6.6.14 Ensure Multi-Factor is used with External AAA

Information

Multi-factor Authentication should be used for management sessions

Rationale:

Even with password complexity restrictions and the use of external AAA servers for centralized control of user authentication, logins based on usernames and passwords are commonly compromised through phishing, brute force or other methods.

Multi-Factor Authentication (sometimes called Two-Factor Authentication or 2FA) provides a significant additional layer of security for management sessions by requiring a username, a password and one or more further factors to all be provided at login.

The additional factor may be an X.509 'SSL' certificate, a Time-Based One-Time Password (TOTP), a physical security token, a fingerprint, some other method, or a combination of these methods.

In all of the cases above, the additional factor presents a significant additional challenge to an attacker attempting to pose as the user and compromise the network.

Multi-Factor Authentication is widely supported by most external AAA services, either through paid-for services such as RSA SecurID or free platforms such as Google Authenticator, so it is included here as a general recommendation relating to AAA and login. However, because Multi-Factor Authentication is implemented on the AAA server, it is not possible to include an audit action or to include this as a scored recommendation.

Impact:

As with any AAA service, Multi-Factor Authentication should be carefully tested, and you should maintain a local password as a backup method so that you are not locked out of your network while implementing such a service.

Default Value:

No External AAA or Multi-Factor Authentication is used by default.

References:

https://en.wikipedia.org/wiki/Multi-factor_authentication

http://tacacs.net/mfa.asp

https://www.rsa.com/en-us/products/rsa-securid-suite

https://wiki.freeradius.org/guide/2FA-Active-Directory-plus-Proxy

http://www.greenrocketsecurity.com/greenradius/2fa/

Additional Information:

While SMS One-Time Passwords are a valid Multi-Factor Authentication method and are easily and cheaply implemented, the susceptibility of SMS to interception makes this one of the weakest methods, and other factors should be employed wherever possible.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(1), CSCv7|11.5, CSCv7|16.3

Plugin: Juniper

Control ID: c2661b92a8db353b4951a4eeb026e1427ae46c9a02b348cda22b0cbd90fde020