CTPView Management System - Juniper Networks


Security Deployment Guide 7.2R1

CTPView Management System
Security Deployment Guide
Release 7.2R1
5 Feb 2016

TABLE OF CONTENTS

Introduction
Security Level
  Security Level Description for Web UI
    high
  Security Level Description for OS
    very-low
    low
    high
  Allowed Attribute Ranges
Updating Existing User Accounts
  Web UI
  OS
Configuring a New CTPView Server
  Default Password
  Change the BIOS Menu Password
  Change the Server's Root Account Password
    sudo passwd
  Review System Security Level
  Change the GRUB Boot Loader Password
  Change the MySQL Apache Account Password
  Change the MySQL Administrator Password
  Configuring Network Access
  Updating the CTPView Software
  Create New Users
  Delete Default System Administrator Account

Logging into the CTPView Web UI
  https:// your server IP address
  Create New User Accounts
  Delete Default Global Admin Account
  Add Login Banner
  Configure AIDE (Advanced Intrusion Detection Environment)
  Configure SWATCH (Log Watcher)
  Configure Two-Factor Authentication
  Install Anti Virus Software
  Baseline Files with SUID Bit Set
    sudo find / -perm -4000 xargs ls -l /tmp/baseline suid
  Baseline Files with SGID Bit Set
    sudo find / -perm -2000 xargs ls -l /tmp/baseline sgid
Discussion of Security Enhancements in CTPView
  Security Related Enhancements in CTPView 7.2R1
Discussion of Server File System Monitoring
  WARNING
Discussion of CTPView Logging
  Summary of Logs
    /var/log/acorn event.log
    /var/log/acorn gui.log
    /var/log/audit/audit.log
    /var/log/cron
    /var/log/httpd/*log
    /var/log/maillog
    /var/log/messages
    /var/log/mysqld.log
    /var/log/secure
    /var/log/snmpd.log
    /var/www/html/acorn/data/ctp dbase/ctp upgrade log.archive
    /var/www/html/acorn/ip/iplist master
    /var/www/html/acorn/server sync/server sync log.archive
Installation of Anti-Virus Software
Configuration of AIDE (Advanced Intrusion Detection Environment)
  /var/lib/aide/aide.db.gz
  aide --check

  aide --update
Configuration of Swatch (Log Watcher)
  sudo service swatch stop
  sudo service swatch start
AAA Functions (Authentication, Authorization and Accounting)
  CAC/PKI Configuration (HTTPS)
  RADIUS/RSA SecurID Configuration (SSH and HTTPS)
  TACACS Configuration (SSH and HTTPS)
  SSH Options
    SSH – CAC/PKI
    SSH – RADIUS/RSA
    SSH – TACACS
    SSH – Local User/Pass
  HTTPS Options
    HTTPS – CAC/PKI
    HTTPS – RADIUS/RSA
    HTTPS – TACACS
    HTTPS – Local User/Pass
Steel-Belted RADIUS (SBR) Server Configuration
  Configure RADIUS/RSA Settings on the CTPView Server or CTP Device
  Configure the SBR Server's Dictionary Files
    SBR Enterprise release 6.1.3 or earlier
    SBR Carrier release 7.2.3 or earlier
    vendor-product Juniper CTP Series dictionary Juniperctp
    @juniperctp.dct
  Configure the SBR Server's Authentication Policies
  Add CTPView or CTP as a RADIUS Client on an SBR Server
  Add CTPView or CTP Users to an SBR Server
RSA SecurID Appliance Configuration
  Configure RADIUS/RSA Settings on the CTPView Server or CTP Device
  Configure the SBR Server's Dictionary Files
    SBR Enterprise release 6.1.3 or earlier
    SBR Carrier release 7.2.3 or earlier
    vendor-product Juniper CTP Series dictionary Juniperctp
    @juniperctp.dct
  Configure the SBR Server's Authentication Policies
  Add CTPView or CTP as a RADIUS Client on an SBR Server
  Add CTPView or CTP Users to an SBR Server

  Assign SecurID Tokens to CTPView or CTP Users
TACACS Server Configuration
  For HTTPS access to CTPView, the attributes and their values are:
  For SSH access to CTPView, the attributes and their values are:
  For SSH access to CTP devices, the attributes and their values are:
  Configure the TACACS Server's configuration Files
  Add CTPView or CTP Users to a TACACS Server
    Authentication.xml:
    Authorization.xml:
How To Use CAC Smart Cards For SSH Access To CTPView
  ActiveClient configuration – Initial procedure
  Putty-CAC Configuration – For Each Remote Host:
UC APL Required Information
  Conditions Of Fielding
  Mitigation Strategies

Introduction

This guide provides additional detail on the security-related features introduced or modified in this release. See the Release Notes for a description of all enhancements and bug fixes contained in the release you are installing.

The full range of security features is only available on CTPView servers running the Juniper customized CentOS 5.3 operating system.

The first release of CTPView which incorporated the enhanced security features was 3.4R2-p1 and required the server be running CentOS as its operating system. Beginning with release 3.4R3, the security enhanced CTPView software can be installed on systems using the Fedora Core 4 or Fedora 9 operating systems; however, not all new security features will be available.

If you wish to update the OS on your existing server to CentOS, contact Juniper Networks Technical Assistance Center (JTAC) for assistance.

If you are updating your server to CentOS from a Fedora OS, you can save and transfer your current server settings and data files to your rebuilt server using our backup utility.

To save and restore configuration and data files:
  - Upgrade your current server to the latest release of CTPView software available for your system.
  - Save your current server's configuration and data files using the backup utility found in the CLI menu Backup Functions.
  - Rebuild your server with a clean installation of the CTPView Server with Custom CentOS using the CDROM media and server build instructions available through JTAC.
  - Update the CTPView software on the rebuilt server to the latest release.
  - Restore the server configuration and data files you saved by using the backup utility.

The following supplemental steps must be executed after restoring data from a previous FC4 or FC9 server configuration to a CentOS server in order to complete the upgrade:
  - Re-enter the Mail Server's name or IP address on the Email Notifications page of the CTPView Web UI. This one-time step is necessary due to the changing of the MTA from Sendmail to Postfix. The path to the page is Server Administration > Email Notifications > Change Mail Server.
  - Re-create the user accounts for CTPView browser access. This one-time step is necessary due to the change in structure of the MySQL database to accommodate encryption of the user passwords using AES-256 instead of an MD5 hash.
  - Continue the installation process by following the steps in the "Configuring a New CTPView Server" section of this guide.

Security Level

CTPView provides a configurable set of security-related features that an administrator can use to change the overall security level of the system. These features include the ability to modify username and password limitations, login restrictions, inactivity periods and access to diagnostic utilities. The options are assembled into pre-packaged groupings called Security Levels. On CTPView the Web UI and the system OS have their own, separate Security Level setting. System administrators can modify the Security Level settings using the CLI menu utility.

CTPView servers are delivered with the Security Levels for the Web UI and the OS set to high. All the security certifications which have been earned by the CTPView Management System require that the Security Levels remain at the high level. Additionally, to assure compliance with these certifications, the high level security feature requirements delineated in the other sections of this guide must also be complied with.

In CTPView installations where you do not require a high level of network security, such as a lab environment, you may choose to adopt a less stringent security setting. Changes in Security Levels can be performed at any time; however, it is simplest when done during the initial installation, and before user accounts are added. The procedure for switching Security Level settings is covered in the next section of this guide.

Security Level Description for Web UI

  low   Enables permissive username/password restrictions
  high  Enables elevated username/password restrictions

Security Level Description for OS

  very-low
    - Enables root login
    - Disables session inactivity timeout
    - Enables default OS username/password restrictions
    - Enables single-user mode login
    - Installs tcpdump and hdparm utilities (these files must exist in the /tmp directory)
  low
    - Disables root login
    - Disables session inactivity timeout
    - Enables default OS username/password restrictions
    - Enables single-user mode login
    - Installs tcpdump and hdparm utilities (these files must exist in the /tmp directory)
  high
    - Disables root login
    - Enables session inactivity timeout
    - Enables elevated username/password restrictions
    - Disables single-user mode login
    - Removes tcpdump and hdparm utilities

NOTE: When the OS security level is set to high in CTPView, the CTPView OS user account gets locked if the user does not log in for 35 days.

Allowed Attribute Ranges

The allowed ranges of password and user account parameters for different Security Levels are shown in the table below.
Changing the Security Level does not change the attributes of the password or account for existing users. Those parameters can be updated using the procedures described in the next section of this guide.

Allowed Attribute Range

| Attribute                                              | Units  | Web UI high     | Web UI low      | OS high  | OS low / very-low |
|--------------------------------------------------------|--------|-----------------|-----------------|----------|-------------------|
| Password Properties                                    |        |                 |                 |          |                   |
| Min Length                                             | char   | 15 - 64         | 5 - 64          | 15 - 256 | 5 - 256           |
| Max Length                                             | char   | 15 - 64         | 5 - 64          | 256      | 256               |
| Min Lower Case                                         | char   | 1 - 10          | 0 - 10          | 1 - 15   | 0 - 15            |
| Min Upper Case                                         | char   | 1 - 10          | 0 - 10          | 1 - 15   | 0 - 15            |
| Min Digits                                             | char   | 1 - 10          | 0 - 10          | 1 - 15   | 0 - 15            |
| Min Other                                              | char   | 1 - 10          | 0 - 10          | 1 - 15   | 0 - 15            |
| Contains username                                      | --     | no              | no              | no       | no                |
| Checked with cracklib library                          | --     | yes             | no              | yes      | yes               |
| Min required new characters                            | number | 5               | 0               | 15       | 5                 |
| Lockout after login failure: allowed authentication retries | number | 1 - 3      | 1 - 3           | 0 - 3    | 0 - 3             |
| Lockout after login failure: lockout time              | sec    | 60 - indefinite | 60 - indefinite | 900      | 900               |
| Password reuse limit                                   | number | 10 - 20, never  | 1 - 20, never   | 10       | 10                |
| Account Properties                                     |        |                 |                 |          |                   |
| Max time between logins                                | days   | 0 - 60          | 0 - 365         | n/a      | n/a               |
| Min time between password changes                      | days   | 1 - 30          | 0 - 30          | 1 - 60   | 0 - 99999         |
| Max time new password is valid                         | days   | 5 - 60          | 5 - 365         | 1 - 60   | 1 - 99999         |
| Time start warnings before password expiring           | days   | 0 - 14          | 0 - 14          | 1 - 7    | 1 - 7             |
| Time after password expiring when access prohibited    | days   | 14 - 59         | 14 - 59         | 0 - 14   | 0 - 99999         |
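An added example, not Juniper's code, that encodes the Web UI and OS complexity ranges from the table above and checks two things: that an administrator's chosen policy sits inside the Security Level's allowed range, and that a candidate password satisfies that policy. The names LEVELS, policy_in_range and check_password are this example's own, and OS "low" stands in for very-low, which shares its ranges.

```python
# Added example (not Juniper code): a policy checker modelled on the Allowed
# Attribute Range table. Ranges are taken from the table; the names LEVELS,
# policy_in_range and check_password are this example's own.
import string

# Per (interface, level): the (min, max) an administrator may choose for each
# password-complexity attribute. OS "low" also stands for "very-low".
LEVELS = {
    ("webui", "high"): dict(min_length=(15, 64), min_lower=(1, 10), min_upper=(1, 10),
                            min_digits=(1, 10), min_other=(1, 10)),
    ("webui", "low"):  dict(min_length=(5, 64), min_lower=(0, 10), min_upper=(0, 10),
                            min_digits=(0, 10), min_other=(0, 10)),
    ("os", "high"):    dict(min_length=(15, 256), min_lower=(1, 15), min_upper=(1, 15),
                            min_digits=(1, 15), min_other=(1, 15)),
    ("os", "low"):     dict(min_length=(5, 256), min_lower=(0, 15), min_upper=(0, 15),
                            min_digits=(0, 15), min_other=(0, 15)),
}

def policy_in_range(policy, interface, level):
    """Return the attribute names in `policy` that fall outside the allowed
    range for the given Security Level (an empty list means the policy is valid)."""
    allowed = LEVELS[(interface, level)]
    return [name for name, (lo, hi) in allowed.items()
            if not lo <= policy[name] <= hi]

def check_password(password, username, policy):
    """Return a list of policy violations for `password` (empty list = accepted).
    Mirrors the table rows: per-class minimums and the 'contains username' rule."""
    counts = {
        "min_lower": sum(c.islower() for c in password),
        "min_upper": sum(c.isupper() for c in password),
        "min_digits": sum(c.isdigit() for c in password),
        "min_other": sum(c in string.punctuation for c in password),
    }
    problems = []
    if len(password) < policy["min_length"]:
        problems.append("too short")
    for name, have in counts.items():
        if have < policy[name]:
            problems.append(f"needs {policy[name]} {name[4:]}, has {have}")
    if username and username.lower() in password.lower():
        problems.append("contains username")
    return problems

if __name__ == "__main__":
    # A "high" Web UI policy chosen from inside its allowed range.
    high = dict(min_length=15, min_lower=2, min_upper=2, min_digits=2, min_other=2)
    print(policy_in_range(high, "webui", "high"))             # []
    print(check_password("CTPView-2-2", "admin", high))       # the default password fails
    print(check_password("Xq7!mTe#4rLw9$Bz", "admin", high))  # []
```

The same check_password call is a quick way to verify a new root password by hand, since the page notes that the password checking utilities do not enforce compliance for the root account.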

Updating Existing User Accounts

Changing the Security Level does not change the attributes of the password or account for existing users. Those parameters can be updated using the procedures described below.

Web UI

Login to the Web UI as a Global Admin and go to the Admin Center.
Modify these global attributes:
  - Select Passwords > Password Reuse Limit.
  - Select Passwords > Modify Password Requirements.
The easiest way to update the password attributes of existing users is to modify the Groups attributes.
  - Select Groups > Modify Group Properties.
  - For each Group which you have created on your system, adjust the parameters within the new ranges. Make sure to check the "Update current members" checkbox before submitting the form.
  - Alternatively, you could individually modify the password requirements on each user account.

OS

Login to the CLI management console as a System Administrator. At the command prompt, type menu. The CTPView Configuration Menu utility will open. Go to Security Profile > Password Management.
Modify these global attributes:
  - Select Manage password requirements.
Each user must be updated individually for password expiration; there is no group option as in the Web UI. Enter the user name and you will be prompted to enter new values for each of the password parameters.
  - Select Manage password expiration details.

Configuring a New CTPView Server

Default Password

The default value for ALL passwords on a new CTPView server is CTPView-2-2.

Change the BIOS Menu Password

For security purposes, change the default password for BIOS menu access. There is no username associated with this account.
During the boot process, when the startup dialog is first displayed on the monitor, press F2. The boot process continues, displaying several messages on the screen. Wait until the process pauses and asks for the Setup Password. Enter the current BIOS password to continue.
When you have gained access to the BIOS menu, highlight the line System Security, and press Enter. Highlight the line Setup Password. (Make sure that you have not selected System Password.) Press Enter, and type your new BIOS password. Press Enter, and then reenter your new password. Press Enter to continue.
Press the Esc key. In the pop-up window highlight the line Save Changes and Exit, and press Enter. The system will now restart.
NOTE: The steps described above are for the Dell R200 server. If you have a different server, refer to our document CTPView Server with Custom CentOS Build Instructions for the steps appropriate for your hardware.
NOTE: Good security practice requires that the BIOS menu password be changed at least yearly or upon administrator reassignment.

Change the Server's Root Account Password

For security purposes, change the default password for the server's root user account.
After logging in as a System Administrator, type this command:

    sudo passwd

Follow the prompts to enter the new password. The password checking utilities do not enforce compliance when changing the root account password. It is the System Administrator's responsibility to ensure that the new password complies with the minimum requirements for password complexity. It is strongly recommended that the new root password meet the High Security Level attributes described in the Security Level section above.
NOTE: Good security practice requires that the root account password be changed at least yearly or on administrator reassignment.

Review System Security Level

See the main Security Level section above for an overview of this feature.

Login to the CLI management console as a System Administrator. At the command prompt, type menu. The CTPView Configuration Menu utility will open. Make a note of the CTPView version number displayed in the heading. This will be helpful when you check the Juniper website for software upgrades.
Select Security Profile > Modify Security Level > View current security level to view the current security level of the server.
Use the options in the Security Level Menu to set your server to the desired Web UI and OS security levels.
Changing the Security Level sets the allowed ranges of password and user account attributes from which the System Administrator can select when creating new user accounts. It does not change the settings on existing user accounts.
NOTE: Good security practice requires that the Security Level be set to high in production servers.

Change the GRUB Boot Loader Password

For security purposes, change the default password for the GRUB Boot Loader menu.
Login to the CLI management console as a System Administrator. At the command prompt, type menu. The CTPView Configuration Menu utility will open.
Select GRUB Functions. Then select Change GRUB password, and follow the prompts.
NOTE: Good security practice requires that the GRUB Boot Loader password be changed at least yearly or on administrator reassignment.

Change the MySQL Apache Account Password

For security purposes, change the default password for the MySQL server Apache user account.
While in the main screen of the CTPView Configuration Menu utility, select MySQL Functions. Then select Change MySQL Apache password and follow the prompts.
NOTE: Good security practice requires that the MySQL Apache password be changed at least yearly or on administrator reassignment.

Change the MySQL Administrator Password

For security purposes, change the default password for the MySQL server Administrator account.
While in the main screen of the CTPView Configuration Menu utility, select MySQL Functions. Then select Change MySQL Administrator password and follow the prompts.
NOTE: Good security practice requires that the MySQL Administrator password be changed at least yearly or on administrator reassignment.

Configuring Network Access

While in the main screen of the menu utility, select System Configuration. Answer y
