Security: From JUNOS

  • Three security principles:
    • Integrity: network resources operate as expected and have not been compromised. Also covers the integrity of packets as they transit the network.
    • Availability: authorized network personnel have reliable and timely access to data and to the routers themselves.
    • Confidentiality: only authorized individuals are granted access to network resources, and unauthorized individuals are kept out.
  • Systematic security:
    • First step is to write a security policy, neither too strict nor too loose.
    • Then plan its deployment, and only then implement it.
    • The network engineer should stay up to date on new exploits and attack techniques.
  • User authentication:
    • JUNOS can authenticate users against the local password database, a RADIUS server or a TACACS+ server.
    • The order in which the methods are tried is set with ‘set system authentication-order [ radius tacplus password ]’.
    • With the order above, the user is checked against RADIUS first. If that succeeds, access is granted and no further check is made. If it fails or the server does not respond, the credentials are checked against TACACS+. If that fails or does not respond, the local database is consulted. If that also fails, access is denied.
    • With ‘authentication-order [ radius tacplus ]’ (no ‘password’ listed), the local database is still consulted as a last resort, but only when neither the RADIUS nor the TACACS+ server responds; an explicit reject from a server does not fall through to it. This keeps the router reachable during a network outage.
    • Even when users are authenticated by RADIUS/TACACS+, the router still needs a locally configured user (template) account in order to assign them rights and privileges.
    • If a user is authenticated by RADIUS/TACACS+ but no local account matches the username, the router maps the user to the default template account named ‘remote’ (which must itself exist in the local configuration).

RADIUS: Remote Authentication Dial-In User Service

  • The router acts as a RADIUS client and contacts the RADIUS server to authenticate user credentials.
  • Uses UDP, addressed to port 1812.
  • A shared secret is configured on both server and client.
  • Configured with ‘set system radius-server x.x.x.x secret <password>’. More than one RADIUS server can be configured.
  • When a user enters a username/password, the router sends them to the first configured server, waits 3 seconds (default timeout) and retries 3 times (default retry). If there is still no response, the next configured server is contacted.
  • The defaults can be changed with ‘set system radius-server x.x.x.x retry <n>’ and ‘set system radius-server x.x.x.x timeout <seconds>’.
  • Three messages types are available: access-request, access-accept, access-reject messages.
  • Common RADIUS header:
    • Code – 1 octet – 0x01 for Access-Request, 0x02 for Access-Accept, 0x03 for Access-Reject.
    • Identifier – 1 octet – matches requests to the replies from the server; incremented by 1 for each new request.
    • Length – 2 octets – length of the entire RADIUS message, header included.
  • Access-Request message:
    • Sent from the router to the server with attributes such as the router identifier, username and password.
    • Request Authenticator – 16 octets – random value generated by the router. The server feeds it into the hash it returns in its reply, so the router can authenticate that reply; it also keys the hiding of the User-Password attribute.
    • Username, password and NAS-Identifier (router hostname) are carried in TLV (type, length, value) format.
  • Access-Accept message:
    • Sent by the server to the router to indicate the user supplied a valid username/password and is allowed access.
    • Response Authenticator – 16 octets – MD5 hash over the Code, Identifier and Length of the reply, the Request Authenticator from the Access-Request, the reply's attributes and the shared secret.
    • The reply's attributes are again in TLV format; the Code value (0x02) is what tells the router the user is authenticated.
    • In addition, a Juniper-specific Vendor-Specific attribute can be sent with Type = 26 and the Juniper vendor ID 2636. Its sub-TLVs carry attributes such as:
      • ‘Juniper-Local-User-Name’: overrides the default match on the local username, so several separate RADIUS users can share the rights of a single local account.
      • ‘Juniper-Allow-Commands’: by default the user's set of operational commands is controlled by the class of the local user template; this attribute extends that list.
      • Similarly: ‘Juniper-Deny-Commands’, ‘Juniper-Allow-Configuration’ and ‘Juniper-Deny-Configuration’.
  • Access-Reject message:
    • Sent by the server to the router when the username is not in the database or the password is wrong.
    • It also carries a Response Authenticator, so the router can authenticate the reject.
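The RADIUS exchange above, written out as an added example (not code from the original post and not Junos's implementation): the router builds an Access-Request with a random Request Authenticator and a hidden User-Password, the server answers with an Access-Accept carrying a Juniper-Local-User-Name VSA, and the router recomputes the Response Authenticator before trusting the reply. Attribute numbers and the 2636 vendor ID are the real ones; the shared secret, username, NAS identifier and the server's replies are constructed for the demonstration.

```python
"""RADIUS exchange as seen from the router (NAS). Added example, not code from the
original page; formats follow RFC 2865 and 2636 is Juniper's vendor ID. The shared
secret, username, password, NAS identifier and server replies are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, VENDOR_SPECIFIC, NAS_IDENTIFIER = 1, 2, 26, 32
JUNIPER_VENDOR_ID = 2636
JUNIPER_LOCAL_USER_NAME = 1          # Juniper VSA sub-type number

def tlv(attr_type, value):
    """One attribute: Type (1 octet), Length (1 octet, header included), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def hide_password(password, secret, request_auth):
    """User-Password hiding (RFC 2865 s5.2): pad to 16-octet blocks, XOR each block
    with MD5(secret + previous block), first block keyed by the Request Authenticator.
    Obfuscation only: the secret's strength is all that protects the password."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out

def access_request(ident, username, password, secret, nas_id, request_auth=None):
    """Router -> server. The Request Authenticator is 16 random octets."""
    request_auth = request_auth or os.urandom(16)
    attrs = (tlv(USER_NAME, username)
             + tlv(USER_PASSWORD, hide_password(password, secret, request_auth))
             + tlv(NAS_IDENTIFIER, nas_id))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth

def juniper_vsa(subtype, value):
    """Vendor-Specific attribute (26): Vendor-Id 2636 followed by one Juniper sub-TLV."""
    return tlv(VENDOR_SPECIFIC, struct.pack("!I", JUNIPER_VENDOR_ID) + tlv(subtype, value))

def access_response(code, ident, request_auth, secret, attrs=b""):
    """Server -> router. Response Authenticator =
    MD5(Code + Identifier + Length + RequestAuthenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def verify_response(packet, expected_ident, request_auth, secret):
    """The router's check before trusting an Accept or Reject: Identifier must match
    the outstanding request and the Response Authenticator must recompute under the
    shared secret. Returns (authentic, code)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if ident != expected_ident or length != len(packet) or length < 20:
        return False, code
    attrs = packet[20:length]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, packet[4:20]), code

def parse_attributes(attrs):
    """Walk the TLVs; Juniper VSAs come back as ('juniper', sub_type, value)."""
    out, i = [], 0
    while i + 2 <= len(attrs):
        t, length = attrs[i], attrs[i + 1]
        if length < 2 or i + length > len(attrs):
            raise ValueError("malformed attribute")
        v = attrs[i + 2:i + length]
        if t == VENDOR_SPECIFIC and len(v) >= 6 and struct.unpack("!I", v[:4])[0] == JUNIPER_VENDOR_ID:
            out.append(("juniper", v[4], v[6:4 + v[5]]))
        else:
            out.append((t, v))
        i += length
    return out

def demo(secret=b"constructed-shared-secret"):
    """One round trip, a tampered Accept, a genuine Reject and a stale reply;
    returns what the router concludes about each."""
    req, rauth = access_request(7, b"alice", b"s3cret", secret, b"router1")
    # Server maps alice onto a local template account via Juniper-Local-User-Name.
    accept = access_response(ACCESS_ACCEPT, 7, rauth, secret,
                             juniper_vsa(JUNIPER_LOCAL_USER_NAME, b"ops-template"))
    accept_ok, code = verify_response(accept, 7, rauth, secret)
    templates = [a[2] for a in parse_attributes(accept[20:]) if a[0] == "juniper"]
    # An on-path attacker rewrites the template name without knowing the secret.
    forged = accept[:-8] + b"superusr"
    forged_ok, _ = verify_response(forged, 7, rauth, secret)
    # A Reject carries a Response Authenticator too, so a genuine one verifies.
    reject = access_response(ACCESS_REJECT, 7, rauth, secret)
    reject_ok, reject_code = verify_response(reject, 7, rauth, secret)
    # A reply whose Identifier does not match the outstanding request is ignored.
    stale_ok, _ = verify_response(accept, 8, rauth, secret)
    return {"request_len": len(req), "accept_ok": accept_ok, "code": code, "templates": templates,
            "forged_ok": forged_ok, "reject_ok": reject_ok, "reject_code": reject_code,
            "stale_ok": stale_ok}
```

The point the example makes is that everything the router trusts in the reply (the verdict and the Juniper sub-attributes that decide the user's privileges) is protected only by the MD5-with-shared-secret Response Authenticator, so a weak or widely shared RADIUS secret lets an on-path attacker forge an Accept with a more privileged template name.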

TACACS+ : Terminal Access Controller Access Control System

  • TACACS+ packets are sent over TCP, addressed to port 49.
  • Configured with ‘set system tacplus-server x.x.x.x secret <password>’.
  • When a user enters a username/password, the router contacts the server and waits for a response. If no reply arrives within the configured ‘timeout’ (3 seconds by default), the next server is contacted. If the reply is a deny, or no server responds, the next authentication method in the order is tried.
  • By default a separate TCP session is opened for each authentication attempt. Configuring ‘single-connection’ (‘set system tacplus-server x.x.x.x single-connection’) saves router resources by reusing one TCP connection for all users. Three message types are used: Start, Reply and Continue.
  • Common TACACS+ message header:
    • Major/minor version – 1 octet – set to 0xc0 (major version 0xc, minor version 0).
    • Type – 1 octet – type of TACACS+ packet: 0x01 for authentication, 0x02 for authorization, 0x03 for accounting.
    • Sequence number – 1 octet – set to 1 for the first packet of a session and incremented by 1 for each subsequent packet.
    • Flags – 1 octet – contains two flags:
      • Unencrypted flag – set to 1 when the packet body is sent in the clear; 0 when the body is obfuscated with an MD5 pseudo-pad derived from the shared secret. By default JUNOS obfuscates the body using the shared secret.
      • Single-connection flag – set to 1 when the router uses a single TCP connection for all user checks.
    • Session ID – 4 octets – random number used to match requests and replies.
    • Length – 4 octets – length of the body that follows the header.
  • Start message:
    • When the user enters a username, the router sends it to the server in a ‘start’ message. The login username and a local IP address (so the server can identify the router) are sent.
  • Continue message:
    • When the server's reply asks the router to collect a password from the user, the router sends the password in a ‘continue’ message.
  • Reply message:
    • When the router sends the username, the server answers with a ‘reply’ message asking for the password. After the router sends the password in a ‘continue’ message, the server sends the final result (allow or deny) in another ‘reply’ message.
    • The reply message has a ‘status’ field set to:
      • 0x01 for a pass response
      • 0x02 for a fail response
      • 0x05 for a request for the password
    • Another field, ‘data’, allows vendor-specific extensions. The Juniper ones are ‘local-user-name’, ‘allow-commands’, ‘deny-commands’, ‘allow-configuration’ and ‘deny-configuration’.
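The TACACS+ start / reply / continue exchange above, as an added example (not code from the original post and not Junos's implementation). It builds the 12-octet header with the one-octet 0xc0 version, obfuscates the body with the MD5 pseudo-pad keyed by the shared secret, checks the sequence number on receipt, and shows what the unencrypted flag costs: with it set, the password in the continue message is readable on the wire. Header layout, flag bits and status values follow the TACACS+ specification (RFC 8907); the shared key, session ID, port, remote address and the server's user database are constructed.

```python
"""TACACS+ ASCII login (START / REPLY / CONTINUE) between router and server. Added
example, not code from the original page; header layout, flag bits, status values
and the MD5 pseudo-pad follow the TACACS+ protocol (RFC 8907). The shared key,
session ID, port, addresses and the server's user database are constructed."""
import hashlib
import struct

VERSION = 0xC0                       # one octet: major version 0xc, minor version 0
TYPE_AUTHEN = 0x01
FLAG_UNENCRYPTED, FLAG_SINGLE_CONNECT = 0x01, 0x04
AUTHEN_LOGIN, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN = 0x01, 0x01, 0x01
STATUS_PASS, STATUS_FAIL, STATUS_GETPASS = 0x01, 0x02, 0x05
HEADER = struct.Struct("!BBBBII")    # version, type, seq_no, flags, session_id, length
USER_DB = {b"alice": b"s3cret"}      # constructed server-side database

def pseudo_pad(session_id, key, seq_no, length):
    """MD5_1 = MD5(session_id | key | version | seq_no), MD5_n = MD5(... | MD5_n-1),
    concatenated and truncated to the body length."""
    prefix = struct.pack("!I", session_id) + key + bytes([VERSION, seq_no])
    pad, last = b"", b""
    while len(pad) < length:
        last = hashlib.md5(prefix + last).digest()
        pad += last
    return pad[:length]

def obfuscate(body, session_id, key, seq_no):
    """XOR the body with the pseudo-pad; applying it twice restores the body."""
    return bytes(a ^ b for a, b in zip(body, pseudo_pad(session_id, key, seq_no, len(body))))

def packet(seq_no, flags, session_id, body, key):
    """12-octet header + body; the body is obfuscated unless the unencrypted flag is set."""
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, seq_no)
    return HEADER.pack(VERSION, TYPE_AUTHEN, seq_no, flags, session_id, len(body)) + body

def unpack(pkt, key, expected_seq):
    """Receiver side: check version, length and sequence number, then de-obfuscate."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(pkt[:12])
    if version != VERSION or len(pkt) != 12 + length or seq_no != expected_seq:
        raise ValueError("bad TACACS+ header")
    body = pkt[12:]
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, seq_no)
    return ptype, flags, body

def start_body(user, port, rem_addr):
    """Authentication START: action, priv_lvl, authen_type, service, 4 lengths, strings."""
    return struct.pack("!8B", AUTHEN_LOGIN, 1, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN,
                       len(user), len(port), len(rem_addr), 0) + user + port + rem_addr

def reply_body(status, server_msg=b"", data=b""):
    """Authentication REPLY: status, flags, server_msg length, data length, strings."""
    return struct.pack("!BBHH", status, 0, len(server_msg), len(data)) + server_msg + data

def parse_reply(body):
    status, _flags, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    return status, body[6:6 + msg_len], body[6 + msg_len:6 + msg_len + data_len]

def continue_body(user_msg):
    """Authentication CONTINUE: user_msg length, data length, flags, user_msg."""
    return struct.pack("!HHB", len(user_msg), 0, 0) + user_msg

def parse_continue(body):
    msg_len = struct.unpack("!HHB", body[:5])[0]
    return body[5:5 + msg_len]

def login_exchange(user, password, key, flags=0, session_id=0x1A2B3C4D):
    """Run the four-message exchange in one session (odd sequence numbers from the
    router, even from the server). Returns (final status, captured packets)."""
    wire = []

    def send(seq, body):                      # build, capture, and decode as the peer would
        pkt = packet(seq, flags, session_id, body, key)
        wire.append(pkt)
        return unpack(pkt, key, expected_seq=seq)[2]

    start = send(1, start_body(user, b"ttyp0", b"192.0.2.10"))      # router: START
    seen_user = start[8:8 + start[4]]                                 # server reads user_len, user
    status = parse_reply(send(2, reply_body(STATUS_GETPASS, b"Password: ")))[0]  # server: GETPASS
    if status != STATUS_GETPASS:
        return STATUS_FAIL, wire
    supplied = parse_continue(send(3, continue_body(password)))       # router: CONTINUE
    verdict = STATUS_PASS if USER_DB.get(seen_user) == supplied else STATUS_FAIL
    status = parse_reply(send(4, reply_body(verdict)))[0]             # server: final REPLY
    return status, wire

def password_on_wire(wire, password):
    """True if the password bytes are readable in any captured packet."""
    return any(password in pkt for pkt in wire)
```

Note that the TACACS+ "encryption" is an XOR against an MD5 stream keyed by the shared secret and the (cleartext) session ID and sequence number; it hides the password from a casual capture but provides no integrity, which is why the shared secret should be long and the server reachable only over a management network.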

Controlling Network attacks:

  • Spoofed packets – packets with altered information in the IP header, typically the IP source address.
  • Using firewall filters:
    • A firewall filter can be written to accept only packets from known source addresses and to count and discard everything else.
    • It has to be configured statically, and keeping such filters current on every router is a burden on the network administrator.
  • Using Unicast Reverse Path Forwarding (uRPF):
    • Same concept as the multicast RPF check: when an incoming packet carries a source address that the local router would not route back out of the interface the packet arrived on, the packet is dropped.
    • Configured with ‘set interfaces em0 unit 0 family inet rpf-check’.
    • RPF failure packet counts can be viewed with ‘show interfaces em0 detail’ (or ‘extensive’).
    • The RPF check above is done against the ‘active’ routes in the forwarding table. In some scenarios, such as peering sessions between AS networks where routing is asymmetric, this is not desirable.
    • To do the RPF check against all feasible routes in the forwarding table, configure ‘set feasible-paths’ under the [edit routing-options forwarding-table unicast-reverse-path] hierarchy.
  • JUNOS software performs the uRPF check before any configured input firewall filters.
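The strict versus feasible-paths distinction above, as an added example (not code from the original post and not Junos's forwarding code): a small forwarding table with an active and an alternate route to a peer's prefix, a mix of legitimate, asymmetric and spoofed packets, and the per-interface RPF failure counts each mode produces. Interface names, prefixes and the packet list are constructed; default-route handling is not modelled.

```python
"""Unicast RPF check against a forwarding table, active routes only versus feasible
paths. Added example, not code from the original page and not Junos's implementation;
it models the behaviour the notes describe. Interface names, prefixes and the packet
list are constructed. Default-route handling is not modelled."""
import ipaddress
from collections import Counter

class ForwardingTable:
    def __init__(self):
        self.routes = []  # (network, outgoing interface, active?)

    def add(self, prefix, interface, active=True):
        """Alternate (non-active) routes are what feasible-paths brings into play."""
        self.routes.append((ipaddress.ip_network(prefix), interface, active))

    def rpf_interfaces(self, source, feasible_paths=False):
        """Longest-prefix match on the source address, returned as the set of interfaces
        the router would use to reach it. Strict mode: only the active route. With
        feasible-paths: every route for that prefix, active or alternate."""
        src = ipaddress.ip_address(source)
        hits = [(n, i, a) for n, i, a in self.routes if src in n]
        if not hits:
            return set()
        best = max(n.prefixlen for n, _, _ in hits)
        return {i for n, i, a in hits if n.prefixlen == best and (a or feasible_paths)}

def rpf_check(table, packets, rpf_enabled, feasible_paths=False):
    """packets: (src, dst, ingress interface). A packet whose source is not reachable
    back out of the interface it arrived on is dropped; drops are counted per
    interface, the way the interface statistics report RPF failures."""
    forwarded, failures = [], Counter()
    for src, dst, ingress in packets:
        if ingress in rpf_enabled and ingress not in table.rpf_interfaces(src, feasible_paths):
            failures[ingress] += 1
            continue
        forwarded.append((src, dst, ingress))
    return forwarded, dict(failures)

def demo(feasible_paths=False):
    """Peering scenario: the peer's prefix has an active path via ge-0/0/1 and an
    alternate via a direct link on ge-0/0/2; the peer returns traffic asymmetrically."""
    fib = ForwardingTable()
    fib.add("10.0.0.0/8", "ge-0/0/0")                      # internal network
    fib.add("203.0.113.0/24", "ge-0/0/1")                  # peer prefix, active path
    fib.add("203.0.113.0/24", "ge-0/0/2", active=False)    # peer prefix, alternate path
    packets = [
        ("10.1.2.3", "203.0.113.9", "ge-0/0/0"),    # internal; RPF not enabled on ge-0/0/0
        ("203.0.113.5", "10.1.2.3", "ge-0/0/1"),    # peer on the active path: passes
        ("203.0.113.5", "10.1.2.3", "ge-0/0/2"),    # peer on the alternate path
        ("10.9.9.9", "10.1.2.3", "ge-0/0/2"),       # spoofed internal source from the peer
        ("198.51.100.1", "10.1.2.3", "ge-0/0/1"),   # no route to the source at all
    ]
    return rpf_check(fib, packets, {"ge-0/0/1", "ge-0/0/2"}, feasible_paths)
```

In strict mode the legitimate but asymmetric peer packet on ge-0/0/2 is dropped alongside the spoofed one; with feasible-paths it is forwarded while the spoofed and unroutable sources are still dropped, which is the trade-off the notes describe for AS peering.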


This entry was posted in jncis, Junos.