CIS Juniper OS Benchmark v2.1.0 L2

Audit Details

Name: CIS Juniper OS Benchmark v2.1.0 L2

Updated: 7/3/2023

Authority: CIS

Plugin: Juniper

Revision: 1.8

Estimated Item Count: 63

File Details

Filename: CIS_Juniper_OS_v2.1.0_L2.audit

Size: 275 kB

MD5: 4a1765b81b9e21784abc3b9414e78ae7
SHA256: ea55b1ab4bbfec0116bf85be62312b0b50a45c742f83b402be3b67abfb26479c

Audit Items

DescriptionCategories
2.2 Ensure 'Protect RE' Firewall Filter includes explicit terms for all Management Services

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

2.3 Ensure 'Protect RE' Firewall filter includes Rate-Limiting for Management Services terms

SYSTEM AND COMMUNICATIONS PROTECTION

2.4 Ensure 'Protect RE' Firewall Filter includes explicit terms for all Protocols

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

2.5 Ensure firewall filters contain explicit deny and log term

SYSTEM AND COMMUNICATIONS PROTECTION

2.6 Ensure firewall filters contain explicit deny and log term

SYSTEM AND COMMUNICATIONS PROTECTION

2.7 Ensure internal sources are blocked on external networks

SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY

3.1.3 Forbid Dial in Access

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND INFORMATION INTEGRITY

3.2.1 Ensure VRRP authentication-key is set

CONFIGURATION MANAGEMENT

3.2.2 Ensure authentication-type is set to MD5

IDENTIFICATION AND AUTHENTICATION

3.5 Ensure proxy-arp is disabled

SYSTEM AND COMMUNICATIONS PROTECTION

3.8 Ensure Loopback interface address is set

CONFIGURATION MANAGEMENT

3.10 Ensure inbound firewall filter is set for Loopback interface

CONFIGURATION MANAGEMENT

4.1.2 Ensure peer authentication is set to IPSEC SA

IDENTIFICATION AND AUTHENTICATION

4.1.4 Ensure Bogon Filtering is set (where EBGP is used)

SYSTEM AND COMMUNICATIONS PROTECTION

4.1.6 Ensure RPKI is set for Origin Validation of EBGP peers

SYSTEM AND COMMUNICATIONS PROTECTION

4.2.2 Ensure IS-IS neighbor authentication is set to SHA1

IDENTIFICATION AND AUTHENTICATION

4.3.2 Ensure OSPF authentication is set to IPSEC SA with SHA

IDENTIFICATION AND AUTHENTICATION

4.6.1 Ensure BFD Authentication is Set

CONFIGURATION MANAGEMENT

4.6.2 Ensure BFD Authentication is Not Set to Loose-Check

CONFIGURATION MANAGEMENT

4.7.2 Ensure authentication is set to AES-CMAC

IDENTIFICATION AND AUTHENTICATION

4.9.1 Ensure Secure Neighbor Discovery is configured

IDENTIFICATION AND AUTHENTICATION

4.12.1 Ensure LLDP is Disabled if not Required

CONFIGURATION MANAGEMENT

4.12.2 Ensure LLDP-MED is Disabled if not Required

CONFIGURATION MANAGEMENT

5.5 Ensure SNMP Write Access is not set

ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION

5.6 Ensure AES128 is set for all SNMPv3 users

SYSTEM AND COMMUNICATIONS PROTECTION

5.7 Ensure SHA1 is set for SNMPv3 authentication

IDENTIFICATION AND AUTHENTICATION

5.9 Ensure SNMP is set to OOB management only

SYSTEM AND COMMUNICATIONS PROTECTION

6.1.4 Recommend Accounting of Interactive Commands (where External AAA is used)

AUDIT AND ACCOUNTABILITY

6.2.1 Ensure Archive on Commit

CONTINGENCY PLANNING

6.2.2 Ensure at least one SCP Archive Site is configured

CONTINGENCY PLANNING

6.5.1 Ensure ICMPv4 rate-limit is Set

CONFIGURATION MANAGEMENT

6.5.2 Ensure ICMPv6 rate-limit is Set

CONFIGURATION MANAGEMENT

6.6.7 Ensure Remote Login Class for Authorization through External AAA - login class

IDENTIFICATION AND AUTHENTICATION

6.6.7 Ensure Remote Login Class for Authorization through External AAA - remote class

IDENTIFICATION AND AUTHENTICATION

6.6.14 Ensure Multi-Factor is used with External AAA

IDENTIFICATION AND AUTHENTICATION

6.7.2 Ensure Multiple External NTP Servers are set

AUDIT AND ACCOUNTABILITY

6.7.3 Ensure NTP Boot-Server is set

AUDIT AND ACCOUNTABILITY

6.7.5 Ensure Authentication Keys are used for all NTP Servers

AUDIT AND ACCOUNTABILITY, IDENTIFICATION AND AUTHENTICATION

6.7.6 Ensure Different Authentication Keys for each NTP Server

AUDIT AND ACCOUNTABILITY, IDENTIFICATION AND AUTHENTICATION

6.7.7 Ensure Strong Authentication Methods are used for NTP Authentication

AUDIT AND ACCOUNTABILITY

6.10.1.7 Ensure Only Suite B Ciphers are set for SSH - ciphers restriction

IDENTIFICATION AND AUTHENTICATION

6.10.1.7 Ensure Only Suite B Ciphers are set for SSH - weak ciphers

IDENTIFICATION AND AUTHENTICATION

6.10.1.10 Ensure Only Suite B Key Exchange Methods are set for SSH - key-exchange restriction

IDENTIFICATION AND AUTHENTICATION

6.10.1.10 Ensure Only Suite B Key Exchange Methods are set for SSH - weak key-exchange

IDENTIFICATION AND AUTHENTICATION

6.10.1.12 Ensure Only Suite B Based Key Signing Algorithms are set for SSH - DSA keys

IDENTIFICATION AND AUTHENTICATION

6.10.1.12 Ensure Only Suite B Based Key Signing Algorithms are set for SSH - ECDSA Key

IDENTIFICATION AND AUTHENTICATION

6.10.1.13 Ensure SSH Key Authentication is Disabled

IDENTIFICATION AND AUTHENTICATION

6.10.2.3 Ensure Web-Management is Set to use PKI Certificate for HTTPS

IDENTIFICATION AND AUTHENTICATION

6.10.2.7 Ensure Web-Management Interface Restriction is set to OOB Management

SYSTEM AND COMMUNICATIONS PROTECTION

6.10.3.2 Ensure XNM-SSL Connection Limit is Set

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION