Juniper Router STIG Compliance Checklist
Hard · 19 items · 1 day · testuser · Published 1 month ago
This checklist helps network administrators and IT security teams implement the Juniper Router STIG requirements across JunOS devices. It covers preparation, hardening steps, verification, and documentation to achieve and maintain STIG compliance for routers in managed environments.
- Download the Juniper Router STIG package (XCCDF/HTML/PDF) — Get the latest STIG (Y25M01 or current) from DISA IASE or another official resource.
- Review STIG controls and map to your environment — Identify applicable controls, exceptions, and implementation scope.
- Inventory Juniper devices and record JunOS versions — Capture device model, OS version, location, and management IP.
- Run automated STIG compliance scan (XCCDF/SCAP) — Use approved scanners and save the generated report for review.
- Apply vendor-recommended patches and JunOS updates — Patch devices to versions that address known CVEs and fixes.
- Implement STIG baseline configuration on routers — Apply STIG-required settings: interfaces, services, logging, and accounts.
- Secure management access
- Enable SSH v2 and disable Telnet — Configure SSH v2 only and remove unsecured management protocols.
- Restrict management access to trusted IPs or management VRF — Limit which hosts/networks can reach device management interfaces.
- Enforce role-based admin accounts and disable default accounts — Create least-privilege roles and remove or disable shared/default logins.
- Disable unused services and protocols — Turn off services like FTP, rsh, finger, and other unused daemons.
- Configure strong authentication and password policies — Set complexity, aging, history, and account lockout policies.
- Harden SNMP: use SNMPv3, restrict access, and change community strings — Use authenticated/encrypted SNMP and limit collectors by ACL.
- Configure NTP and lock time sources — Use trusted NTP servers and restrict NTP service to authorized hosts.
- Enable and centralize logging to a secure syslog/SIEM — Forward logs to a protected collector with retention and integrity controls.
- Deploy firewall filters and ACLs for control-plane protection — Apply anti-spoofing, management ACLs, and control-plane policing.
- Perform STIG compliance re-scan and save results — Re-run automated checks to validate applied hardening.
- Document deviations and submit Risk Acceptance (DAA) requests — Record justified exceptions and obtain formal approval where needed.
- Schedule periodic audits and subscribe to DISA IASE updates — Set recurring reviews and watch for STIG or reference updates.
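As a quick pre-check between the hardening steps and the formal re-scan, the sketch below audits a saved `show configuration | display set` export against a few of the items above. It is an added example, not part of the STIG package or any Juniper tool; the rule set, item names, and sample configuration are assumptions constructed for illustration, so adjust the statements to those your Junos release uses. It does not replace the XCCDF/SCAP scan.

```python
import re

# (checklist item, regex over an active statement, True if it must be present)
RULES = [
    ("SSH v2 enabled", r"^system services ssh protocol-version v2$", True),
    ("SSH v1 absent", r"^system services ssh protocol-version v1$", False),
    ("Telnet disabled", r"^system services telnet\b", False),
    ("FTP disabled", r"^system services ftp\b", False),
    ("No SNMP community strings", r"^snmp community\b", False),
    ("Remote syslog host", r"^system syslog host \S+", True),
    ("NTP server configured", r"^system ntp server \S+", True),
    ("Filter applied to lo0", r"^interfaces lo0 unit \d+ family inet6? filter input", True),
]

def active_statements(config_text):
    """Return 'set' statements that are not under a 'deactivate' path."""
    sets, inactive = [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("set "):
            sets.append(line[4:])
        elif line.startswith("deactivate "):
            inactive.append(line[11:])
    return [s for s in sets if not any(s == p or s.startswith(p + " ") for p in inactive)]

def audit(config_text):
    """Map each checklist item to True (pass) or False (finding)."""
    stmts = active_statements(config_text)
    results = {}
    for item, pattern, must_exist in RULES:
        found = any(re.search(pattern, s) for s in stmts)
        results[item] = found if must_exist else not found
    return results

# Constructed sample, not taken from a real device.
SAMPLE = """\
set system services ssh protocol-version v2
set system services telnet
set system services ftp
deactivate system services ftp
set snmp community public authorization read-only
set system syslog host 192.0.2.10 any info
set system ntp server 192.0.2.20
deactivate system ntp
"""

if __name__ == "__main__":
    for item, ok in audit(SAMPLE).items():
        print(f"{'PASS' if ok else 'FAIL'}  {item}")
```

Deactivated statements are treated as absent in both directions: a deactivated `ftp` service passes, while an NTP server under a deactivated `system ntp` hierarchy is reported as a finding.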