SRX


Device Hardening, non-RADIUS logins/local

  • 1.  Device Hardening, non-RADIUS logins/local

    Posted 04-21-2021 14:50
    I'm going through the process of hardening the configurations for all of my SRX firewalls. I have enabled RADIUS authentication with two factor so we're tracking and authenticating before making any changes. I'm disabling remote root-login for my devices but that just brings me to some questions: Do you have local user accounts that are enabled in the event that you lose communication with your RADIUS servers and, if so, do you have a password update frequency? Part of my hardening is to prevent local account authorization unless RADIUS is down; is that secure enough to allow the use of local logins?

    ------------------------------
    Thomas Anderson
    ------------------------------


  • 2.  RE: Device Hardening, non-RADIUS logins/local
    Best Answer

    Posted 04-22-2021 08:20
    Hi,
       You can check on the Junos Hardening Day One Books here: Day One Books | Juniper Networks TechLibrary

      To answer your query:

      > Do you have local user-accounts that are enabled in the event that you lose communication with your radius servers
      > Part of my hardening is to prevent local account authorization unless radius is down, is that secure enough to allow the use of local logins?

      - The default user is root; you can set password complexity from the device itself and create a filter on trusted IP addresses which can have SSH/HTTPS access.
      - You can set the authentication order here: Authentication Order for LDAPS, RADIUS, TACACS+, and Local Password | User Access and Authentication Administration Guide | Juniper Networks TechLibrary

     More power,
    Leangf


    ------------------------------
    Leangf Leangf
    ------------------------------



  • 3.  RE: Device Hardening, non-RADIUS logins/local

    Posted 04-22-2021 11:02
    Thanks for the reply. I was going through the device hardening and wasn't sure if local accounts were seen as a vulnerability due to the lack of centralized management. I went ahead and enabled a local account that I can use in the event of failure to reach an AAA server. I also used the CIS Controls Benchmarks for Juniper, which actually recommended removing "password" from the "system authentication-order" hierarchy altogether, as Juniper will prompt first for a password and then for a local password for the account in question. This was able to authenticate me and I was able to get into the router without AAA. Thanks for your feedback!

    ------------------------------
    Thomas Anderson
    ------------------------------



  • 4.  RE: Device Hardening, non-RADIUS logins/local

    Posted 05-06-2021 14:41
    Yes, I like to have a local account as a backup for loss of communications with central auth systems.

    I don't like a forced password change frequency but rather the newer recommendation of changing when events indicate a possible compromise. Examples:
    • Someone who knows the password leaves the company
    • Indications of unauthorized access to a device with the password
    • Indications of unauthorized access to device backups
    More on the NIST password change recommendations, in overview:
    https://www.infosecurity-magazine.com/blogs/nist-password-guidelines/
    Full document:
    https://pages.nist.gov/800-63-3/sp800-63b.html

    To ensure the local account is only used when RADIUS is down you would configure:
    • the order to be RADIUS then local
    • the SAME local account in RADIUS (could be a different password)
    This will ensure the local account is only checked when RADIUS is unreachable. If RADIUS is reachable and has no such user, it moves on to the next authentication method and checks it, so users could log in locally even with RADIUS up.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------
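The two configurations discussed in this thread, `system authentication-order [ radius password ]` versus `system authentication-order radius` with `password` removed (the CIS 6.3.2 approach from posts 3 and 5), differ only in when the local password database is consulted. The following Python model is an added illustration and is not Juniper code, nor code posted by anyone in this thread; it does not talk to a device. It encodes the behaviour the posts describe as assumptions: methods listed in the order are tried in sequence, a reject from a reachable server moves on to the next listed method, and when `password` is absent from the order the local database is checked only if no listed remote method responded (the "Local Password:" prompt seen in post 5). All usernames, passwords and server states are constructed sample data, and the function names `authenticate` and `scenarios` are this example's own.

```python
"""Model of Junos `system authentication-order` fallthrough (added example).

Assumed semantics, not verified against any particular Junos release:
  * listed methods are tried in sequence; a reject from a reachable RADIUS
    server moves on to the next listed method;
  * when `password` is NOT listed, local credentials are consulted only if
    every listed remote method was unreachable (implicit fallback).
All users, passwords and server states below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass
class RadiusServer:
    reachable: bool
    users: dict            # username -> password known to RADIUS (constructed)


@dataclass
class Device:
    authentication_order: list   # e.g. ["radius", "password"] or ["radius"]
    radius: RadiusServer
    local_users: dict            # username -> password under [system login]


def _radius(dev, user, pw):
    """Simulated RADIUS exchange: unreachable, accept, or reject."""
    if not dev.radius.reachable:
        return "unreachable"
    return "accept" if dev.radius.users.get(user) == pw else "reject"


def _local(dev, user, pw):
    """Simulated lookup in the device's local password database."""
    return "accept" if dev.local_users.get(user) == pw else "reject"


def authenticate(dev, user, pw):
    """Return the method that accepted the login, or None if it was rejected."""
    remote_answered = False
    for method in dev.authentication_order:
        if method == "radius":
            result = _radius(dev, user, pw)
            if result != "unreachable":
                remote_answered = True
            if result == "accept":
                return "radius"
            # reject or unreachable: fall through to the next listed method
        elif method == "password":
            if _local(dev, user, pw) == "accept":
                return "password"
    # Implicit fallback when `password` is not listed: local credentials are
    # checked only if every listed remote method failed to respond.
    if "password" not in dev.authentication_order and not remote_answered:
        if _local(dev, user, pw) == "accept":
            return "local-fallback"
    return None


def scenarios():
    """Run the thread's cases; returns {case name: accepting method or None}."""
    radius_up = RadiusServer(True, {"netadmin": "radius-pw"})
    radius_down = RadiusServer(False, {"netadmin": "radius-pw"})
    local = {"breakglass": "local-pw"}       # backup account, local only
    weak = ["radius", "password"]            # local usable whenever RADIUS says no
    cis = ["radius"]                         # `password` removed from the order
    return {
        "weak/radius up/local-only user":
            authenticate(Device(weak, radius_up, local), "breakglass", "local-pw"),
        "cis/radius up/local-only user":
            authenticate(Device(cis, radius_up, local), "breakglass", "local-pw"),
        "cis/radius down/local-only user":
            authenticate(Device(cis, radius_down, local), "breakglass", "local-pw"),
        "cis/radius up/radius user":
            authenticate(Device(cis, radius_up, local), "netadmin", "radius-pw"),
        "cis/radius down/wrong local pw":
            authenticate(Device(cis, radius_down, local), "breakglass", "guess"),
    }


if __name__ == "__main__":
    for name, method in scenarios().items():
        print(f"{name:36s} -> {method}")
```

The first two cases are the point of the thread: with `password` in the order, a local-only account is accepted while RADIUS is up and simply does not know the user; with `password` removed, the same attempt is rejected, and the local account only works once RADIUS stops responding. Treat the model as a way to reason about the configuration, and confirm the actual behaviour on a lab device before relying on it.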



  • 5.  RE: Device Hardening, non-RADIUS logins/local

    Posted 05-06-2021 15:07
    Thanks for the recommendation Steve. I went ahead and implemented a local user account as a backup option and then removed the local option from password authentication.  This caused what looked like a failed login but when there was no access to radius it then produced a "Local Password:" prompt. I'm going off of the CIS Controls recommendation, Juniper CIS Benchmark 6.3.2. Going to implement the NIST standard for password changes. 


    ------------------------------
    Thomas Anderson
    ------------------------------