3.1.2 Ensure access profile is set to use CHAP

Information

CHAP Authentication MUST be used when Incoming calls are permitted.

Rationale:

Some JUNOS routers support the use of a dial in modem connection for Telnet/SSH administration of the router from a remote connection over the telephone network.

This can provide a useful out of band management channel, allowing access to a customer router at a remote site when the primary circuit has failed for example, but also creates a new route for attack, allowing a malicious user to bypass firewalls and other defenses.

Even when the phone number for the modem is kept secret, attackers may still discover it through war dialing, possibly narrowing targets by researching the number ranges used by your organization.

To limit the scope for such an attack, the dialer interface should be configured to use Challenge Handshake Authentication Protocol (CHAP) before allowing calls to connect. Using CHAP, a username and password can be configured for each user that needs to connect to the router via the modem. The password should not be the same as that used by to login to the routers CLI itself.

Solution

If you have configured a dialer interface to accept incoming calls, you should configure CHAPS authentication using the following commands from the indicated hierarchy (where n is the interface number);

[edit access]
user@host#set profile <profile name> client <username> chap-secret <password>

user@host#top
user@host#edit interface dl <n> unit 0

[edit interfaces dl <n> unit 0]
user@host#set ppp-options chap access-profile <profile name>

Repeat the first command for each user that is required.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(15), CSCv7|11.7

Plugin: Juniper

Control ID: 09a9ce6bd617ff6ef85c518e3f779a59f19ed4b6ca41c49e5f5c3a109004e9b6