Sunday, September 6, 2015

Tightening up junOS SRX and ssh access

In this blog we will look at how to control the ssh ciphers on an SRX; by configuring the ssh parameters manually, you can ensure that clients conform to your security profiles and policies.

In my side role, we had an audit and wanted to remove AES128 support from our ssh server platforms. In this case our Juniper gear was still supporting CBC and CTR modes with AES128. So we decided to enforce AES192/256, Blowfish and ChaCha across the board.

We also wanted to remove RSA as the server host-key algorithm.


Here's the cfg:

To test, we just use the ssh client and explicitly request the weaker cipher; in this case aes128 is refused, since it was struck from the SRX.


And here are the server ssh host-key fingerprints; notice the after and before (green / red) circles.
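As an added example (not from the post, and not Juniper code), the checker below turns the two manual tests above into one audit: it parses a server's SSH_MSG_KEXINIT offer per RFC 4253 section 7.1 and flags any AES128 cipher or ssh-rsa host-key algorithm still on offer. The `BEFORE` and `AFTER` offers are constructed stand-ins for the SRX responses, not captures from a real device, and `build_kexinit`, `parse_kexinit` and `audit` are names chosen here.

```python
import struct
# Policy taken from the post: drop AES128 (cbc and ctr) and the ssh-rsa host key.
BANNED_CIPHERS = {"aes128-cbc", "aes128-ctr"}
BANNED_HOSTKEYS = {"ssh-rsa"}
# Order of the ten name-lists in SSH_MSG_KEXINIT (RFC 4253 section 7.1).
FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def build_kexinit(lists):
    """Build a constructed KEXINIT payload for offline testing (cookie zeroed)."""
    body = bytes([20]) + bytes(16)  # SSH_MSG_KEXINIT (20) + 16-byte cookie
    for f in FIELDS:
        names = ",".join(lists.get(f, [])).encode("ascii")
        body += struct.pack(">I", len(names)) + names
    return body + bytes(1) + bytes(4)  # first_kex_packet_follows + reserved

def parse_kexinit(payload):
    """Return the ten name-lists as a dict; raise ValueError on a malformed payload."""
    if not payload or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, out = 17, {}
    for f in FIELDS:
        if off + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack_from(">I", payload, off)
        off += 4
        if off + n > len(payload):
            raise ValueError("truncated name-list")
        out[f] = [x for x in payload[off:off + n].decode("ascii").split(",") if x]
        off += n
    return out

def audit(lists):
    """List policy violations in a server's offered ciphers and host-key algorithms."""
    found = [f"{s}: banned cipher {c}" for s in ("enc_c2s", "enc_s2c")
             for c in lists[s] if c in BANNED_CIPHERS]
    found += [f"hostkey: banned algorithm {h}" for h in lists["hostkey"] if h in BANNED_HOSTKEYS]
    return found

# Constructed "before" and "after" offers standing in for the SRX responses (not captured).
BEFORE = {"kex": ["diffie-hellman-group14-sha1"], "hostkey": ["ssh-rsa", "ecdsa-sha2-nistp256"],
          "enc_c2s": ["aes128-cbc", "aes128-ctr", "aes256-ctr"], "enc_s2c": ["aes128-ctr", "aes256-ctr"],
          "mac_c2s": ["hmac-sha1"], "mac_s2c": ["hmac-sha1"], "comp_c2s": ["none"], "comp_s2c": ["none"]}
AFTER = dict(BEFORE, hostkey=["ecdsa-sha2-nistp256"],
             enc_c2s=["aes256-ctr", "aes192-ctr", "chacha20-poly1305@openssh.com"],
             enc_s2c=["aes256-ctr", "aes192-ctr", "chacha20-poly1305@openssh.com"])
if __name__ == "__main__":
    for label, offer in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(parse_kexinit(build_kexinit(offer))) or ["compliant"])
```

Against a live host, the KEXINIT is the first binary packet after the version banner and is sent in the clear, so its payload (the bytes after the packet-length and padding-length fields, minus the padding) can be passed straight to `parse_kexinit`.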



This allowed us to tighten access via our ssh clients.


Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix  -----a----t---- socpuppets ---dot---com

    ^     ^
=(  *  * )=
       o 
      /  \
