3.1.3 Forbid Dial in Access

Information

Dial in access should not be used on sensitive routers.

Rationale:

Some JUNOS routers support the use of a dial in modem connection for Telnet/SSH administration of the router from a remote connection over the telephone network.

This can provide a useful out-of-band management channel (for example, reaching a customer router at a remote site when the primary circuit has failed), but it also creates a new route for attack, allowing a malicious user to bypass firewalls and other defenses.

Even when the phone number for the modem is kept secret, attackers may still discover it through war dialing, possibly narrowing targets by researching the number ranges used by your organization.

For sensitive routers, such as those in a PCI DSS Cardholder Data Environment, the protective measures available for dial-in access are insufficient and no dial-in access should be used. If the modem is not required for other services, it should be physically removed from the router.

Solution

If you have configured a dialer interface to accept incoming calls, disable it using the following command from the [edit interfaces] hierarchy (where n is the dialer interface number, e.g. dl0):

[edit interfaces]
user@host# delete dl<n>
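The check below is an added example of how an auditor can detect this condition offline; it is not part of the CIS benchmark or Tenable's plugin. It assumes the router configuration was exported in "set" format (the output of show configuration | display set) and that a dialer interface that accepts incoming calls carries an incoming-map statement under its dialer-options. The sample configuration is constructed for this example.

```python
import re
from typing import Dict, List

# Constructed sample of "show configuration | display set" output (not from a real device).
SAMPLE_SET_CONFIG = """\
set system host-name edge-rtr-1
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.1/30
set interfaces dl0 unit 0 dialer-options pool dial-pool
set interfaces dl0 unit 0 dialer-options incoming-map accept-all
set interfaces dl0 unit 0 family inet address 198.51.100.1/32
set interfaces lo0 unit 0 family inet address 203.0.113.1/32
"""

# Matches any statement configuring a dialer interface (dl<n>).
DIALER_IF = re.compile(r"^set interfaces (dl\d+)\b")


def find_dialer_interfaces(set_config: str) -> Dict[str, List[str]]:
    """Group every set-format line belonging to a dl<n> interface by interface name."""
    found: Dict[str, List[str]] = {}
    for raw in set_config.splitlines():
        line = raw.strip()
        match = DIALER_IF.match(line)
        if match:
            found.setdefault(match.group(1), []).append(line)
    return found


def accepts_incoming_calls(lines: List[str]) -> bool:
    """Assumption: an incoming-map statement means the dialer answers inbound calls."""
    return any(" incoming-map " in f" {line} " for line in lines)


def audit(set_config: str) -> List[dict]:
    """One finding per dialer interface; the benchmark wants every such interface removed."""
    findings = []
    for name, lines in sorted(find_dialer_interfaces(set_config).items()):
        findings.append({
            "interface": name,
            "accepts_incoming": accepts_incoming_calls(lines),
            # Top-level form of the remediation command from the benchmark.
            "remediation": f"delete interfaces {name}",
        })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SET_CONFIG):
        status = "accepts incoming calls" if finding["accepts_incoming"] else "configured"
        print(f"FAIL: {finding['interface']} {status}; fix: {finding['remediation']}")
```

Running the script over the constructed sample reports dl0 as a failing interface and prints the remediation command; a configuration with no dl<n> interfaces produces no findings.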

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: IDENTIFICATION AND AUTHENTICATION, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|IA-2(1), 800-53|SI-4, CSCv7|9.2, CSCv7|11.5

Plugin: Juniper

Control ID: f24e4cf776edff76e138e57622981fc479d84382613b10095be60f216d125d6e