| 1.1 Ensure Device is running Current Junos Software | SYSTEM AND INFORMATION INTEGRITY |
| 1.2 Ensure End of Life JUNOS Devices are not used | CONFIGURATION MANAGEMENT |
| 1.3 Ensure device is physically secured | ACCESS CONTROL |
| 1.4 Ensure configuration is backed up on a regular schedule | CONTINGENCY PLANNING |
| 1.5 Ensure backup data is stored and transferred securely | CONTINGENCY PLANNING |
| 1.6 Ensure maximum RAM is installed | CONFIGURATION MANAGEMENT |
| 1.7 Ensure logging data is monitored | AUDIT AND ACCOUNTABILITY |
| 1.8 Ensure Retired JUNOS Devices are Disposed of Securely | CONFIGURATION MANAGEMENT |
| 2.1 Ensure 'Protect RE' Firewall Filter is set for inbound traffic to the Routing Engine | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.1.1 Ensure Caller ID is set | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.1.2 Ensure access profile is set to use CHAP | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.3 Ensure unused interfaces are set to disable | SYSTEM AND INFORMATION INTEGRITY |
| 3.4 Ensure interface description is set | SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT |
| 3.6 Ensure ICMP Redirects are set to disabled (on all untrusted IPv4 networks) | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.7 Ensure ICMP Redirects are set to disabled (on all untrusted IPv6 networks) | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.9 Ensure only one loopback address is set | CONFIGURATION MANAGEMENT |
| 4.1.1 Ensure peer authentication is set to MD5 | IDENTIFICATION AND AUTHENTICATION |
| 4.1.3 Ensure EBGP peers are set to use GTSM | CONFIGURATION MANAGEMENT |
| 4.1.5 Ensure Ingress Filtering is set for EBGP peers | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.2.1 Ensure IS-IS neighbor authentication is set to MD5 | IDENTIFICATION AND AUTHENTICATION |
| 4.2.3 Ensure authentication check is not suppressed | IDENTIFICATION AND AUTHENTICATION |
| 4.2.4 Ensure loose authentication check is not configured | IDENTIFICATION AND AUTHENTICATION |
| 4.2.5 Ensure IS-IS Hello authentication check is not suppressed | IDENTIFICATION AND AUTHENTICATION |
| 4.2.6 Ensure PSNP authentication check is not set to suppressed | IDENTIFICATION AND AUTHENTICATION |
| 4.2.7 Ensure CSNP authentication check is not set to suppressed | IDENTIFICATION AND AUTHENTICATION |
| 4.3.1 Ensure OSPF authentication is set to MD5 | IDENTIFICATION AND AUTHENTICATION |
| 4.4.1 Ensure OSPFv3 authentication is set to IPSEC SA - ipsec-sa | IDENTIFICATION AND AUTHENTICATION |
| 4.4.1 Ensure OSPFv3 authentication is set to IPSEC SA - md5 | IDENTIFICATION AND AUTHENTICATION |
| 4.5.1 Ensure RIP authentication is set to MD5 | IDENTIFICATION AND AUTHENTICATION |
| 4.5.2 Ensure RIP is set to check for zero values in reserved fields | CONFIGURATION MANAGEMENT |
| 4.7.1 Ensure authentication is set to MD5 | IDENTIFICATION AND AUTHENTICATION |
| 4.8.1 Ensure authentication is set to MD5 | IDENTIFICATION AND AUTHENTICATION |
| 4.10.1 Ensure ICMP Router Discovery is disabled | SYSTEM AND INFORMATION INTEGRITY |
| 4.11.1 Ensure authentication is set to MD5 | IDENTIFICATION AND AUTHENTICATION |
| 5.1 Ensure Common SNMP Community Strings are NOT used | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.2 Ensure SNMPv1/2 are set to Read Only | ACCESS CONTROL |
| 5.3 Ensure a client list is set for SNMPv1/v2 communities | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.4 Ensure 'Default Restrict' is set in all client lists | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.8 Ensure interface restrictions are set for SNMP | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.1.1 Ensure Accounting Destination is configured | AUDIT AND ACCOUNTABILITY |
| 6.1.2 Ensure Accounting of Logins | AUDIT AND ACCOUNTABILITY |
| 6.1.3 Ensure Accounting of Configuration Changes | AUDIT AND ACCOUNTABILITY |
| 6.2.3 Ensure NO Plain Text Archive Sites are configured | CONTINGENCY PLANNING |
| 6.3.1 Ensure external AAA is used | ACCESS CONTROL |
| 6.3.2 Ensure Local Accounts can ONLY be used during loss of external AAA | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| 6.4.1 Ensure Authentication is configured for Diagnostic Ports | IDENTIFICATION AND AUTHENTICATION |
| 6.4.2 Ensure Diagnostic Port Authentication uses a complex password | IDENTIFICATION AND AUTHENTICATION |
| 6.5.3 Ensure ICMP Source-Quench is Set to Disabled | CONFIGURATION MANAGEMENT |
| 6.5.4 Ensure TCP SYN/FIN is Set to Drop | CONFIGURATION MANAGEMENT |
| 6.5.5 Ensure TCP RST is Set to Disabled | CONFIGURATION MANAGEMENT |
