1.3 Ensure device is physically secured

Information

Network Devices should be physically secured.

Rationale:

As with most information assets, it is vital that an attacker is prevented from gaining physical access to your Juniper JUNOS Devices.

With physical access an attacker may bypass firewalls by re-patching cables around them, power off your Device to cause a denial of service, or connect directly to the console port and interact with the device outside the network access controls.

On almost all network equipment, Junos devices included, an attacker with physical console access and the ability to reboot the device can reset or recover the Root password, regardless of how strong that password is.

Recommendations elsewhere in this document provide some mitigation against these attacks by, for example, Encrypting Configuration files and disabling Auxiliary Ports, but preventing or detecting physical access to your network devices should still be a fundamental element of a defense in depth strategy.
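As an added illustration (not text from the benchmark itself), the compensating Junos controls that the rationale refers to look like this in `set` form. The statements are standard Junos knobs under the `[edit system]` hierarchy; their exact availability and the related audit items should be checked against your Junos release and the rest of this benchmark rather than assumed from this fragment. The configuration-file encryption key is set out of band with `request system set-encryption-key` before `encrypt-configuration-files` will commit.

```junos
## Constructed example: Junos statements that reduce the impact of an attacker
## reaching the chassis. They complement, and do not replace, a locked room.

## Disable the auxiliary port so a second serial console is not available.
set system ports auxiliary disable

## Mark the console "insecure": root login is refused on the console and the
## single-user-mode password recovery procedure is disabled. Confirm you have
## another out-of-band path to the device before committing this.
set system ports console insecure

## Drop the console session when the cable is unplugged, so a walk-up attacker
## does not inherit an administrator's still-logged-in session.
set system ports console log-out-on-disconnect

## Store configuration files encrypted on disk (requires a prior
## "request system set-encryption-key" in operational mode).
set system encrypt-configuration-files
```

After `commit`, `show configuration system ports` and `show configuration system | match encrypt` should show the statements above; absence of any of them means physical access alone is enough to obtain a root session or read the stored configuration.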

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

While preventing all physical access is nearly impossible in some deployment scenarios, such as for a Service Provider supplying Customer Premises Equipment (CPE), in most cases the following minimum steps should be considered:

The JUNOS Device should be deployed in a secure, locked room.

Access logs should be maintained for the room, either electronically through use of access cards or through a manual process for access to the key.

Access to the room should be limited to only those personnel absolutely required.

CCTV should be used to monitor sensitive areas and comms rooms.

The room should ideally be equipped with Uninterruptible Power Supply (UPS) and cooling facilities as well as be free from Electromagnetic Interference sources. Loss of power (either malicious or accidental) or cooling can result in a loss of service.

These methods should be a bare minimum, and other physical security options should be considered when protecting a JUNOS Device which processes or transits sensitive data, such as encryption keys, credit card data or Personally Identifiable Information, which may be in scope for regulatory or industry compliance standards such as PCI DSS, GDPR or HIPAA.
In these situations Secure Hosting or Co-Location Facilities may be required, and the physical security options considered should include:

24/7 Security Guards and Monitoring

Biometric and/or Multi Factor access control

Private Caged areas for secure equipment

Additional alarm and monitoring systems to detect equipment being removed from racks

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6, CSCv7|14

Plugin: Juniper

Control ID: 2b6ba266652c69b1ab5610fa7ce83cdd7c6a6e5f58fd16859d505642994fb3e5