Ensure Authentication is configured for Diagnostic Ports

Details

An encrypted password should be set for access to the router's diagnostic ports.

Rationale:

Most high-end Juniper network devices contain Diagnostic Ports on one or more of the control boards installed in the system, such as the FEB (Forwarding Engine Board) in M5 or M10 routers or the SSB (System Switching Board) in M20 routers. These ports give access to a range of diagnostic functions, and they could provide an attacker with physical access to the system a route to bypass other controls and compromise the router.

Because of this risk, it is possible to set a password for all Diagnostic Ports installed in the system. As with other similar items, the password is stored by JUNOS as a hash (in this case MD5) in the configuration file. Please note that only local authentication is supported for the Diagnostic Ports, which are intended for limited use only, often when the device is experiencing a serious outage during which external AAA services may be unavailable.

Should a system not contain any diagnostic ports, this item of configuration is ignored by the device.

Solution

Configure a password for the diagnostic ports using one of the following commands under the [edit system] hierarchy. To enter a new password in plain text:

[edit system]
user@host# set diag-port-authentication plain-text-password

You will be prompted to enter the new password, which JUNOS will then hash with MD5 before placing the command in the candidate configuration. To enter an existing password hash that you have taken from an existing configuration file, type the following:

[edit system]
user@host# set diag-port-authentication encrypted-password "
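The following audit helper is an added example, not part of the CIS benchmark or of Junos itself. It reads a saved configuration in either the curly-brace form that "show configuration" prints or the "display set" form, and reports whether diag-port-authentication carries an encrypted-password under [edit system]. The configuration snippets and the hash values in them are constructed for the example; the stanza layout follows the usual Junos conventions and is an assumption.

```python
import re

# Constructed sample: curly-brace style, as printed by "show configuration".
CONF_WITH_DIAG = """\
system {
    host-name router1;
    diag-port-authentication {
        encrypted-password "$1$EXAMPLEhashPLACEHOLDER"; ## SECRET-DATA
    }
}
"""

# Constructed sample: the same device without the control applied.
CONF_WITHOUT_DIAG = """\
system {
    host-name router1;
}
"""

# Constructed sample: "show configuration | display set" style.
CONF_SET_STYLE = (
    "set system host-name router1\n"
    'set system diag-port-authentication encrypted-password "$1$EXAMPLEhash"\n'
)

# "display set" form: one line per statement.
_SET_RE = re.compile(
    r'^\s*set\s+system\s+diag-port-authentication\s+encrypted-password\s+"?([^"\s]+)',
    re.MULTILINE,
)
# Curly-brace form: the stanza body, then the encrypted-password inside it.
_STANZA_RE = re.compile(r"diag-port-authentication\s*\{(.*?)\}", re.DOTALL)
_ENC_RE = re.compile(r'encrypted-password\s+"?([^";\s]+)')


def find_diag_port_hash(config_text):
    """Return the stored encrypted-password hash, or None if the control is absent."""
    m = _SET_RE.search(config_text)
    if m:
        return m.group(1)
    stanza = _STANZA_RE.search(config_text)
    if stanza:
        enc = _ENC_RE.search(stanza.group(1))
        if enc:
            return enc.group(1)
    return None


def diag_port_auth_configured(config_text):
    """True when an encrypted-password for the diagnostic ports is present.
    Junos stores the value as a crypt-style hash, so a '$' prefix is expected."""
    h = find_diag_port_hash(config_text)
    return h is not None and h.startswith("$")
```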

Default Value:

By default, no password is configured for the diagnostic ports.

Supportive Information


This security hardening control applies to the following category of controls within NIST 800-53: Identification and Authentication. This control applies to the following type of system: Juniper.

Updated on July 16, 2022