Juniper EX Series – Securing Access to In-Band Management Interface

August 31, 2013

When network management stations use the in-band network to communicate with the devices they manage, the management traffic shares the same in-band interfaces as user traffic.

This arrangement has the following recognised security weaknesses:

  •  Saturation of the in-band interfaces can make the device unmanageable unless out-of-band management resources have been reserved.
  •  Since public interfaces and channels are used, an attacker can directly address and reach the device and attempt to use its management functions.
  •  In-band management traffic on public interfaces may be intercepted, although this would typically require a significant compromise of the routing system.
  •  Public interfaces used for in-band management may become unavailable because of bugs (for example, an exploited buffer overflow) while out-of-band interfaces (such as a serial console) remain available.

Fortunately, Juniper provides configuration options that limit access to the in-band management interface.

To secure the management interface over IPv4, a firewall filter is configured and applied as an input filter on the loopback interface (lo0), so that it is evaluated for every packet destined to the Routing Engine. The sample configuration, shown from configuration mode, is as follows:

{master:0}[edit]
user@switch# show firewall family inet filter inband-manage
term allowfromint {
    from {
        source-address {
            192.168.0.0/24;
            192.168.253.0/24;
            192.168.252.0/24;
        }
    }
    then accept;
}
term blockext {
    from {
        destination-port [ ssh telnet snmp snmptrap http https 830 ];
    }
    then {
        discard;
    }
}
term default {
    then accept;
}

{master:0}[edit]
user@switch# show interfaces lo0
unit 0 {
    family inet {
        filter {
            input inband-manage;
        }
    }
}
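The filter above is evaluated top to bottom and the first matching term decides the packet's fate. The short Python model below is an added illustration written for this page (it is not Junos code and not from the original post): it encodes the three terms exactly as the page lists them and evaluates constructed sample packets against them, so you can check which sources and ports end up accepted or discarded before committing the configuration. Two details worth noticing are modelled deliberately: the page's explicit term "default" accepts all remaining traffic, whereas a Junos filter with no matching term falls through to an implicit discard (shown here when the term list is empty); and because the "blockext" term carries no protocol match, the port comparison in the model applies regardless of whether TCP or UDP carries the port. The source addresses, port list and packet samples are the page's values plus constructed test inputs.

```python
"""
Model of Junos first-match firewall-filter evaluation for the lo0 input
filter shown above. Added illustration for this page, not Junos code.
Term names, prefixes and ports mirror the page's sample filter; the packet
tuples used below are constructed test inputs.
"""
import ipaddress

# Junos text synonyms for the destination ports named in the page's filter.
PORT_NAMES = {"ssh": 22, "telnet": 23, "snmp": 161, "snmptrap": 162,
              "http": 80, "https": 443}


def port_number(p):
    """Resolve a Junos port synonym or numeric string to an integer."""
    return PORT_NAMES[p] if p in PORT_NAMES else int(p)


# The page's filter as an ordered list of terms: optional match conditions
# plus one action. Evaluation is first match wins.
INBAND_MANAGE = [
    {"name": "allowfromint",
     "source_address": [ipaddress.ip_network(n) for n in
                        ("192.168.0.0/24", "192.168.253.0/24", "192.168.252.0/24")],
     "action": "accept"},
    {"name": "blockext",
     "destination_port": {port_number(p) for p in
                          "ssh telnet snmp snmptrap http https 830".split()},
     "action": "discard"},
    {"name": "default", "action": "accept"},
]


def term_matches(term, src, dport):
    """True when every match condition present in the term matches the packet."""
    if "source_address" in term:
        if not any(src in net for net in term["source_address"]):
            return False
    if "destination_port" in term:
        # No protocol condition in the page's term, so the port is compared
        # irrespective of the transport protocol.
        if dport not in term["destination_port"]:
            return False
    return True


def evaluate(filter_terms, src_ip, dport):
    """Return (term_name, action) for the first matching term, or the
    implicit discard Junos applies when no term matches."""
    src = ipaddress.ip_address(src_ip)
    for term in filter_terms:
        if term_matches(term, src, dport):
            return term["name"], term["action"]
    return None, "discard"  # implicit discard at the end of a Junos filter


def audit(filter_terms, samples):
    """Evaluate a list of (source IP, destination port) packets and return
    a mapping from each packet to the resulting action."""
    return {(s, d): evaluate(filter_terms, s, d)[1] for s, d in samples}


if __name__ == "__main__":
    # Constructed sample packets: (source IP, destination port)
    samples = [("192.168.0.10", 22),    # internal management host -> SSH
               ("10.0.0.5", 22),        # external host -> SSH
               ("10.0.0.5", 161),       # external host -> SNMP
               ("10.0.0.5", 830),       # external host -> NETCONF over SSH
               ("10.0.0.5", 179)]       # external host -> BGP, not a management port
    for key, action in audit(INBAND_MANAGE, samples).items():
        print(key, "->", action)
```

Running the script shows the internal host reaching SSH, the external host discarded on every management port, and the external host's BGP packet still accepted by the trailing "default" term, which is why that explicit accept is needed for routing protocols and other legitimate traffic to the Routing Engine. The filter is attached under family inet only, so IPv6 traffic to lo0 is not covered by it.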

When an nmap port scan is run against the switch from an IPv4 host outside the permitted source prefixes, the management ports listed in the blockext term no longer respond, as shown in the following output:

[Figure: nmap port scan output]