In the last few years, routers have increasingly become targets of malicious hackers attempting to launch distributed denial-of-service ( DDoS) and other attacks across the Internet. Having control of a router, especially one with high-speed links, provides an even greater opportunity for mischief than just controlling PCs. A hacker in control of your router can reconfigure the system and take over your entire autonomous system (AS). Hackers are often able to log in to and take over routers simply because of negligence on the part of a router administrator who doesn't implement basic security precautions, such as setting a password for the root account, or who uses a password that can easily be discovered, such as juniper, cisco, root, or admin. Given the increasing number of malicious attacks occurring on the Internet, it is vital for you to secure your router.
This chapter talks about how to configure router access, including setting up login accounts, and other basic security measures you should take to control access to the router and to protect your router from undesired access.
There is nothing complicated about what you need to do to protect your router. Basic router security consists of three components. Two of theselimiting physical access to your router and configuring the JUNOS software to minimize the vulnerability of your routerare under your control. Properly configuring the router to be as secure as possible, while at the same time ensuring that you don't misconfigure the router to increase its vulnerability to attack, is often called hardening the configuration. The third component of security is some of the default behaviors of the JUNOS software that help protect the router.
To limit physical access to your router, we strongly recommend keeping your router in an area that has restricted access, such as a room that is locked or has badge access, and then limiting the number of people who have access to that area. Anyone who can physically get to a router can do a lot of damage, from removing hardware or cables from the router to connecting a PC to the router's console port, which lets them gain access to the router as root and gives full access to and control of the router's configuration and files. You should also never leave a modem connected to the router's console port to ensure that no one can gain access this way.
In the basic router configuration that you set up (described in Recipe 1.1), the following default software behaviors are in place to protect the security of your router:
A key to router security is controlling who can log in to the router and what they can do once they are logged in. For each user who is allowed to work on the router, you should create a login account that defines the user's login name and password and the class of operations that they can perform on the router.
Strategies for Choosing Passwords
Passwords for the root account and for user accounts are often the weakest links in router security. For root and for any user who can log in to the router, you should always set a password, and the password you choose should be a strong password, one that is hard to crack, not a weak one. You want to make it impossible for a person with malicious intentions to gain login access to your router, especially as root or any user who has root permission or who has permission to modify the router's configuration or any files on the router, or to shut down or reboot the router.
All JUNOS passwords are encrypted, but this means only that the password stored on the router or in a configuration file is stored in an encrypted form. Someone reading the configuration on the router won't be able to see the plain-text password, and if you copy the file over the network and someone sniffs the session, they won't see the passwords in the file. Even though the passwords are encrypted in the configuration, you should take care not to let them circulate. It's still possible to use programs such as crack to guess clear-text passwords, encrypt them, and compare them to a list of encrypted strings (although this is not the case with, for example, SSH public keys). For this reason, you always need to use strong passwords and prevent even encrypted versions of your passwords from falling into the wrong hands.
To understand what a strong password is, we should look first at what constitutes a weak password. It should go without saying, but bears repeating anyway, that the weakest password is no password at all. A number of groups that monitor network security still find routers that have no passwords set on them. Other weak passwords are those that are easy to guess and include common words such as the name of your router vendor (such as juniper), the string admin, using the username as the password (for example, username root, password root, or admin/admin), and using the string password or Password. Other guessable passwords are words or strings like your birthday, spouse's name, or the name of any person. Weak passwords are also those that are vulnerable to brute-force attacks, in which an automated program tries a large number of possible passwords, and to dictionary attacks, which are automated programs that try all words in a dictionary in an attempt to crack an account's password. Keep in mind that dictionaries for all languages are now available on the Internet, as are dictionaries specific to technical and other fields, so all words that might be present in them are weak passwords, even derivations that substitute numbers for letters.
A strong password is everything a weak password is not, and then some. It should include numbers, symbols, and a mix of uppercase and lowercase characters. Other suggestions are to pick a couple of letters from a phrase you know well or to pick some unrelated words and connect them into a single string with punctuation marks or other symbols. Remember that a strong password is a good password only if you can remember it without writing it down.
Each user must have a login account and password to be able to log in to the router. The JUNOS software supports three methods of user authentication: local password authentication, Remote Authentication Dial-In User Service (RADIUS), and Terminal Access Controller Access Control System Plus (TACACS+). With local password authentication, you set a password for each user in the router's configuration file. RADIUS and TACACS+ are centralized authentication databases for validating users who attempt to access the router using any access method. They are both distributed client/server systemsthe RADIUS and TACACS+ clients run on the router, and the server runs on a remote network system.
You can configure the router to be both a RADIUS and TACACS+ client and can also configure authentication passwords in the JUNOS configuration file. If you use multiple authentication methods, you can set the order in which the router tries the different authentication methods when verifying user access. If you do not set the order, the router uses the local password first.
All passwords that you enter in a JUNOS configuration are encrypted. The JUNOS software supports several methods for securing passwords using encryption and hashing algorithms (encryption is a one-to-one mapping, so it's possible to decrypt, while hashing is a many-to-many mapping, so it's impossible to unhash):
Secure Hash Algorithm 1 is the newest algorithm, developed in 1995. It is a secure hashing algorithm that produces a 160-bit message digest that is used as a signature for a message and that must be verified by the recipient. SHA1 is considered secure because it is computationally infeasible to find a message that corresponds to a given message digest or to find two different messages that produce the same message digest. Any change to a message in transit results in a different message digest, so the signature fails to verify. However, SHA1 has recently been proven not to be as strong as originally thought.
Message Digest 5, developed in 1991, is a message-hashing algorithm that takes a message of arbitrary length and produces a 128-bit hash function. When developed, it was thought to be computationally infeasible to produce two messages with the same message digest. The use of MD5 has recently been deprecated by the U.S. Department of Defense.
Data Encryption Standard, an encryption algorithm developed in 1976, uses a 56-bit key. Many people never thought DES was very strong in the first place.
Secure shell, Version 1 ( RSA) and Version 2 ( DSA), is a security protocol that was originally developed with the Unix BSD software.
Even when you configure a plain-text password, the JUNOS software encrypts it immediately after you type it. Also, the software forces you to use a somewhat strong password, because the password must be at least six characters long and must include either a change of case or a special character.
Router Configuration and File Management
Basic Router Security and Access Control
Routing Policy and Firewall Filters