Security Considerations for the Juniper SSG-140
I recently added SNMP to my PRTG monitoring software, primarily for my Juniper SSG-140 firewalls. The custom MIB provided by PRTG is not very helpful, but they do have a beta sensor that is designed just for Juniper equipment that gives some excellent information about the hardware health and traffic. While looking so closely at this particular device I noticed some security concerns.
The PRTG sensor identified 2 security problems – the first being the use of sslv3, which can allow an attacker to extract secret information from inside of an encrypted transaction. SSLv3 is an old version of the security system that underlies secure Web transactions and is known as the “Secure Sockets Layer” (SSL) or “Transport Layer Security” (TLS).
SSL is only being used for the web management interface on the firewall, but it is used quite frequently and once signed in to the interface one has the ability to do a lot of damage to the system. So we need to disable it. Turns out it is fairly simple, though it does need to be done on the command line, preferably via ssh.
Starting with ScreenOS 6.3.0r19, SSLv3 can be manually disabled via the ‘unset ssl ssl3’ CLI command.
The next concern is the expired, 1024-bit, self-signed certificate. Now, we can use a self-signed certificate because the interface is only used internally on our network – in fact the SSG-140 generates the certificate at initial configuration and it works well. The problem is that it is 1024-bit. As computing power increases, any certificate with a key shorter than 2048 bits is at risk of being compromised by attackers with readily available processing capability. The cybersecurity industry is moving to adoption of SSL certificates employing at least 2048-bit keys to help preserve internet security.
As a result, these bodies have mandated that all CAs stop issuing 1024-bit certificates and revoke any certificates with key lengths below 2048-bit after Dec. 31, 2013. So – we are way behind in this and need to address it right away. (Please bear in mind I inherited this firewall this year after nearly 8 years of neglect by my company’s IT department).
Regenerating the self-signed certificate usually involves resetting the firewall to factory and reloading the configuration, but since this is a production device we do not have the luxury of taking an outage. It can be done though:
HOW TO manually generate a new system self-signed certificate to replace the expired system self-signed certificate without resetting the firewall
Next is the encryption level. Here is the message from PRTG:
We don’t have a lot of choices and the ssg-140 is nearing end of life – it may not get an update that brings it to SHA-2 level, but we can at least go to 3DES-SHA-1 that puts us at 160 bit encryption.
Finally – we run through the Juniper Best Practices and see if we have everything else locked down.
Change the default username and password.
    set admin name <name>
    set admin name a$df@d
    set admin password <plain-text password>
    set admin password abcdefgh123
Disable root user login except by direct console.
- This limits the root user to only be able to log in via the console port of the device. All other users can log in to configured services.
    set admin root access console
- This limits the IP addresses that are allowed to manage the device. All other management requests are silently dropped.
    set admin manager-ip <ip> <mask>
    set admin manager-ip 10.1.1.30 255.255.255.255
- Per interface.
- This allows management requests to an IP address that is different from the physical IP.
    set interface <interface> manage-ip <ip>
    set interface ethernet0/0 manage-ip 10.1.1.5
Disable the physical interface management.
- Per interface.
- This allows management requests to be accepted only when they are sent to the manage-ip (see above).
    unset interface <interface> manageable
    unset interface ethernet0/0 manageable
Disable unused services.
- Per interface.
- This permits only the defined services to respond on the interface. Services: ident-reset, mtrace, ping, snmp, ssh, ssl, telnet, web.
- Recommendation: Permit secure protocols only on management/trusted interfaces (ssl, ssh).
    unset interface <interface> manage
    set interface <interface> manage <service>
    unset interface ethernet0/0 manage
    set interface ethernet0/0 manage ssh
Change default management port numbers.
    set admin ssh port <1024-32767>
    set admin ssh port 1024
    set admin port <1024-32767>
    set admin port 1025
    set ssl port <1024-32767>
    set ssl port 1026
    set admin telnet port <1024-32767>
    set admin telnet port 1027
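As an added example (my own audit script, not anything from Juniper or PRTG), here is a small Python check that reads a ScreenOS configuration dump in the set/unset command form shown above and reports which of the hardening steps have not been applied. It assumes the factory admin account is named netscreen, and the sample config embedded in it is constructed rather than taken from a real device.

```python
import re

# Constructed sample of a partially hardened SSG-140 config, written in the
# set/unset command form used above; it is not taken from a real device.
SAMPLE_CONFIG = """\
set admin name "netscreen"
set admin manager-ip 10.1.1.30 255.255.255.255
set admin ssh port 1024
set interface ethernet0/0 manage-ip 10.1.1.5
set interface ethernet0/0 manage ssh
set interface ethernet0/0 manage web
set interface ethernet0/1 manage telnet
unset interface ethernet0/0 manageable
"""

SECURE_MGMT = {"ssh", "ssl"}  # services the best practices allow on trusted interfaces
PORT_CMDS = {                 # commands that move management off the default ports
    "set admin ssh port": "ssh",
    "set admin port": "web (http)",
    "set ssl port": "ssl (https)",
    "set admin telnet port": "telnet",
}
MANAGE_RE = re.compile(r"^set interface (\S+) manage (\S+)$")

def audit_screenos(config: str) -> list:
    """Return a sorted list of hardening gaps found in a ScreenOS config dump."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []
    if "unset ssl ssl3" not in lines:
        findings.append("sslv3: still enabled (no 'unset ssl ssl3')")
    if 'set admin name "netscreen"' in lines:  # assumed factory account name
        findings.append("admin: default 'netscreen' account name still in use")
    if "set admin root access console" not in lines:
        findings.append("admin: root login not restricted to the console port")
    if not any(ln.startswith("set admin manager-ip ") for ln in lines):
        findings.append("admin: no manager-ip restriction configured")
    for cmd, name in PORT_CMDS.items():
        if not any(ln.startswith(cmd + " ") for ln in lines):
            findings.append(f"ports: {name} management still on its default port")
    with_manage_ip = {ln.split()[2] for ln in lines if " manage-ip " in ln}  # per interface
    unmanageable = {ln.split()[2] for ln in lines
                    if ln.startswith("unset interface ") and ln.endswith(" manageable")}
    for iface in sorted(with_manage_ip - unmanageable):  # manage-ip set but physical IP open
        findings.append(f"{iface}: physical interface IP still manageable alongside manage-ip")
    for ln in lines:
        m = MANAGE_RE.match(ln)
        if m and m.group(2) not in SECURE_MGMT:
            findings.append(f"{m.group(1)}: insecure management service '{m.group(2)}' enabled")
    return sorted(findings)
```

Running audit_screenos on the sample config reports eight gaps (SSLv3, the netscreen account, root not console-only, three default ports, and the web and telnet management services); feeding it a dump that applies every step above returns an empty list.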