Introduction Outline Preparation Set BIOS Passwords First Boot Procedures... 2

Transcription

1 CTP Series Security Deployment Guide Release 7.2R1 5 Feb 2016 TABLE OF CONTENTS Introduction... 2 Outline... 2 Preparation... 2 Set BIOS Passwords... 2 First Boot Procedures... 2 Configuration Actions While in Low Security Level Mode... 2 Periodic security actions... 3 Appendix B: Adding antivirus capability... 3 Appendix C: Installing Swatch... 4 Security Related Enhancements in CTPOS 7.1R Security Related Enhancements in CTPOS 7.2R UC APL Required Information... 9 Conditions Of Fielding... 9 Mitigation Strategies... 9 Juniper Networks, Inc. 1

2 Introduction This document outlines the procedure for configuring CTPOS 7.2R1 so that the system meets the JITC security specifications. The procedures outlined here assume that the system starts with a clean flash. Outline The procedures for configuring the CTP are as follows: Preparation Set BIOS password First boot procedure Configuration actions performed in low security mode Set the security level to high Configuration actions performed in high security mode Periodic actions during normal operation Preparation Gather the following information that will be needed for configuration: BIOS password Grub password Root password Network settings System administrator account name CTP administrator account name Auditor account name Set BIOS Passwords CTP2000 and CTP150 Series Systems 1. Connect a keyboard and monitor to the CTP150/CTP Reboot the CTP 3. Hit F2 on the CTP150/CTP2000 to access the BIOS 4. Hit Delete key on the CTP150/CTP2000 to access the BIOS 5. Go to the Security section 6. Set the Supervisor password 7. Set the User password 8. Save and Exit the BIOS First Boot Procedures When prompted, enter a password for root that meets JITC requirements (14 character with a minimum of 1 each upper case, lower case, numeral, and special character). Configure the network parameters. Configuration Actions While in Low Security Level Mode Log in as user ctp and, through menu >node operations > configure network settings. Then configure: Any additional IPv4 configurations. o A minimum of two Ethernet s are required, one for data traffic and one for management. Any required virtual IP addresses. Juniper Networks, Inc. 2

3 Any required VLAN s. Configure SNMP. Configure IP filtering to allow only the IP address of the CTPView web server(s). Enter the security profile menu [menu > node operations > Configure security profile]. Use root's password when prompted. Perform the following actions: 1. Set the password requirements. 14, 1, 1, 1, 1, 3 2. Add the system administrator, ctp administrator, and auditor accounts. Note, you will be prompted to setup a password for each user. 3. Configure remote logging if required. 4. Add the login banner as required. Example login banner: THIS IS A DEPARTMENT OF DEFENSE COMPUTER SYSTEM. THIS COMPUTER SYSTEM, INCLUDING ALL RELATED EQUIPMENT, NETWORKS, AND NETWORK DEVICES, SPECIFICALLY INCLUDING INTERNET ACCESS, ARE PROVIDED ONLY FOR AUTHORIZED US GOVERNMENT USE. DoD COMPUTER SYSTEMS MAY BE MONITORED FOR ALL LAWFUL PURPOSES, INCLUDING TO ENSURE THEIR USE IS AUTHORIZED, FOR MANAGEMENT OF THE SYSTEM, TO FACILITATE PROTECTION AGAINST UNAUTHORIZED ACCESS, AND TO VERIFY SECURITY PROCEDURES, SURVIVABILITY, AND OPERATIONAL SECURITY. MONITORING INCLUDES ACTIVE ATTACKS BY AUTHORIZED DoD ENTITIES TO TEST OR VERIFY THE SECURITY OF THIS SYSTEM. DURING MONITORING, INFORMATION MAY BE EXAMINED, RECORDED, COPIED, AND USED FOR AUTHORIZED PURPOSES. ALL INFORMATION, INCLUDING PERSONAL INFORMATION, PLACED ON OR SENT OVER THIS SYSTEM, MAY BE MONITORED. 5. Configure the management port to prohibit traffic forwarding between the management interface and all other interfaces. 6. Set the encrypted Grub password. As the user ctp, access the command line by typing ^C, then su to root. As user root: Add & configure the intrusion detection software (see appendix C). Add the antivirus software (see appendix B). Check /etc/sysconfig/iptables and make sure it s permissions are 644 if not then: o Changes the permissions: chmod 644 /etc/sysconfig/iptables o Verify it is changed o Backup the changes in Flash: Use backup command on CTP Box. As the system administrator, enter the security profile menu [menu > node operations > Configure security level] and perform the following actions: Set the security level to High Periodic security actions A system administrator must change the password for the ctp_cmd account at least once per year. Appendix B: Adding antivirus capability You can download the Vexira software at the following link: The procedure of installing the software on CTP is as following: Juniper Networks, Inc. 3

4 Prepare the CTP by making the /flash_local directory writable sudo mount LABEL=CTP_LOCAL -o remount -w sudo chmod 0777 /flash_local SCP package to the CTP scp vascan-for-ctp-ctpview-30aug2011.tgz Unpack the package into the directory "/" sudo tar -C / -xzvf /flash_local/vascan-for-ctp-ctpview-30aug2011.tgz Delete the package from the /flash_local directory [ctp_sa@n73]# sudo rm /flash_local/vascan-for-ctp-ctpview-30aug2011.tgz Restore the /flash_local directory to read-only again [ctp_sa@n73]# sudo chmod 0755 /flash_local [ctp_sa@n73]# sudo mount LABEL=CTP_LOCAL -o remount r Copying the package to flash [ctp_sa@n73]# backup Move to working directory [ctp_sa@n73]# cd /vascan linux-i386/ Execute scan [ctp_sa@n73]# sudo./vascan --quiet --thread=8 / Sample output vascan loader ( ) core ( ) vdb ( ) #sig: target was processed in 0:00:49 (hour:min:secs). Summary of completed scans files (total) 4926 in archives 213 mail parts 4 No virus has been found in the specified targets. Appendix C: Installing Swatch Obtain a copy of the Swatch software from Install Swatch on a LINUX Fedora Core 1 machine. To install, simply issue the following commands: perl Makefile.PL make make test make install make realclean Swatch installs just like a CPAN module. If you are not familiar with this process then you may want to read about it by issuing the command: man ExtUtils::MakeMaker Use the "perldoc" command if your "man" cannot find the document. Juniper Networks, Inc. 4

5 If you see messages like these: Warning: prerequisite Date::Calc 0 not found at (eval 1) line 219. Warning: prerequisite Date::Parse 0 not found at (eval 1) line 219. Warning: prerequisite File::Tail 0 not found at (eval 1) line 219. Warning: prerequisite Time::HiRes 1.12 not found at (eval 1) line 219. Then you need to install the CPAN module(s) that it doesn't find before you can use swatch. You can find these modules at search.cpan.org. Verify and/or set the permissions on the files listed below as shown: :46:42 etc/ :46:42 etc/rc.d/ :46:42 etc/rc.d/init.d/ -rwxr--r-- root/root :48:14 etc/rc.d/init.d/swatch :46:42 usr/ :46:42 usr/local/ :46:42 usr/local/etc/ -rw root/root :48:14 usr/local/etc/swatch.conf :46:42 usr/bin/ -rwx root/root :48:38 usr/bin/swatch :46:42 usr/lib/ :46:42 usr/lib/perl5/ :46:42 usr/lib/perl5/site_perl/ :46:42 usr/lib/perl5/site_perl/5.8.1/ :46:42 usr/lib/perl5/site_perl/5.8.1/auto/ :46:42 usr/lib/perl5/site_perl/5.8.1/auto/swatch/ :46:42 usr/lib/perl5/site_perl/5.8.1/auto/swatch/actions/ -r--r--r-- root/root :48:38 usr/lib/perl5/site_perl/5.8.1/auto/swatch/actions/autosplit.ix :46:42 usr/lib/perl5/site_perl/5.8.1/swatch/ -r--r--r-- root/root :53:22 usr/lib/perl5/site_perl/5.8.1/swatch/throttle.pm -r--r--r-- root/root :53:22 usr/lib/perl5/site_perl/5.8.1/swatch/threshold.pm -r--r--r-- root/root :53:22 usr/lib/perl5/site_perl/5.8.1/swatch/actions.pm README NOTE: Swatch is a third party application, and running swatch may adversely affect the operation of CTP functionality, including but not limited to circuits. This README only describes how to install & run Swatch, it does not imply that running Swatch has been fully tested by Juniper to ensure that Swatch does not impact CTP functionality, nor does it imply that the example Swatch configuration file is sufficient to detect an intrusion event. Because Swatch is a third party application, there is no support for configuring Swatch on a CTP. Support for Swatch is limited to this README. INTRODUCTION: The application Swatch is an intrusion detection system that watches log files for signature events. Which log messages trigger an event and what to do for each event are determined by the configuration file. See the Swatch man pages on-line for detailed information on the configuration file format. NOTE: CTPOS has no mail application. The example configuration file uses the command 'cmd L "swatch: $_"' to send the matched log entry to a remote syslog server (remote logging must be configured). Other commands that are useful include "echo" (echos the matched log entry to terminal- useful when debugging swatch.conf), "threshold" (useful for limiting the number of messages sent to syslog server), and "continue" (used to look for a second log entry before triggering an event). NOTE: Sending messages to a syslog server at a high rate may cause CTP circuit traffic interruptions. NOTE: There is no mechanism for Swatch to generate snmptraps. Juniper Networks, Inc. 5

6 The files listed must be included in the tar archive that they will copy to the CTP. The files must have the permissions & ownerships listed. Above are the files that must be included in the archive (archive named swatch tgz). Once installed on the FC1 machine you need to create a tar file from the files installed to install Swatch on the CTP. The archive can be named whatever you want. In this example the archive is swatch tgz: TYPE: tar czpvf swatch tgz <files listed above> PREPARE CTPOS for Swatch (see example below): copy the file swatch tgz to /tmp on the CTP. as root type: tar xzpvf /tmp/swatch tgz -C / backup EDIT CTP FILES: Edit the two CTP files below so they contain the information below. The two files specific to running on the CTP are etc/rc.d/init.d/swatch and usr/local/etc/swatch.conf. [builder@fc1 swatch]$ cat usr/local/etc/swatch.conf # Don't get into loop triggering on messages we generate... ignore /swatch:/ # Watch for users using su: watchfor /su\(pam_unix/ #echo exec /acorn/bin/cmd -L "swatch: $_" # watch for failed logins watchfor /PAM: Authentication failure/ #echo exec /acorn/bin/cmd -L "swatch: $_" # watch for attempted logins with unknown users watchfor /PAM: User not known/ #echo exec /acorn/bin/cmd -L "swatch: $_ [builder@fc1 swatch]$ cat etc/rc.d/init.d/swatch #!/bin/bash # # network Bring up/down swatch # # Source function library.. /etc/init.d/functions if [ $UID -ne 0 ]; then echo $" " echo $"You must be root to run this command" echo $" " exit 1 fi name="swatch" CONFIG_FILE="/usr/local/etc/swatch.conf" # Configuration file PROG="/usr/bin/swatch" # WATCH_FILES="/var/log/secure" # Which log files to watch PID_FILE="/var/run/swatch.pid" Juniper Networks, Inc. 6

7 SCRIPT_FILE="/root/.swatch" [ -f ${CONFIG_FILE} ] exit 0 [ -x ${PROG} ] exit 0 start() { if [ -f ${PID_FILE} ]; then echo "swatch is already running" exit 0 fi ${PROG} -c ${CONFIG_FILE} --daemon --use-cpan-file-tail -t ${WATCH_FILES} --pid-file ${PID_FILE} --dump-script ${SCRIPT_FILE} echo -n $"Starting $name: " /usr/bin/perl -- ${SCRIPT_FILE} & RETVAL=$? echo [ $RETVAL -eq 0 ] && touch /var/lock/subsys/$name return $RETVAL } stop() { echo -n $"Shutting down $name: " killproc ${PROG} RETVAL=$? echo [ -f /var/lock/subsys/$name ] && rm -f /var/lock/subsys/$name return $RETVAL } # See how we were called. case "$1" in start) start ;; stop) stop ;; restart) cd $CWD $0 stop $0 start ;; *) echo $"Usage: $0 {start stop restart}" exit 1 esac exit 0 MAKE INIT SCRIPTS: The last step is to make init script links (as root): cd /etc/rc.d/rc3.d && ln -s../init.d/swatch S98swatch cd /etc/rc.d/rc5.d && ln -s../init.d/swatch S98swatch cd /etc/rc.d/rc0.d && ln -s../init.d/swatch K04swatch cd /etc/rc.d/rc1.d && ln -s../init.d/swatch K04swatch cd /etc/rc.d/rc6.d && ln -s../init.d/swatch K04swatch backup OTHER: To start Swatch from the command line, as root: Juniper Networks, Inc. 7

8 /etc/init.d/swatch start To stop Swatch from the command line, as root: /etc/init.d/swatch stop To stop Swatch from running on startup: m cd /etc/rc.d/rc3.d && rm S98swatch cd /etc/rc.d/rc5.d && rm S98swatch backup Security Related Enhancements in CTPOS 7.1R1 CTPOS 7.1R1 installed on a CTP Box provides the facility to classify the CTP as an appliance in High Security level. CTP behavior is little bit different in CTPOS 7.1R1 compared to 7.0 or earlier releases. Some changes are made for all security levels while others are only for the High Security Level (JITC mode). Based on this, enhancements for CTPOS 7.1R1 are divided into the following two categories Enhancements for High Security Level (JITC mode) Enhancements for all Security Levels Enhancements for High Security Level (JITC mode): CTP is shell-less in High Security level or JITC mode. When CTP is in JITC mode or High level security mode, ctp_cmd user will not have access to CTP box. In JITC mode, System Administrators, System Auditors, CTP Administrator and Qry-only Users will directly enter in menu session upon login and ctp_cmd user will not be able to login to CTP box. ctp_cmd user will receive the error Connection Refused on login. While in Non JITC mode (for security level Low and Very Low) there is no change in behavior, System Administrators, System Auditors and ctp_cmd users will go to shell after login and CTP Administrators and Qry-only users will go to menu directly after login. In JITC mode, during password change new password should be different from the old password such that characters are changed in at least 15 of the positions within the password In JITC mode, system will not respond to ICMP echo request. System will be able to ping other boxes but will not respond to any ping request coming from any CTP box or server. In JITC mode, Admin user (System Admin and CTP Admin) can open at max 5 ssh session simultaneously. In JITC mode, the CTP user account gets permanently locked if the user does not login for 35 days. In JITC mode, user account will get lock after three unsuccessful login attempts. Locked user will automatically get unlocked after 15 minutes. Enhancements for all Security Levels: Upon successful login to CTP box, timestamp for last successful login will be displayed. Upon successful login, CTP box displays the number of unsuccessful login attempts since the last successful login for a user account. Juniper Networks, Inc. 8

9 The SSH daemon is now configured to not use Cipher-Block Chaining (CBC) ciphers. The SSH client is now configured to not use CBC-based ciphers. The SSH daemon is now configured to not allow TCP connection forwarding. NOTE: When burning 7.1R1 flash in CTP box it is recommended to change the password for all default accounts after the flash burn. Security Related Enhancements in CTPOS 7.2R1 CTP behavior is little bit different in CTPOS 7.2R1 compared to 7.1 or earlier releases. Following are the changes that are made for all security levels to meet the JITC requirements: NTP Authentication is supported on CTP devices from 7.2R1 release. Prior to 7.2R1 release, for radius user, there is no way of identifying which user actually logged in to the system as secure logs only dump the template account name and not the actual user. The actual radius user name will also be logged in to the secure logs from 7.2R1 release. Pam_faildelay rule is now added in /etc/pam.d/system-auth file. UC APL Required Information Conditions Of Fielding When the system is deployed into an operational environment, the following security measures (at a minimum) must be implemented to ensure an acceptable level of risk for the site s Designated Accrediting Authority (DAA): a. The system must be incorporated in the site s PKI. If PKI is not incorporated, the following findings will be included in the site s architecture: DSN18.10 for CTPView Application (Juniper CTPView Network Management) NET0445 for CTPView Application (Juniper CTPView Network Management) b. The site must use a SysLog device for auditing purposes. c. IP forwarding is enabled between devices with a restrictive Access Control List (ACL). If the system is not deployed in this manner then the following findings will be included in the site s architecture: GEN for all CTP 150 s and CTP 2000 s d. The site must only use the web interface (CTPView platform) for management. If the solution is managed in any other way then the following findings will be applicable to the solution: DSN and DSN18.10 NET0445 e. The configuration must be in compliance with the Juniper CTP military-unique features deployment guide. f. The site must register the system in the Systems Networks Approval Process Database < as directed by the Defense IA/Security Accreditation Work Group (DSAWG) and Program Management Office. Mitigation Strategies None required. Juniper Networks, Inc. 9

10 Corporate and Sales Headquarters Juniper Networks, Inc North Mathilda Avenue Sunnyvale, CA USA Phone: 888.JUNIPER ( ) or Fax: APAC Headquarters Juniper Networks (Hong Kong) 26/F, Cityplaza One 1111 King s Road Taikoo Shing, Hong Kong Phone: Fax: EMEA Headquarters Juniper Networks Ireland Airside Business Park Swords, County Dublin, Ireland Phone: EMEA Sales: Fax: Juniper Networks, Inc. 10 Copyright 2010 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their

11 respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. Mon 2010 Juniper Networks, Inc. 11