Transcription of JUNOS Router Security - Poplar
1 Application NoteJUNOS Router SecurityBest Common Practices for Hardening the InfrastructurePejhan PeymaniSystems EngineerMatt KolonMarketing EngineerJuniper Networks, North Mathilda AvenueSunnyvale, CA 94089 USA408 745 2000 or 888 Number: 350013-003 05/03 Copyright 2002, Juniper Networks, Default Access with the Copy Protocol Inbound Traffic to the Routing Firewall Filters to Routing Engine a Firewall Against ICMP and SYN Against Malicious Against Packets with IP routers from Being Used as Attack Firewall Filters for Each Traffic to the Routing for Authentication and Command Protocol Events and of Traffic Being Time the Infrastructure4 Copyright 2002, Juniper Networks.
2 SummaryThe anonymity and flexibility of IP and the Internet make it possible for attackers to remotelydegrade Router performance or interrupt the network communication s of large numbers of end increasing frequency of attacks targeting service provider routers makes it essential to havetechniques for securing them. This document introduces common Security issues concerning routerconfiguration and operation, identifies Juniper Networks Router features that can be useful inpreventing and combating attacks, and outlines best common practice guidelines for the securedeployment of Juniper Networks configuration and operation techniques discussed in this paper are not the only way toaccomplish Router Security , nor are they required by Juniper Networks.
3 They are rather best commonpractices recommended by us based on our experience with our customers and recent increase in reported attacks against routers and other network components has coincidedwith the current focus on the Security of all types of public infrastructure to create an extremelychallenging Security environment for network service providers. A number of facets of the networksecurity question apply to the configuration of routers and to the design of routed networks. Toprotect their networks from attacks by those wishing to disrupt or destroy them, service providersmust take an active role in identifying and utilizing network and Router design features that canenhance the Security of their networks.
4 NOTEThe practices discussed in this paper help secure the Router infrastructure, which is only one partof an overall network Security strategy. Network services also require host systems to manage thenetwork, provide domain name resolution, exchange e-mails with customers, and perform otherfunctions. While some of the techniques discussed in this paper are applicable to protecting hostsas well as routers , the specific approaches in this paper focus on Router SecurityRouter Security can be divided into three elements: Physical Security of the Router Operating system Security Configuration hardeningThis paper does not provide recommendations on physical Security , other than to state the ratherobvious fact that restricting the physical access to any network equipment is the first step insecuring it.
5 Many exploits that are trivial to prevent from remote locations are extremely difficult toprevent if the attacker is able to access the management port or inherent Security of the Router operating system also plays an important role in the Security ofthe Router . If the operating system itself is not secure the Router can be compromised regardless ofcareful and secure configuration. For instance, one of the common techniques hackers use tocompromise routers is to elicit buffer overflows by finding weaknesses in Router operating systemcode. To prevent such exploitation, the operating system must be extremely stable and Networks takes extreme care to ensure that each release of software is as stable and bug-freeHardening the InfrastructureCopyright 2002, Juniper Networks, possible, but a few additional techniques and guidelines will ensure that even the rare softwarefault will not expose the system to attack.
6 A secure operating system also provides features to helpoperators protect the system from attacks, so a knowledgeable user can minimize whatevervulnerability exists as a result of necessary configuration paper concentrates on the third aspect of Router Security : configuration hardening is the process of applying sound Security policies using the tools that aremade available by the Router operating system. Given a robust set of Security tools, virtually anyrouter configuration can operate securely. Even with such tools, it is possible to misconfigure aperfectly secure operating system and thereby make a Router remainder of this paper discusses four aspects of configuration hardening: Router access Security Routing protocol Security Protecting the routing engine Security auditingThe Security recommendations and considerations in this paper are specific to IPv4.
7 Although manyof the issues and recommendations are quite similar for IPv6, they are not explicitly discussed here. NOTEWe assume for the remainder of this paper that the reader is comfortable with JUNOS softwareconfiguration features and syntax. Make sure you understand the consequences of using thecommands and configuration options described here. Improper use of them can disrupt networkoperation by restricting traffic flow, or making it difficult to log in to the Router . For completeconfiguration and operational commands, please see the technical documentation Default SettingsThe JUNOS software presents a hardened target to the attacker immediately after it is installed anda root account password has been configured.
8 The following is a list of common Router concerns thatthe JUNOS software addresses in its default The JUNOS software does not forward directed broadcasts. Directed broadcast services can beused to attack other users across the Internet by sending ping requests from a spoofed sourceaddress to a broadcast address such as If such broadcast pings are allowed onthe network, a single ping request can elicit up to 254 responses, all aimed at thesupposed source of the ping which actually becomes the victim of a denial-of-service (DoS)attack. On large-scale or multiple networks, the problem becomes even Remote management access to the Router is disabled by default and must be explicitly console access to the Router is enabled in a default configuration.
9 This restriction appliesto all management access protocols such as telnet, ftp, and even The JUNOS software does not support SNMP set capability for editing configuration the JUNOS software does support SNMP set capability for conducting networkmonitoring and troubleshooting, this exposes no known Security issues and can be disabled inthe The JUNOS software by default has a rate-limiter applied on ARP packets that go to the routingengine. This prevents an ARP storm attack either through misconfiguration or maliciousbehavior. To further rate-limit ARP messages, an ARP policer can be placed on EthernetinterfacesHardening the Infrastructure6 Copyright 2002, Juniper Networks, Martian addresses are reserved host or network addresses about which all routing informationshould be ignored.
10 To add specific addresses to the list of default martian addresses add thefollowing to your Router configuration:routing-options {martians { destination-prefix match-type; }}By default, JUNOS martian addresses contain the following Access SecuritySecure remote access is essential to managing and maintaining a Router infrastructure. As mentionedabove, the JUNOS software provides initial remote access Security by disabling all remote access bydefault. This ensures that no remote access is possible unless deliberately turned on by anauthorized user. There are two ways to establish remote communication with a Router : out-of-bandand inband ManagementOut-of-band allows connection to the Router through an interface dedicated to Router Networks routers support out-of-band management with a dedicated management Ethernetinterface (fxp0), as well as with EIA-232 console and auxiliary ports.