Junos OS


Device Hardening, non-RADIUS logins/local

  • 1.  Device Hardening, non-RADIUS logins/local

    Posted 04-21-2021 14:50
    I'm going through the process of hardening the configurations for all of my SRX firewalls. I have enabled RADIUS authentication with two-factor, so we're tracking and authenticating before making any changes. I'm disabling remote root login for my devices, but that just brings me to some questions: Do you have local user accounts that are enabled in the event that you lose communication with your RADIUS servers, and if so, do you have a password update frequency? Part of my hardening is to prevent local account authorization unless RADIUS is down; is that secure enough to allow the use of local logins?

    ------------------------------
    Thomas Anderson
    ------------------------------


  • 2.  RE: Device Hardening, non-RADIUS logins/local

    Posted 04-22-2021 05:39
    Yes, I like to have a local account as a backup for loss of communications with central auth systems.

    I don't like forced password change frequency but rather the newer recommendation of change when events indicate a possible compromise.  Examples:
    • Someone who knows the password leaves the company
    • Indications of unauthorized access to a device with the password
    • Indications of unauthorized access to device backups
    More on the NIST password change recommendations:
    Overview: https://www.infosecurity-magazine.com/blogs/nist-password-guidelines/
    Full document: https://pages.nist.gov/800-63-3/sp800-63b.html

    To ensure the local account is only used when RADIUS is down, you would configure:
    • order to be RADIUS then local
    • Create the SAME local account in RADIUS (could be a different password)
    This will ensure the local account is only checked when RADIUS is unreachable.  If RADIUS is reachable and has no such user, it moves on to the next authentication method and checks there, so users could log in locally even with RADIUS up.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------
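    The configuration the reply above describes, written out as set-style Junos commands. This is an added example for readers, not configuration posted by either participant or taken from Juniper documentation. The server address 192.0.2.10, the source address 192.0.2.1, the user name emergency-admin, the uid and the shared-secret placeholder are all assumptions; the `#` lines are explanatory and should be dropped when pasting into the CLI.

```junos
# Assumed example: RADIUS first, local password second (the reply's "RADIUS then local").
set system authentication-order [ radius password ]

# Assumed RADIUS server; replace the secret placeholder with your own shared secret.
# Short timeout and bounded retries so a dead server fails over to local quickly.
set system radius-server 192.0.2.10 secret "<SHARED-SECRET-PLACEHOLDER>"
set system radius-server 192.0.2.10 timeout 5
set system radius-server 192.0.2.10 retry 3
set system radius-server 192.0.2.10 source-address 192.0.2.1

# Assumed local break-glass account. Per the reply, create a user with the
# SAME name on the RADIUS server so RADIUS never answers "no such user" and
# the local password is only reached when RADIUS is unreachable.
set system login user emergency-admin uid 2001
set system login user emergency-admin class super-user
set system login user emergency-admin authentication plain-text-password

# Remote root login disabled, as the original poster is doing.
set system services ssh root-login deny
```

    Two points worth checking on your own box. First, `plain-text-password` prompts interactively and stores a hash; if you prefer `encrypted-password`, generate the hash out of band. Second, Junos also lets you omit `password` from `authentication-order` entirely; in that configuration, as I understand the documented behaviour, the local password is consulted only when no RADIUS server responds, so a RADIUS reject (including an unknown user) will not fall through to the local account, which is the stricter way to get the "local only when RADIUS is down" property the thread asks about. Verify both behaviours with `show system login lockout` and an actual failed login against a stopped RADIUS service before relying on them.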