6.11.4 Ensure Console Port is Set as Insecure

Information

The JUNOS Device's Console Port should be set as Insecure.

Rationale:

Administrators often use the Console Port to configure the JUNOS Device when they have physical access to the device.

In high security environments, or in deployments where the physical security of the router is minimal, such as CPE (Customer Premises Equipment), Point of Sale (POS) or Branch Office installations, it is important to prevent both customers and intruders from accessing the Device's CLI or using the Password Recovery process through the Console Port.

Normally, if an attacker is able to connect a console cable and then restart the device, it is possible to reset the root password in order to gain full control.

To prevent this, the Console Port should be set as Insecure. This option, which persists after restart, prevents login to the JUNOS Device's Console Port using the Root account. When rebooting the JUNOS Device, the Root password will be required before beginning the Password Recovery process, such as booting into Single User Mode or running the Password Recovery Utility (depending on model).

Impact:

The Console Port will not permit logins using the Root account.

On reboot, access to the Password Recovery process will require the Root password to be entered.

Solution

To set the Console Port as Insecure, issue the following command from the [edit system ports] hierarchy:

[edit system ports]
user@host# set console insecure

Default Value:

By default, Root password recovery is possible from the console.
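
One way to audit this setting offline, as an added example that is not part of the benchmark or of the Juniper plugin: the checker below reads saved configuration text in either `display set` or curly-brace format and reports whether `console insecure` is present and active. The function name and the sample configurations are constructed for illustration, and settings inherited from configuration groups are assumed not to be in use.

```python
import re

TARGET = ("system", "ports", "console", "insecure")

def console_insecure_active(config: str) -> bool:
    """True if 'console insecure' is configured and not deactivated."""
    present = inactive = False
    stack = []  # open hierarchy levels as (words, is_inactive)
    for raw in config.splitlines():
        line = re.sub(r"\s*##.*$", "", raw).strip()  # drop '## ...' annotations
        words = line.rstrip(";{").split()
        if not words or line.startswith(("#", "/*")):
            continue
        if words[0] == "set":  # 'display set' format: one leaf per line
            present |= tuple(words[1:]) == TARGET
        elif words[0] == "deactivate":  # deactivating any parent disables the leaf
            inactive |= len(words) > 1 and tuple(words[1:]) == TARGET[:len(words) - 1]
        elif line == "}":
            del stack[-1:]  # close the innermost level (safe if unbalanced)
        else:  # hierarchical (curly-brace) format
            off = words[0] == "inactive:"
            if off:
                words = words[1:]
            if line.endswith("{"):
                stack.append((words, off))
                continue
            full = [w for level, _ in stack for w in level] + words
            if tuple(full[:3]) == TARGET[:3] and "insecure" in full[3:]:
                present = True
                inactive |= off or any(flag for _, flag in stack)
    return present and not inactive

# Constructed sample configurations (not taken from a real device).
SET_OK = "set system host-name branch-01\nset system ports console insecure\n"
SET_DEACTIVATED = SET_OK + "deactivate system ports console\n"
HIER_BRACED = """
system {
    ports {
        console {
            log-out-on-disconnect;
            insecure;
        }
    }
}
"""
HIER_INACTIVE = "system {\n    inactive: ports {\n        console insecure;\n    }\n}\n"
DEFAULT = "system {\n    host-name branch-01;\n}\n"
```

A statement that is present but deactivated is reported as a failure, because a deactivated statement has no effect on the running device.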

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2, CSCv7|4

Plugin: Juniper

Control ID: 2c8c4f72697f161f4451f08d14ab1f0f27fa9ae1262b5b0c408fbb40918bc97f