CIS Juniper OS Benchmark v2.1.0 L1

Audit Details

Name: CIS Juniper OS Benchmark v2.1.0 L1

Updated: 1/4/2023

Authority: CIS

Plugin: Juniper

Revision: 1.7

Estimated Item Count: 120

File Details

Filename: CIS_Juniper_OS_v2.1.0_L1.audit

Size: 344 kB

MD5: ec04385576c4c41d6ffae2a0e33cca50
SHA256: 1ae9e255b17635d6334d78dc6ff03f24689275979eccea02a27dd91fb2a991fd

Audit Items

Description

Categories

1.1 Ensure Device is running Current Junos Software

SYSTEM AND INFORMATION INTEGRITY

1.2 Ensure End of Life JUNOS Devices are not used

CONFIGURATION MANAGEMENT

1.3 Ensure device is physically secured

ACCESS CONTROL

1.4 Ensure configuration is backed up on a regular schedule

CONTINGENCY PLANNING

1.5 Ensure backup data is stored and transferred securely

CONTINGENCY PLANNING

1.6 Ensure maximum RAM is installed

CONFIGURATION MANAGEMENT

1.7 Ensure logging data is monitored

AUDIT AND ACCOUNTABILITY

1.8 Ensure Retired JUNOS Devices are Disposed of Securely

CONFIGURATION MANAGEMENT

2.1 Ensure 'Protect RE' Firewall Filter is set for inbound traffic to the Routing Engine

SYSTEM AND COMMUNICATIONS PROTECTION

3.1.1 Ensure Caller ID is set

SYSTEM AND COMMUNICATIONS PROTECTION

3.1.2 Ensure access profile is set to use CHAP

SYSTEM AND COMMUNICATIONS PROTECTION

3.3 Ensure unused interfaces are set to disable

SYSTEM AND INFORMATION INTEGRITY

3.4 Ensure interface description is set

SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT

3.6 Ensure ICMP Redirects are set to disabled (on all untrusted IPv4 networks)

SYSTEM AND COMMUNICATIONS PROTECTION

3.7 Ensure ICMP Redirects are set to disabled (on all untrusted IPv6 networks)

SYSTEM AND COMMUNICATIONS PROTECTION

3.9 Ensure only one loopback address is set

CONFIGURATION MANAGEMENT

4.1.1 Ensure peer authentication is set to MD5

IDENTIFICATION AND AUTHENTICATION

4.1.3 Ensure EBGP peers are set to use GTSM

CONFIGURATION MANAGEMENT

4.1.5 Ensure Ingress Filtering is set for EBGP peers

SYSTEM AND COMMUNICATIONS PROTECTION

4.2.1 Ensure IS-IS neighbor authentication is set to MD5

IDENTIFICATION AND AUTHENTICATION

4.2.3 Ensure authentication check is not suppressed

IDENTIFICATION AND AUTHENTICATION

4.2.4 Ensure loose authentication check is not configured

IDENTIFICATION AND AUTHENTICATION

4.2.5 Ensure IS-IS Hello authentication check is not suppressed

IDENTIFICATION AND AUTHENTICATION

4.2.6 Ensure PSNP authentication check is not set to suppressed

IDENTIFICATION AND AUTHENTICATION

4.2.7 Ensure CSNP authentication check is not set to suppressed

IDENTIFICATION AND AUTHENTICATION

4.3.1 Ensure OSPF authentication is set to MD5

IDENTIFICATION AND AUTHENTICATION

4.4.1 Ensure OSPFv3 authentication is set to IPSEC SA - ipsec-sa

IDENTIFICATION AND AUTHENTICATION

4.4.1 Ensure OSPFv3 authentication is set to IPSEC SA - md5

IDENTIFICATION AND AUTHENTICATION

4.5.1 Ensure RIP authentication is set to MD5

IDENTIFICATION AND AUTHENTICATION

4.5.2 Ensure RIP is set to check for zero values in reserved fields

CONFIGURATION MANAGEMENT

4.7.1 Ensure authentication is set to MD5

IDENTIFICATION AND AUTHENTICATION

4.8.1 Ensure authentication is set to MD5

IDENTIFICATION AND AUTHENTICATION

4.10.1 Ensure ICMP Router Discovery is disabled

SYSTEM AND INFORMATION INTEGRITY

4.11.1 Ensure authentication is set to MD5

IDENTIFICATION AND AUTHENTICATION

5.1 Ensure Common SNMP Community Strings are NOT used

SYSTEM AND COMMUNICATIONS PROTECTION

5.2 Ensure SNMPv1/2 are set to Read Only

ACCESS CONTROL

5.3 Ensure a client list is set for SNMPv1/v2 communities

SYSTEM AND COMMUNICATIONS PROTECTION

5.4 Ensure 'Default Restrict' is set in all client lists

SYSTEM AND COMMUNICATIONS PROTECTION

5.8 Ensure interface restrictions are set for SNMP

SYSTEM AND COMMUNICATIONS PROTECTION

6.1.1 Ensure Accounting Destination is configured

AUDIT AND ACCOUNTABILITY

6.1.2 Ensure Accounting of Logins

AUDIT AND ACCOUNTABILITY

6.1.3 Ensure Accounting of Configuration Changes

AUDIT AND ACCOUNTABILITY

6.2.3 Ensure NO Plain Text Archive Sites are configured

CONTINGENCY PLANNING

6.3.1 Ensure external AAA is used

ACCESS CONTROL

6.3.2 Ensure Local Accounts can ONLY be used during loss of external AAA

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

6.4.1 Ensure Authentication is configured for Diagnostic Ports

IDENTIFICATION AND AUTHENTICATION

6.4.2 Ensure Diagnostic Port Authentication uses a complex password

IDENTIFICATION AND AUTHENTICATION

6.5.3 Ensure ICMP Source-Quench is Set to Disabled

CONFIGURATION MANAGEMENT

6.5.4 Ensure TCP SYN/FIN is Set to Drop

CONFIGURATION MANAGEMENT

6.5.5 Ensure TCP RST is Set to Disabled

CONFIGURATION MANAGEMENT