[EOL/EOE] Hardening NSM using IP tables


Article ID: KB25681
KB Last Updated: 18 Oct 2020
Version: 4.0
Summary:

Note: A product listed in this article has either reached hardware End of Life (EOL) or software End of Engineering (EOE). Refer to End of Life Products & Milestones for the EOL, EOE, and End of Support (EOS) dates.


A vulnerability scan or penetration testing on an NSM server might result in a report like this:

"A backdoor or trojan may be running on the system on ports 10000, 11223, 12345, 12754, 16969, 20034, 27665, 29891, 30029, 30100, 30102, 31337, 33270, 33333, 34324, 53001, 7597, 8000, 8080, 8081, 8090, 8888, 9000, 9999 etc."

This article explains why a scanner reports these ports and suggests how to secure the NSM server by restricting inbound traffic to the ports NSM actually uses.

Symptoms:

A vulnerability scan reports ports on the NSM server that are not associated with any NSM service. Unrestricted ports widen the attack surface and need to be closed.

Solution:

Most network management systems are designed to be reachable without restriction. Moreover, the devices managed by a network management system often initiate connections from their side to the Network Management Server, so the server must accept inbound connections from many sources.

In some cases, the Network Management Server also acts as a centralized log server, NetFlow collector, SIM/SIEM server, correlation engine, endpoint enforcement server, FCAPS server, and more.

Different services need different ports to be available. For example, a traditional syslog server listens on UDP port 514, but some customers run syslog over TCP instead (port 1514 is a common choice) so that the transport can be wrapped in TLS for encryption and authentication, so that delivery is reliable enough to meet compliance requirements, and so that it is harder to inject forged log messages, which is trivial over connectionless UDP with tools like netcat or socat. The Network Management Server, therefore, must be able to listen on whatever ports the deployment demands.

The Juniper NSM solution is designed with these requirements in mind. In particular, the ISO/OSI network management model (FCAPS) is one of the most commonly used frameworks for NMS design.

Once you are sure of the scope of your Network Management Server deployment, harden the server by closing all unused ports and services. After vulnerability scanning or penetration testing the NMS, you will typically find a number of reported ports that are not associated with any application. It is your responsibility to close them to reduce the opportunity for intrusion and privilege escalation.

Installing NSM does not harden the underlying Unix host. Without a host firewall, nothing restricts which ports a process on the box may listen on, and a scanner cannot tell which ports NSM really uses. If you read the scan report closely, you will notice it is not reporting that a backdoor was found: it is warning that the well-known trojan port numbers in its list are not filtered, so some application could come to be associated with them. Before writing any rules, confirm what is actually listening on the host (for example with netstat -lntup or ss -lntup) and compare it against the ports NSM and its clients and managed devices need.

You can use iptables rules to block all unused ports and harden the system. Use a default-deny inbound policy that permits only the NSM, administrative and logging ports you identified, rather than a blocklist of the ports named in the scan report; a blocklist leaves every other port just as exposed. Apply the rules from the console or from an administrative address that the rules permit, so that you cannot lock yourself out of NSM or SSH, and keep the ports that managed devices connect to open, since those connections originate from the devices. The following document explains how to close the open ports by using iptables: "Securing and Hardening NSM Using IP Tables".
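An added example of the default-deny approach described above, written for this article and not taken from Juniper's "Securing and Hardening NSM Using IP Tables" document or from NSM itself. It generates an iptables-restore ruleset that admits loopback, established traffic, rate-limited ping, SSH from an administrative subnet, the NSM server ports, and the UDP 514 / TCP 1514 syslog listeners discussed in the syslog paragraph, and logs and drops everything else. The administrative subnet (10.0.0.0/24) and the NSM TCP ports (7800 and 7801) are assumptions; take the authoritative port list from the NSM documentation for your release and override the variables before applying. ruleset_allows is a pre-flight check that the generated policy admits each port you expect and none of the ports the scanner flagged.

```shell
#!/bin/sh
# Added example (not Juniper's document): default-deny iptables ruleset for an
# NSM host, emitted in iptables-restore format. Port numbers are ASSUMPTIONS;
# confirm them against the NSM port documentation before use.
set -eu

MGMT_NET="${MGMT_NET:-10.0.0.0/24}"          # assumed admin workstation subnet
NSM_TCP_PORTS="${NSM_TCP_PORTS:-7800 7801}"  # assumed NSM device/GUI server ports
SYSLOG_UDP_PORT="${SYSLOG_UDP_PORT:-514}"    # traditional syslog listener
SYSLOG_TCP_PORT="${SYSLOG_TCP_PORT:-1514}"   # TCP syslog listener (see article)
SSH_PORT="${SSH_PORT:-22}"

# Print the ruleset. Nothing is applied here; see apply_ruleset.
nsm_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:NSM-LOGDROP - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
-A INPUT -p tcp -s ${MGMT_NET} --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
EOF
    # Managed devices and GUI clients connect inbound to these ports; keep them
    # open from anywhere unless you can enumerate every device address.
    for p in $NSM_TCP_PORTS; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    cat <<EOF
-A INPUT -p udp --dport ${SYSLOG_UDP_PORT} -j ACCEPT
-A INPUT -p tcp --dport ${SYSLOG_TCP_PORT} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j NSM-LOGDROP
-A NSM-LOGDROP -m limit --limit 10/minute -j LOG --log-prefix "NSM-DROP: "
-A NSM-LOGDROP -j DROP
COMMIT
EOF
}

# Pre-flight check: return 0 if the generated ruleset has an ACCEPT rule for
# the given protocol and destination port. Every port NSM needs must pass;
# the scanner's "backdoor" ports (31337, 12345, ...) must not.
ruleset_allows() {
    nsm_ruleset | grep -q -- "-p $1 .*--dport $2 .*-j ACCEPT"
}

# Atomically replace the filter table. Run as root from the console or from an
# address inside MGMT_NET, and only after ruleset_allows checks pass.
apply_ruleset() {
    nsm_ruleset | iptables-restore
}

# Post-apply verification: active rules next to what is actually listening.
show_state() {
    iptables -S INPUT
    ss -lntup
}

case "${1:-}" in
    --apply) apply_ruleset ;;
    --show)  show_state ;;
    *)       nsm_ruleset ;;   # default: print the ruleset for review
esac
```

Run the script with no arguments to review the generated rules, with --apply as root to load them, and with --show afterwards to compare the active rules against the listening sockets; rules loaded with iptables-restore are not persistent across reboots, so save them with your distribution's iptables service mechanism once they are verified.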

Modification History:
2020-10-18: Tagged article for EOL/EOE.