1.4 Ensure configuration is backed up on a regular schedule


Regular backups should be made of the router.


Backups of a routers configuration may be necessary when recovering from physical hardware failure, administrative errors or a successful attack. Preserving the evidence of an attack may also be necessary for regulatory compliance, forensic investigation or prosecution of the attacker.

By default, JUNOS routers save a local backup copy of your configuration every time you commit (save) a change. JUNOS maintains the 50 previous configuration files, 4 on the Routing Engines Flash drive and the remainder on the hard disk.

This provides a useful method to recover from many types of fault or error, however an attacker will, potentially, be in a position to compromise these backups along with the active configuration, so it is vital that you also keep a remote configuration backup beyond the attackers reach.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.


A discussion of all possible backup methods is beyond the scope of this Benchmark.
Consider the Archival section of this Benchmark for one method of obtaining remote backups whenever your configuration is changed.
CVS tools such as RANCID provide an alternative method to backup and manage configuration files from a central location as well as keeping track of changes over time.
Also consider a method of maintaining offline copies of your backup data, such as tape storage. This provides a vital tool in Disaster Recovery and is also extremely helpful when recovering from a successful attack, as you can be certain that the attacker was unable to alter the offline version.

See Also


Item Details


References: 800-53|CP-9, CSCv7|10.1

Plugin: Juniper

Control ID: 76af60216b69c53a086ff8ceaa94552b38f4f6a0ac74936565dda437dd0e37c5