3.1.1 Ensure Caller ID is set

Information

Caller restrictions MUST be used when Incoming calls are permitted.

Rationale:

Some JUNOS routers support the use of a dial in modem connection for Telnet/SSH administration of the router from a remote connection over the telephone network.

This can provide a useful out of band management channel, allowing access to a customer router at a remote site when the primary circuit has failed for example, but also creates a new route for attack, allowing a malicious user to bypass firewalls and other defenses.

Even when the phone number for the modem is kept secret, attackers may still discover it through war dialing, possibly narrowing targets by researching the number ranges used by your organization.

To limit the scope for such an attack, the dialer interface should be configured to check the incoming Caller ID for connection attempts, only allowing the connection to proceed when the caller is on a pre-configured list of approved numbers.

Solution

If you have configured a dialer interface to accept incoming calls, you should restrict the allowable Caller ID by entering the following command under the [edit interfaces dln unit 0 dialer-options] hierarchy (where n is the dialer interface number);

[edit interfaces dln unit 0 dialer-options]
user@host#set incoming-map caller <Approved CallerID Number>

Up to 15 caller numbers may be configured on a dialer interface, repeat the command above for each number you wish to add.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(15), CSCv7|11.7

Plugin: Juniper

Control ID: ae16bff76e47151adc833512557ec3cd621babbc7fd1c5cf790ee1695b49054b