Go! Junos Default Security Features
Junos OS has a number of default behaviors that contribute to router security, behaviors that immediately take effect once you perform the initial router configuration (see Chapter 6 for the initial configuration process).
- Router access: By default, the only way to access the router is through a physical connection to its console port. To perform the initial configuration, you must connect a laptop or other terminal directly to that port. All other management access, including the remote management protocols Telnet, FTP, and SSH (Secure Shell), is disabled. (On the J-series routers, the Web interface is enabled by default to aid in initial system configuration.) Once the initial configuration is complete, you need to enable a way to log in to the router remotely so you don't have to be physically present at the console port. SSH provides the best security, and you configure it as follows:
fred@router# set system services ssh
- Configuring the router with SNMP set commands: Junos OS does not support the SNMP set capability for editing configuration data, the capability that lets a network management system (NMS) modify the configuration of managed network devices. Junos OS does, by default, allow SNMP to query the status of the router, although no known security risks are associated with this.
- Directed broadcast messages: Junos OS doesn't forward these messages, which are datagrams with a destination address of an IP subnetwork broadcast ...
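As an added example (not from the book), a small Python audit that checks a Junos `show configuration | display set` dump against the defaults listed above: SSH enabled, Telnet and FTP left off, no read-write SNMP community, and no interface with directed broadcast turned on. The sample configuration is constructed, and the `targeted-broadcast` statement and the `authorization read-write` form are assumed here to be the knobs that re-enable those behaviors.

```python
"""Audit a Junos 'display set' configuration dump against the default
security posture described in the text. Added example; the rules and the
sample configuration below are assumptions, not the book's own material."""
import re

# Constructed sample: a configuration that re-enables several defaults
SAMPLE_CONFIG = """\
set system host-name router
set system services ssh
set system services telnet
set snmp community public authorization read-only
set snmp community private authorization read-write
set interfaces ge-0/0/0 unit 0 family inet targeted-broadcast
"""


def audit(config_text):
    """Return a sorted list of findings for a 'set ...' style config dump."""
    lines = {ln.strip() for ln in config_text.splitlines()
             if ln.strip().startswith("set ")}
    findings = []
    # Remote access: SSH should be the enabled service; Telnet/FTP stay off
    if not any(ln.startswith("set system services ssh") for ln in lines):
        findings.append("ssh not enabled: only console access is possible")
    for svc in ("telnet", "ftp"):
        if any(ln.startswith(f"set system services {svc}") for ln in lines):
            findings.append(f"{svc} enabled: clear-text management protocol")
    # SNMP: the text notes Junos ignores SNMP set for configuration, but a
    # read-write community is still a deviation from the read-only default
    for ln in lines:
        m = re.match(r"set snmp community (\S+) authorization read-write", ln)
        if m:
            findings.append(f"snmp community {m.group(1)} is read-write")
    # Directed broadcast forwarding is off by default; flag interfaces that
    # turn it on (assumed statement: family inet targeted-broadcast)
    for ln in lines:
        m = re.match(r"set interfaces (\S+) unit (\d+) family inet "
                     r"targeted-broadcast", ln)
        if m:
            findings.append(
                f"directed broadcast enabled on {m.group(1)}.{m.group(2)}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```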