Nessus Now Audits Juniper Junos Configuration
Keeping Your Routers and Firewalls in Check
Continuing with the theme of helping you secure and maintain your critical infrastructure (see our previous post: "New Nessus Compliance Checks Available for Check Point GAiA"), we are pleased to announce the availability of Juniper Junos compliance checks. Junos is the underlying operating system (OS) powering Juniper's routers, firewalls, and network switches.
Ensuring a consistent configuration across your entire network infrastructure contributes to a healthy and more secure network. For example, a configuration error could leave an easily exploitable weakness on a device (such as a clear-text management protocol or a default SNMP community string). A successful attack against a router allows someone to sniff all the traffic passing through it, potentially accessing sensitive information or performing man-in-the-middle (MitM) attacks.
New Compliance Checks
To provide Nessus users with a way to audit Junos router/firewall/switch security settings relating to the underlying OS, we've developed a set of checks using the CIS Benchmark for Junos as a guide.
Below is an example of the audit results:
The compliance checks for Junos download the configuration file from the device and use CONFIG_CHECK options to compare values. For example, below is the compliance check for section 6.16.2 of the CIS Benchmark for Junos:

```
<custom_item>
 type        : CONFIG_CHECK
 description : "6.16.2 Require Encrypted Configuration Files"
 info        : "Level 2, Scorable"
 regex       : "set system"
 expect      : "encrypt-configuration-files"
 info        : "Configuration files should be encrypted."
 info        : ""
 info        : "ref: https://benchmarks.cisecurity.org/tools2/CIS_Juniper_JunOS_Benchmark_v1.0.1.pdf pg. 169"
</custom_item>
```
The above check searches the configuration for the entry "encrypt-configuration-files", because the CIS Benchmark requires that configuration files be encrypted on Junos devices. The regex selects the "set system" lines of the downloaded configuration; if none of them contains the "encrypt-configuration-files" entry, the check fails.
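To make the regex/expect logic concrete, here is an added Python example (not Tenable's code) that parses a custom_item like the one above and evaluates it against two constructed Junos configurations in "display set" form. The pass/fail semantics (PASSED when at least one line matching `regex` also matches `expect`) and the config contents are assumptions for illustration, not taken from the Nessus engine.

```python
"""Evaluate a CONFIG_CHECK-style audit item against Junos 'display set' output."""
import re

# Constructed audit item, modelled on the 6.16.2 check shown above.
AUDIT_ITEM = '''
<custom_item>
 type        : CONFIG_CHECK
 description : "6.16.2 Require Encrypted Configuration Files"
 info        : "Level 2, Scorable"
 regex       : "set system"
 expect      : "encrypt-configuration-files"
 info        : "Configuration files should be encrypted."
</custom_item>
'''

# Constructed configs in 'show configuration | display set' form (hypothetical devices).
CONFIG_ENCRYPTED = """\
set system host-name edge-rtr1
set system encrypt-configuration-files
set system services ssh protocol-version v2
"""
CONFIG_PLAIN = """\
set system host-name edge-rtr2
set system services ssh protocol-version v2
set snmp community public authorization read-only
"""


def parse_item(text):
    """Parse 'key : "value"' lines inside <custom_item>; repeated keys (info) become lists."""
    item = {}
    for key, val in re.findall(r'^\s*(\w+)\s*:\s*"?(.*?)"?\s*$', text, re.M):
        item.setdefault(key, []).append(val)
    return item


def config_check(item, config):
    """Assumed semantics: PASSED if some line matching `regex` also matches `expect`."""
    rx = re.compile(item["regex"][0])
    ex = re.compile(item["expect"][0])
    matched = [line for line in config.splitlines() if rx.search(line)]
    if not matched:
        return "FAILED", "regex matched no configuration line"
    hits = [line for line in matched if ex.search(line)]
    if hits:
        return "PASSED", hits[0]
    return "FAILED", f"{len(matched)} line(s) matched regex, none matched expect"


if __name__ == "__main__":
    item = parse_item(AUDIT_ITEM)
    for name, cfg in (("edge-rtr1", CONFIG_ENCRYPTED), ("edge-rtr2", CONFIG_PLAIN)):
        print(name, item["description"][0], *config_check(item, cfg))
```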
Conclusion
The addition of Junos compliance checks allows organizations to use Nessus (and SecurityCenter) to perform compliance auditing against Juniper's line of routers, firewalls, and network switches. If you've standardized on this platform to run your network, this provides valuable information to help you secure your network. Nessus audits the security and policy compliance configurations of Windows, Unix, databases, and virtualization platforms as well. Correlating this information with other sources of vulnerability and events provides you with an in-depth look at the security of your enterprise.
Nessus ProfessionalFeed and SecurityCenter customers can download all the latest compliance checks from the Tenable Support Portal. For more information on using Nessus for compliance auditing, view the Nessus configuration and compliance auditing video.