceptions to the router’s control plane. This results in an excessive processing load that disrupts normal network operations.
Junos OS DDoS protection enables the router to continue functioning while under an attack. It identifies and suppresses malicious control packets while enabling legitimate control traffic to be processed. A single point of DDoS protection management enables network administrators to customize profiles for their network control traffic. Protection and monitoring persists across graceful Routing Engine switchover (GRES) and unified in-service-software-upgrade (ISSU) switchovers. Protection is not diminished as the number of subscribers increases.
To protect against DDoS attacks, you can configure policers for host-bound exception traffic. The policers specify rate limits for individual types of protocol control packets or for all control packet types for a protocol. You can monitor policer actions for packet types and protocol groups at the level of the router, Routing Engine, and line cards. You can also control logging of policer events.
Flow detection is an enhancement to DDoS protection that supplements the DDoS policer hierarchies by using a limited amount of hardware resources to monitor the arrival rate of host-bound flows of control traffic. Flow detection is much more scalable than a solution based on filter policers. Filter policers track all flows, which consumes a considerable amount of resources. In contrast, flow detection only tracks flows it identifies as suspicious, using far fewer resources to do so.
The flow detection application has two interrelated components, detection and tracking. Detection is the process where flows suspected of being improper are identified and subsequently controlled. Tracking is the process where flows are tracked to determine whether they are truly hostile and when these flows recover to within acceptable limits.
Junos OS Auditing Support for Security
Junos OS logs significant events that occur on the router and within the network. Although logging itself does not increase security, you can use the system logs to monitor the effectiveness of your security policies and router configurations. You can also use the logs when reacting to a continued and deliberate attack as a means of identifying the source address, router, or port of the attacker’s traffic. You can configure the logging of different levels of events, from only critical events to all events, including informational events. You can then inspect the contents of the system log files either in real time or later.
Debugging and troubleshooting are much easier when the timestamps in the system log files of all routers are synchronized, because events that span the network might be correlated with synchronous entries in multiple logs. Junos OS supports the Network Time Protocol (NTP), which you can enable on the router to synchronize the system clocks of routers and other networking equipment. By default, NTP operates in an unauthenticated mode. You can configure various types of authentication, including an HMAC-MD5 scheme.