Solved

Hardening ScreenOS

Posted on 2016-10-18
Last Modified: 2016-10-28
Hello to all of you,
my supervisor has assigned me a new task: write a hardening guide for the operating system ScreenOS installed on NetScreen firewalls.

I'm totally new to NetScreen and I would like to ask if you could provide me some links to start with; then, if it's fine for you, I can share the document and we could review it.

Can it be a good way to proceed?
Thank you
Carlo
Question by:carlettus

Assisted Solution

by: Qlemo
ID: 41849637
Hardening means reducing the attack surface. That is, you switch off "insecure" configuration means like HTTP and Telnet, and allow SSH and HTTPS only. Plus use a secure admin password. And allow configuration access only from the LAN, of course (on the corresponding interface).

The other task is to make the firewall as closed as possible against access from the Internet. By default nothing is allowed to pass from WAN to LAN, but you also need to enable the different screening features on the corresponding interface. Screening checks for typical attacks like port scans, and blocks access temporarily if detected, to prevent further attacks or investigation. The background is that you can get a profile of the firewall OS from the replies to attack packets, and that in turn allows crafting a more targeted attack. Screening can help to prevent such profiling.
Author Comment

by:carlettus
ID: 41850305
Hello and thank you for your message.
I was looking for something specific related to NetScreen ScreenOS; this looks like a good start:
https://shafiqissani.files.wordpress.com/2012/12/juniper-device-hardening-1.pdf

I'll write the document and post it for your consideration.
Thank you
Carlo
Author Comment

by:carlettus
ID: 41859862
Hello,
these are some topics I'm writing down for hardening NetScreen firewalls and ScreenOS.
Can you confirm it's all correct?
Thank you

1) AUXILIARY port

AUX port access to the firewall is possible only via a modem, and by default this setting is off on the firewall for security reasons.
To enable this functionality, enter:
ns-> set int ser0/0 modem dial-in enable

2) Disable Telnet
In order to disable telnet you need to perform the following action:
ns-> unset interface <zone_name> manage telnet

3) Reduce console timeout
You can also modify the console timeout option via the CLI by typing set console timeout 5. Note that a timeout value of 0 will disable the timeout feature. Use the get console command to verify the change:
ns-> set console timeout 5
ns-> get console

Output of get console to confirm the change:

Console timeout: 5(minute), Page size: 22/22, debug: buffer
privilege 250, config was changed and not saved!
ID State Duration Task Type Host
0 Login 660 13433716 Telnet 10.254.5.32:49401
1 Logout 0 13435768 Local
2 Logout 0 13424824 Local
3 Logout 0 13410460 Local

3) Convert SSH v1 to SSH v2 and enable SSH
If SSH v1 was initially configured on the firewall, then all SSH keys from version 1 must be deleted with "delete ssh device all":

ns-> set ssh disabled 
ns-> delete ssh device all

NetScreen output:
   .
    SSH disabled for vsys: 1

    PKA keys deleted from device: 0
    .
    Host keys deleted from device: 1

Execute the 'set ssh version v2' command to activate SSH v2 for the device.
Example:
   
ns-> set ssh version v2

   SSH version 2 has been activated.
Then, enable SSH:
   
ns-> set ssh enable

View the SSH configuration settings with the command 'get ssh'. Note that it should report it is 'active' and 'enabled':
ns-> get ssh
SSH V2 is active
SSH is enabled
SSH is ready for connections
Maximum sessions: 3
Active sessions: 1


Accepted Solution

by: Qlemo
ID: 41860873
1) is wrong. You want to do exactly the opposite: disable AUX.
2) It is <interface_name>, not <zone_name>.

I would add forcing a redirect of HTTP to HTTPS.
And how about disabling HTTP (resp. forcing a redirect to HTTPS)?
set admin http redirect
set ssl enable

But that also requires that you use and assign at least a self-signed certificate, which is best done via the WebUI.

And how about only enabling access on the Trust interface (no Internet config access)?
Author Comment

by:carlettus
ID: 41861656
Great Qlemo ...
I'm still working on it and today I'll post the rest.
Thank you, this is what I really need.
Ciao from Italy
Carlo
Assisted Solution

by: carlettus
ID: 41862255
Hello,
thank you again. Here are some other points I want to point out.
Can you please confirm that the SNMP configuration is correct?
Thank you
Carlo

4) Limit system access to your firewall

The firewall administrator should limit which IP addresses are authorized to perform management services on the OS.
To add a permitted IP address via the CLI, the command to use is [set admin manager-ip].
Example:

ns-> set admin manager-ip 192.168.1.2

5) Secure root account

The root admin account is the most privileged account. It can create and delete other admin accounts and virtual systems, and modify certain aspects of virtual systems. This account can only be stored locally on the firewall, and there must be at least one root admin.

All ScreenOS devices ship with the default username netscreen and the default password netscreen for the root-level account. It's important to change both the username and the password of the root admin account.

ns-> set admin name admin-string
ns-> set admin password password-string

It is recommended to create a read-write administrator (super) to use for regular maintenance.
If that administrator is compromised, there will be no direct root access to the device.

ns-> set admin user super password password-string privilege all
ns-> set admin auth server local

It is recommended to create a read-only administrator (ro-admin). This administrator can only view the configuration and some debugging features are restricted.

ns-> set admin user ro-admin password password-string privilege "read-only"
ns-> set admin auth server local

6) Backup configuration

Save the existing configuration to a TFTP server with the command:
ns-> save config to tftp <tftp_server_ip> <config_filename>

7) SNMP implementation and enforcement

Juniper Networks security devices support SNMPv1 and SNMPv2c by default. Security devices are not shipped with a default configuration for SNMPv3; it's important to configure SNMPv3 in order to implement the authentication and encryption not present in the previous versions.

In order to configure the community name and assign the read-only privilege type:
ns-> set snmp community adminro read-only version v3

Configure an SNMP host that will be allowed to access the Juniper firewall device using the community adminro:

ns-> set snmp host adminro 192.168.1.100 255.255.255.255 trap v3


Assisted Solution

by: Qlemo
ID: 41862406
7) is fine, and the other points are correct and valid.
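As an added example (not from the thread, and not Juniper's or Experts Exchange's code), here is a small Python audit that checks a ScreenOS configuration dump against the points confirmed above, including Qlemo's corrections: AUX dial-in off, Telnet off, management only on trusted interfaces, SSH v2 active and enabled, HTTP redirected to HTTPS, console timeout not 0, manager-ip restricted, a non-default root admin name, and SNMP v3. The configuration sample is constructed, the interface names and the set of Internet-facing interfaces are assumptions, and real `get config` output may quote names differently.

```python
import re

# Constructed sample of a ScreenOS "get config" dump (not captured from a real
# device); the line forms follow the commands quoted in the thread above.
SAMPLE_CONFIG = """
set admin name "netscreen"
set admin manager-ip 192.168.1.2 255.255.255.255
set ssl enable
set console timeout 0
set interface ethernet0/0 manage telnet
set interface ethernet0/1 manage http
set ssh version v2
set ssh enable
set snmp community "public" Read-Only Trap-on version v1
set interface serial0/0 modem dial-in enable
"""

# Assumption: interface names that face the Internet (the Untrust side).
UNTRUSTED = {"ethernet0/1"}


def audit(config, untrusted=UNTRUSTED):
    """Return a list of hardening findings for a ScreenOS config text."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]

    def has(prefix):
        return any(l.startswith(prefix) for l in lines)

    findings = []
    if 'set admin name "netscreen"' in lines:
        findings.append("root admin still uses the default name 'netscreen'")
    if not has("set admin manager-ip"):
        findings.append("no manager-ip restriction on management access")
    if not (has("set admin http redirect") and has("set ssl enable")):
        findings.append("HTTP is not redirected to HTTPS")
    if has("set console timeout 0"):
        findings.append("console timeout is 0, i.e. disabled")
    if not (has("set ssh version v2") and has("set ssh enable")):
        findings.append("SSH v2 is not both active and enabled")
    if any("modem dial-in enable" in l for l in lines):
        findings.append("AUX/modem dial-in is enabled")
    for l in lines:
        m = re.match(r"set interface (\S+) manage (\w+)", l)
        if m and m.group(2) == "telnet":
            findings.append(f"telnet management enabled on {m.group(1)}")
        if m and m.group(1) in untrusted:
            findings.append(f"{m.group(2)} management exposed on {m.group(1)}")
        s = re.match(r"set snmp community \S+ .*version (\S+)", l)
        if s and s.group(1) != "v3":
            findings.append(f"SNMP community uses {s.group(1)} instead of v3")
    return findings
```

Calling audit(SAMPLE_CONFIG) on the constructed dump reports seven findings; a dump that applies every point in the thread returns an empty list.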
 

Author Closing Comment

by:carlettus
ID: 41863728
Thank you, I've just passed the document to my supervisor.
All should be fine. I'll come back if there are changes.
This cross-check was useful.
Carlo