Security Considerations for the Juniper SSG-140

I recently added SNMP to my PRTG monitoring software, primarily for my Juniper SSG-140 firewalls. The custom MIB provided by PRTG is not very helpful, but they do have a beta sensor that is designed just for Juniper equipment that gives some excellent information about the hardware health and traffic. While looking so closely at this particular device I noticed some security concerns.


The PRTG sensor identified two security problems. The first is that the device still accepts SSLv3, an obsolete version of the protocol that secures web traffic (the "Secure Sockets Layer", since replaced by TLS). With SSLv3 enabled, an attacker who can sit on the path and force a protocol downgrade can recover secret data from inside an encrypted session (the POODLE attack, CVE-2014-3566).

On the firewall, SSL/TLS protects only the web management interface, but that interface is used constantly, and anyone who signs in to it can do a great deal of damage. So SSLv3 needs to be disabled. Turns out it is fairly simple, though it does need to be done on the command line, preferably over SSH.

ScreenOS:

Starting with ScreenOS 6.3.0r19, SSLv3 can be manually disabled via the 'unset ssl ssl3' CLI command. Check the running release with 'get system' first; on an older release the command is not available and an upgrade comes before anything else. After the change, confirm from a management host that an SSLv3 handshake is now refused before moving on.

The next concern is the expired, 1024-bit, self-signed certificate. A self-signed certificate is acceptable here because the interface is only reachable from inside our network; in fact the SSG-140 generates one at initial configuration and it works well. The problem is the key size. As computing power has grown, a 1024-bit RSA key has come within reach of a well-resourced attacker using readily available processing capacity, and the industry moved to a minimum of 2048-bit RSA keys for SSL certificates some years ago.

As a result, the industry bodies behind that move (the CA/Browser Forum, following NIST guidance) required all public CAs to stop issuing 1024-bit certificates and to revoke any with keys shorter than 2048 bits after Dec. 31, 2013. So we are way behind on this and need to address it right away. (Please bear in mind I inherited this firewall this year after nearly 8 years of neglect by my company's IT department.)


Regenerating the self-signed certificate usually involves resetting the firewall to factory defaults and reloading the configuration, but this is a production device and we do not have the luxury of an outage. It can be done without a reset, though; once the new certificate is in place, verify its key size and expiry from a management host rather than trusting the GUI:

HOW TO manually generate a new system self-signed certificate to replace the expired system self-signed certificate without resetting the firewall

https://kb.juniper.net/InfoCenter/index?page=content&id=KB16739&actp=search#UwHDXa4pQyZadtQo.97


Next is the encryption level, meaning the cipher suite the management interface negotiates. PRTG flagged this in the same sensor output (the screenshot is not reproduced here).

We don't have a lot of choices here. The SSG-140 is nearing end of life and may never get an update that adds SHA-2 cipher suites, but we can at least move to 3DES with SHA-1 (DES-CBC3-SHA). Be clear about what that buys: 3DES uses a 168-bit key with roughly 112-bit effective strength, and the 160-bit figure is the length of the SHA-1 digest, not the strength of the encryption. It is a stopgap that keeps the weakest options off the table, and one more reason to plan the replacement of this hardware.
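The three items above (SSLv3, the certificate, the cipher) can all be verified from a management workstation with the openssl command-line tool. The following Python script is an added example written for this post; it is not code from the original post and not a Juniper tool. The parsing functions are pure and are exercised here on constructed openssl output, not on output captured from a real SSG-140. The live check assumes the firewall's manage-ip is reachable on the HTTPS port and that your openssl build still accepts the -ssl3 option, which many current builds do not; that case is reported as inconclusive rather than as a pass.

```python
"""Check a ScreenOS management HTTPS endpoint from the outside with openssl(1).

Added example for this post; the sample outputs below are constructed, not
captured from a real SSG-140.
"""
import re
import subprocess
from datetime import datetime, timezone

# Constructed 'openssl s_client -ssl3' output for a server that still allows SSLv3.
SAMPLE_S_CLIENT_SSLV3 = """\
CONNECTED(00000003)
---
New, SSLv3, Cipher is DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DES-CBC3-SHA
"""

# Constructed 'openssl x509 -noout -text' output for an old self-signed device cert.
SAMPLE_X509_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Validity
            Not Before: Jan  1 00:00:00 2008 GMT
            Not After : Jan  1 00:00:00 2013 GMT
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
"""


def sslv3_negotiated(s_client_output):
    """True if s_client reports an SSLv3 session, i.e. 'unset ssl ssl3' did not take."""
    return re.search(r"^\s*Protocol\s*:\s*SSLv3\s*$", s_client_output, re.M) is not None


def parse_x509_text(x509_text):
    """Pull key size, signature algorithm and expiry out of 'openssl x509 -text' output."""
    bits = re.search(r"Public-Key:\s*\((\d+) bit\)", x509_text)
    sig = re.search(r"Signature Algorithm:\s*(\S+)", x509_text)
    not_after = re.search(r"Not After\s*:\s*(.+?)\s*$", x509_text, re.M)
    return {
        "key_bits": int(bits.group(1)) if bits else None,
        "sig_alg": sig.group(1) if sig else None,
        "not_after": not_after.group(1) if not_after else None,
    }


def cert_findings(info, now=None):
    """Findings for a parsed certificate; 'now' is an ISO date (UTC) for reproducible runs."""
    now = datetime.now(timezone.utc).replace(tzinfo=None) if now is None else datetime.fromisoformat(now)
    findings = []
    if info["key_bits"] is not None and info["key_bits"] < 2048:
        findings.append(f"key is {info['key_bits']} bits; 2048 is the floor")
    if info["sig_alg"] and "sha1" in info["sig_alg"].lower():
        findings.append(f"signed with {info['sig_alg']}; SHA-1 signatures are deprecated")
    if info["not_after"]:
        expires = datetime.strptime(info["not_after"], "%b %d %H:%M:%S %Y %Z")
        if expires < now:
            findings.append(f"certificate expired on {info['not_after']}")
    return findings


def _openssl(args, stdin=""):
    """Run openssl and return stdout+stderr as text (s_client writes to both)."""
    p = subprocess.run(["openssl", *args], input=stdin, capture_output=True, text=True)
    return p.stdout + p.stderr


def check_endpoint(host, port=443):
    """Live check against the firewall's manage-ip; needs network access and openssl(1)."""
    target = f"{host}:{port}"
    out = _openssl(["s_client", "-connect", target, "-ssl3"])
    # Builds with SSLv3 compiled out reject the option; the test then proves nothing.
    sslv3 = None if "unknown option" in out.lower() else sslv3_negotiated(out)
    pem = _openssl(["s_client", "-connect", target, "-showcerts"])
    info = parse_x509_text(_openssl(["x509", "-noout", "-text"], stdin=pem))
    return {"sslv3_accepted": sslv3, "cert": info, "findings": cert_findings(info)}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(check_endpoint(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
    else:  # offline demonstration on the constructed samples
        print("SSLv3 negotiated:", sslv3_negotiated(SAMPLE_S_CLIENT_SSLV3))
        for f in cert_findings(parse_x509_text(SAMPLE_X509_TEXT), now="2016-04-23"):
            print("-", f)
```

Run it with the firewall's manage-ip (and the HTTPS port, if you moved it off 443) to get the live result; with no arguments it runs the parsers over the constructed samples. A result of None for sslv3_accepted means your openssl could not speak SSLv3 at all, so test from a host whose build still can, or accept that the CLI change is the only evidence you have.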


Finally, we run through Juniper's ScreenOS best practices and check that everything else is locked down. Several of the items below can lock you out if applied in the wrong order, so keep a console session or a second SSH session open and test each change before closing the one you are working in.

Change the default username and password (the factory account is netscreen/netscreen).

  • Username

Command:

set admin name <name>

Example:

set admin name a$df@d

  • Password

Command:

set admin password <plain-text password>

Example:

set admin password abcdefgh123

Disable root user login except by direct console

  • Device-wide
  • This restricts the root user to the console port of the device; other admin users can still log in over the configured management services. Make sure console access actually works before applying it.

Command:

set admin root access console

Enable manager-ip.

  • Device-wide.
  • This limits the IP addresses that are allowed to manage the device. All other management requests are silently dropped. Add the host you are configuring from first, otherwise your own session is the first thing dropped; repeat the command for each additional management host.

Command:

set admin manager-ip <ip> <mask>

Example:

set admin manager-ip 10.1.1.30 255.255.255.255

Enable manage-ip.

  • Per interface.
  • This answers management requests on an address separate from the interface's physical IP, so that the physical address can then be closed to management (next step).

Command:

set interface <interface> manage-ip <ip>

Example:

set interface ethernet0/0 manage-ip 10.1.1.5


Disable the physical interface management.

  • Per interface.
  • This allows managements to be accepted only for requests that are sent to the manage-ip (see above).

Command:

unset interface <interface> manageable

Example:

unset interface ethernet0/0 manageable


Disable unused services.

  • Per interface.
  • This permits only the listed services to respond on the interface. Services: ident-reset, mtrace, ping, snmp, ssh, ssl, telnet, web.
  • Recommendation: permit only the secure protocols (ssh, ssl), and only on management/trusted interfaces; leave telnet and web off everywhere, since both carry the admin credentials in clear text.

Command:

unset interface <interface> manage
set interface <interface> manage <service>

Example:

unset interface ethernet0/0 manage
set interface ethernet0/0 manage ssh


Change default management port numbers.

  • Device-wide.
  • Moving the ports off the defaults only cuts the noise from scanners; it is not a substitute for manager-ip and for disabling telnet and HTTP entirely (above).
  • SSH:

Command:

set admin ssh port <1024-32767>

Example:

set admin ssh port 1024

  • HTTP:

Command:

set admin port <1024-32767>

Example:

set admin port 1025

  • HTTPS:

Command:

set ssl port <1024-32767>

Example:

set ssl port 1026

  • Telnet:

Command:

set admin telnet port <1024-32767>

Example:

set admin telnet port 1027

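To see at a glance which of the items above are still open on a given firewall, here is a Python script that reads a saved ScreenOS configuration (the output of 'get config') and reports the gaps. It is an added example written for this post, not code from the original post and not a Juniper tool. Both configuration dumps inside it are constructed samples written in the command syntax shown above, not real device output, and the checks assume that each command is preserved verbatim in the saved config (that 'unset ssl ssl3' appears that way is my assumption) and that the factory admin account is named netscreen.

```python
"""Audit a saved ScreenOS configuration against the hardening checklist above.

Added example for this post.  Both config dumps are constructed samples in the
command syntax used above, not captured from a real SSG-140.
"""
import re
from collections import defaultdict

# Constructed 'get config' dump before hardening.
WEAK_CONFIG = """\
set admin name "netscreen"
set admin port 80
set interface ethernet0/0 ip 10.1.1.1/24
set interface ethernet0/0 manage ping
set interface ethernet0/0 manage ssh
set interface ethernet0/0 manage telnet
set interface ethernet0/0 manage web
set interface ethernet0/0 manage ssl
set interface ethernet0/2 ip 203.0.113.1/24
set interface ethernet0/2 manage web
"""

# The same dump after the checklist has been applied (also constructed).
HARDENED_CONFIG = """\
set admin name "fwadmin"
set admin root access console
set admin manager-ip 10.1.1.30 255.255.255.255
set admin ssh port 1024
set admin port 1025
set ssl port 1026
unset ssl ssl3
set interface ethernet0/0 ip 10.1.1.1/24
set interface ethernet0/0 manage-ip 10.1.1.5
unset interface ethernet0/0 manageable
set interface ethernet0/0 manage ssh
set interface ethernet0/0 manage ssl
set interface ethernet0/2 ip 203.0.113.1/24
"""

# ScreenOS defaults for the four management listeners the checklist moves.
DEFAULT_PORTS = {"ssh": 22, "web": 80, "ssl": 443, "telnet": 23}
PLAINTEXT_SERVICES = {"telnet", "web"}

# 'port' lines, keyed by the service name used in 'set interface ... manage <svc>'.
PORT_RES = {
    "ssh": re.compile(r"^set admin ssh port (\d+)$"),
    "telnet": re.compile(r"^set admin telnet port (\d+)$"),
    "web": re.compile(r"^set admin port (\d+)$"),   # HTTP management
    "ssl": re.compile(r"^set ssl port (\d+)$"),     # HTTPS management
}
MANAGE_RE = re.compile(r"^set interface (\S+) manage (\S+)$")
MANAGE_IP_RE = re.compile(r"^set interface (\S+) manage-ip \S+$")
ADMIN_NAME_RE = re.compile(r'^set admin name "?([^"\s]+)"?$')


def audit(config_text):
    """Return a list of findings (empty when every checklist item is satisfied)."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    findings = []
    services = defaultdict(set)   # interface -> management services enabled on it
    manage_ip = set()             # interfaces that have a dedicated manage-ip
    ports = dict(DEFAULT_PORTS)   # overridden only where a 'port' line is present
    admin_name = "netscreen"      # factory default, assumed when no 'set admin name'

    for line in lines:
        if (m := MANAGE_RE.match(line)):
            services[m.group(1)].add(m.group(2))
        elif (m := MANAGE_IP_RE.match(line)):
            manage_ip.add(m.group(1))
        elif (m := ADMIN_NAME_RE.match(line)):
            admin_name = m.group(1)
        else:
            for svc, pat in PORT_RES.items():
                if (m := pat.match(line)):
                    ports[svc] = int(m.group(1))

    if admin_name == "netscreen":
        findings.append("admin: default account name 'netscreen' still in use")
    if "set admin root access console" not in lines:
        findings.append("admin: root login not restricted to the console port")
    if not any(l.startswith("set admin manager-ip ") for l in lines):
        findings.append("admin: no manager-ip, management accepted from any source")
    # Assumption: a device that has had 'unset ssl ssl3' applied keeps that line in the saved config.
    if "unset ssl ssl3" not in lines:
        findings.append("ssl: SSLv3 still enabled ('unset ssl ssl3' missing)")

    enabled = set()
    for iface, svcs in sorted(services.items()):
        enabled |= svcs
        for svc in sorted(svcs & PLAINTEXT_SERVICES):
            findings.append(f"{iface}: plaintext management service '{svc}' enabled")
        if iface not in manage_ip:
            findings.append(f"{iface}: no manage-ip, management answered on the physical address")
    # Default ports matter only for listeners that are actually enabled somewhere.
    for svc in sorted(enabled & set(DEFAULT_PORTS)):
        if ports[svc] == DEFAULT_PORTS[svc]:
            findings.append(f"{svc}: still on default port {ports[svc]}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", WEAK_CONFIG), ("after", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for finding in audit(cfg) or ["no findings"]:
            print("  " + finding)
```

Feed it the text of 'get config' saved from an SSH session; the "before" sample produces findings for every item in the checklist, and the "after" sample produces none. The script reads the configuration only, so it says nothing about the certificate or the negotiated cipher; those need the external check against the live interface.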

I just got the below from Amazon. Changed all my major passwords – especially financials. I have been using LastPass password manager for the last month or so – has its quirks, but allows me to use and store passwords up to 64 characters. Please use strong passwords.
security-update@amazon.com
To bosteter@yahoo.com Apr 23 at 2:42 PM
Hello,
At Amazon we take your security and privacy very seriously. As part of our routine monitoring, we discovered a list of email addresses and passwords posted online. While the list was not Amazon-related, we know that many customers reuse their passwords on multiple websites. Since we believe your email addresses and passwords were on the list, we have assigned a temporary password to your Amazon.com account out of an abundance of caution. http://ow.ly/4n26ZU

While I am at it – here is another utility I will never be without again. I build entire pages of technical documentation using this. I can copy multiple things to the clipboard and dump them back out onto Word doc or any app – keeps a list of ALL of my clips that is reusable. Do remember to clear it if you clip confidential things – like passwords, etc. http://ow.ly/10pnme