1.2 Ensure End of Life JUNOS Devices are not used

Information

EoL JUNOS Devices should never be used in production networks.

Rationale:

As with most vendors, Juniper Networks supports individual versions of software and hardware only for a certain period of time. This allows resources to be spent developing new products rather than supporting old ones, and reflects the fact that new features and technologies may not be supportable on older hardware.

Juniper will announce that support for a device, software version or platform is being discontinued by issuing an End of Life Notice for the product being retired. A typical EOL Notice will include details of:

Notification Date - the official date that the EOLN was issued. All other timings are based on this date.

LOD - the Last Order Date for the product - typically this is 180 days after the EOLN. After LOD, no new support services or contracts for the product can be purchased.

LSV - the Last Software Version which will be supported for the product.

EOSE - the End of Software Engineering. After this date Juniper will not offer new bug fixes or software patches for the product. Typically this is 3 years after the EOLN.

LRD - the Last Renewal Date. After this date, existing support contracts and services for the platform can no longer be renewed. Typically this is 4 years after the EOLN.

EOS - the End of Support. Juniper will no longer provide any support or replacements for the platform. Typically this is 5 years after the EOLN.

Once a device has reached EOSE state, Juniper may no longer offer any patches, bug fixes or fixes for security vulnerabilities. This makes the device essentially unsupportable in a production environment, as any serious vulnerability discovered could not be patched.

In most cases it may not be practical to provide a workaround without impacting services, and it is rarely possible to instantly retire or replace affected platforms in response to a newly discovered vulnerability. This would leave networks vulnerable with no prospect of a timely fix.

You can confirm the current support status of your device by going to the Juniper Serial Number Entitlement Tool and entering the device serial number(s). Note that you may need to add columns to the default output to display EoL and EoS status.

You can also search End of Life Notices by platform or software version from the Juniper End of Life Products & Milestones page.

Impact:

EOL Devices of any type present a significant risk to the security of the network.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Administrators should plan to retire all JUNOS Devices before they reach EOS/EOSE.
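
To support that planning, the following added example (not part of the benchmark or of any Juniper or Nessus tooling) estimates the milestone dates from the typical offsets given in the Rationale and flags inventory records that are already past EOSE or EOS. The inventory, hostnames, dates, the `published` override field and the 365-day planning window are assumptions made for illustration; dates from the actual End of Life Notice should always replace the estimates.

```python
from datetime import date, timedelta

def add_years(d, years):
    """Same calendar day N years later; 29 Feb falls back to 28 Feb."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def milestones(eoln, published=None):
    """Typical milestone dates estimated from the EOL notice date.
    Dates published in the actual notice override the estimates."""
    dates = {
        "LOD": eoln + timedelta(days=180),
        "EOSE": add_years(eoln, 3),
        "LRD": add_years(eoln, 4),
        "EOS": add_years(eoln, 5),
    }
    dates.update(published or {})
    return dates

def assess(device, today, plan_days=365):
    """Return (status, compliant) for one inventory record."""
    if device.get("eoln") is None:
        return "no EOL notice", True
    m = milestones(device["eoln"], device.get("published"))
    if today > m["EOS"]:
        return "past EOS", False
    if today > m["EOSE"]:
        return "past EOSE", False
    if today > m["EOSE"] - timedelta(days=plan_days):
        return "EOSE within planning window", True  # assumed warning tier
    return "EOL announced", True

# Constructed inventory: hostnames and dates are sample values only.
INVENTORY = [
    {"host": "edge-rtr-01", "eoln": None},
    {"host": "core-sw-02", "eoln": date(2019, 3, 1)},
    {"host": "dist-sw-03", "eoln": date(2021, 1, 15)},
    {"host": "branch-fw-04", "eoln": date(2022, 2, 1)},
    {"host": "lab-rtr-05", "eoln": date(2021, 1, 15),
     "published": {"EOSE": date(2024, 12, 31)}},
]

def audit(inventory, today):
    """Map each host to its (status, compliant) result."""
    return {d["host"]: assess(d, today) for d in inventory}

if __name__ == "__main__":
    for host, (status, ok) in audit(INVENTORY, date(2024, 6, 1)).items():
        print(f"{host:14} {'PASS' if ok else 'FAIL'}  {status}")
```
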

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7(5), CSCv7|2.2

Plugin: Juniper

Control ID: 97b0cb1dad38065a43be087d8b996cfb317dc9cb5d3b7b50473a39adab3db0bd