Junos OS Features for Router Security

Router security consists of three major elements: physical security of the router, operating system security, and security that can be effected through configuration. Physical security involves restricting access to the router. Exploits that can easily be prevented from remote locations are extremely difficult or impossible to prevent if an attacker can gain access to the router’s management port or console. The inherent security of the Junos operating system also plays an important role in router security. The Junos OS is extremely stable and robust. The Junos OS also provides features to protect against attacks, allowing you to configure the router to minimize vulnerabilities.

The following are Junos OS features available to improve router security:

Methods of Remote Access for Router Management

When you first install the Junos OS, all remote access to the router is disabled, thereby ensuring that remote access is possible only if deliberately enabled by an authorized user. You can establish remote communication with a router in one of the following ways:

Out-of-band management—enables connection to the router through an interface dedicated to router management. Juniper Networks routers support out-of-band management with a dedicated management Ethernet interface, as well as EIA-232 console and auxiliary ports. On all routers other than the TX Matrix Plus router and T1600 routers connected to a TX Matrix Plus router in a routing matrix, the management Ethernet Interface is labeled, fxp0. On a TX Matrix Plus router and T1600 routers in a routing matrix, the management Ethernet Interface is labeled em0. The management Ethernet interface connects directly to the Routing Engine. No transit traffic is allowed through this interface, providing complete separation of customer and management traffic and ensuring that congestion or failures in the transit network do not affect the management of the router.
Inband management—enables connection to the routers using the same interfaces through which customer traffic flows. Although this approach is simple and requires no dedicated management resources, it has some disadvantages:
- Management flows and transit traffic flows are mixed together. Any attack traffic that is mixed with the normal traffic can affect the communication with the router.
- The links between router components might not be totally trustworthy, leading to the possibility of wiretapping and replay attacks.

For management access to the router, the standard ways to communicate with the router from a remote console are with Telnet and SSH. SSH provides secure encrypted communications and is therefore useful for inband router management. Telnet provides unencrypted, and therefore less secure, access to the router.

Junos OS Supported Protocols and Methods for User Authentication

On a router, you can create local user login accounts to control who can log in to the router and the access privileges they have. A password, either an SSH key or a Message Digest 5 (MD5) password, is associated with each login account. To define access privileges, you create login classes into which you group users with similar jobs or job functions. You use these classes to explicitly define what commands their users are and are not allowed to issue while logged in to the router.

The management of multiple routers by many different personnel can create a user account management problem. One solution is to use a central authentication service to simplify account management, creating and deleting user accounts only on a single, central server. A central authentication system also simplifies the use of one-time password systems such as SecureID, which offer protection against password sniffing and password replay attacks (attacks in which someone uses a captured password to pose as a router administrator).

The Junos OS supports two protocols for central authentication of users on multiple routers:

Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS+).
RADIUS, a multivendor IETF standard whose features are more widely accepted than those of TACACS+ or other proprietary systems. All one-time-password system vendors support RADIUS.

The Junos OS also supports the following authentication methods:

Internet Protocol Security (IPsec). IPsec architecture provides a security suite for the IPv4 and IPv6 network layers. The suite provides such functionality as authentication of origin, data integrity, confidentiality, replay protection, and nonrepudiation of source. In addition to IPsec, the Junos OS also supports the Internet Key Exchange (IKE), which defines mechanisms for key generation and exchange, and manages security associations (SAs).
MD5 authentication of MSDP peering sessions. This authentication provides protection against spoofed packets being introduced into a peering session.
SNMPv3 authentication and encryption. SNMPv3 uses the user-based security model (USM) for message security and the view-based access control model (VACM) for access control. USM specifies authentication and encryption. VACM specifies access-control rules.

Junos OS Plain-Text Password Requirements

The Junos OS has special requirements when you create plain-text passwords on a router. The default requirements for plain-text passwords are as follows:

The password must be between 6 and 128 characters long.
You can include uppercase letters, lowercase letters, numbers, punctuation marks, and any of the following special characters:

! @ # $ % ^ & * , + = < > : ;

Control characters are not recommended.
The password must contain at least one change of case or character class.

You can change the requirements for plain-text passwords.

You can include the plain-text-password statement at the following hierarchy levels:

[edit system diag-port-authentication]
[edit system pic-console-authentication]
[edit system root-authentication]
[edit system login user username authentication]

Junos OS Support for Routing Protocol Security Features and IPsec

The main task of a router is to forward user traffic toward its intended destination based on the information in the router’s routing and forwarding tables. You can configure routing policies that define the flows of routing information through the network, controlling which routes the routing protocols place in the routing tables and which routes they advertise from the tables. You can also use routing policies to change specific route characteristics, change the BGP route flap-damping values, perform per-packet load balancing, and enable class of service (CoS).

Attackers can send forged protocol packets to a router with the intent of changing or corrupting the contents of its routing table or other databases, which can degrade the functionality of the router. To prevent such attacks, you must ensure that routers form routing protocol peering or neighboring relationships with trusted peers. One way to do this is by authenticating routing protocol messages. The Junos BGP, IS-IS, OSPF, RIP, and RSVP protocols support HMAC-MD5 authentication, which uses a secret key combined with the data being protected to compute a hash. When the protocols send messages, the computed hash is transmitted with the data. The receiver uses the matching key to validate the message hash.

The Junos OS supports the IPsec security suite for the IPv4 and IPv6 network layers. The suite provides such functionality as authentication of origin, data integrity, confidentiality, replay protection, and nonrepudiation of source. The Junos OS also supports IKE, which defines mechanisms for key generation and exchange, and manages SAs.

Junos OS Support for Firewall Filters

Firewall filters allow you to control packets transiting the router to a network destination and packets destined for and sent by the router. You can configure firewall filters to control which data packets are accepted on and transmitted from the physical interfaces, and which local packets are transmitted from the physical interfaces and the Routing Engine. Firewall filters provide a means of protecting your router from excessive traffic. Firewall filters that control local packets can also protect your router from external aggressions, such as DoS attacks.

To protect the Routing Engine, you can configure a firewall filter only on the router’s loopback interface. Adding or modifying filters for each interface on the router is not necessary. You can design firewall filters to protect against ICMP and Transmission Control Protocol (TCP) connection request (SYN) floods and to rate-limit traffic being sent to the Routing Engine.

Junos OS Auditing Support for Security

The Junos OS logs significant events that occur on the router and within the network. Although logging itself does not increase security, you can use the system logs to monitor the effectiveness of your security policies and router configurations. You can also use the logs when reacting to a continued and deliberate attack as a means of identifying the source address, router, or port of the attacker’s traffic. You can configure the logging of different levels of events, from only critical events to all events, including informational events. You can then inspect the contents of the system log files either in real time or later.

Debugging and troubleshooting are much easier when the timestamps in the system log files of all routers are synchronized, because events that span the network might be correlated with synchronous entries in multiple logs. The Junos OS supports the Network Time Protocol (NTP), which you can enable on the router to synchronize the system clocks of routers and other networking equipment. By default, NTP operates in an unauthenticated mode. You can configure various types of authentication, including an HMAC-MD5 scheme.