Details

Configuration archival should use only secure transport over SCP.

Rationale:

Archiving the configuration to an external server creates a history of changes allowing an effective ‘post mortem’ to be carried out following any breach and aiding recovery to security and other incidents.

The archive can also be used to alert administrators of unauthorized changes and identify what was changed by utilizing hashes or diff in scripts or systems like Tripwire.

At least one Secure Copy (SCP) Archive Site should be configured on the router. No other transport methods should be used.

Solution

To enable a Secure Copy Archival Site on commit issue the following commands from the [edit system] hierarchy;

[edit system]
[email protected]#set archival configuration archive-site password

Default Value:

Archival is not configured by default

Supportive Information

The following resource is also helpful.

• https://workbench.cisecurity.org/files/3069

This security hardening control applies to the following category of controls within NIST 800-53: Contingency Planning.This control applies to the following type of system Juniper.

References

• 800-53|CP-9
• CSCv7|10.1
• CSCv7|10.4

Source

• Tenable.com/audits