$SSHQGL[%&RQILJXUDWLRQIRU&RPPRQ&ULWHULD($/
% 1HW6FUHHQ
passwords should not be easily guessed, such as a mother’s maiden name, a
birth date, or names of relatives. NetScreen devices ship with a default user
name and password of “netscreen”. You must change this as soon as possible to
prevent unauthorized access. See Chapter 1, “Administration,” in Volume 3 in
the NetScreen Concepts & Examples manual for more information on
administrative passwords. The recommended time between password changes is
no longer than 30 days to mitigate the effects of a compromised administrator
identity.
The following CLI commands, in order, are required to set a new administrator
name and password:
set admin name name
set admin password password
• It is expected and assumed that authorized administrators are not hostile.
• The NetScreen device must be placed in a physically secure location to prevent
physical tampering, or device startup or shutdown. All persons who have
physical access to this location, including access to the console, must have the
same level of trustworthiness as an administrator.
• To place a NetScreen device into a mode consistent with that specified in
NetScreen’s Security Target for Common Criteria, management access must be
limited to the locally connected console port. NetScreen devices do not ship this
way by default. To limit management access to the console port, the interface
that is by default in the V1-Trust or Trust security zone needs to have
management access turned off. See the interface commands in the NetScreen
CLI Reference Guide for more information.
All other interfaces have management access turned off by default, so no action
is necessary to turn management off.
To disable management to the interface in the V1-Trust or Trust security zone,
issue the following CLI command:
unset interface interface manage
For each NetScreen device, you must enter the following commands:
NetScreen-5XP: unset interface trust manage
NetScreen-5XT: unset interface trust manage
NetScreen-25: unset interface ethernet1 manage
NetScreen-50: unset interface ethernet1 manage
NetScreen-100: unset interface trust manage
NetScreen-204: unset interface ethernet1 manage
NetScreen-208: unset interface ethernet1 manage
NetScreen-500: unset interface ethernet3/2 manage
NetScreen-5200: unset interface ethernet2/2 manage
• There are two important steps to take every time a policy is being created. First,
all security policies that are created must have counting and logging enabled to
ensure that all audit log information is maintained for traffic passing through
the device. Second, policies must be as specific as possible to ensure that the
traffic being permitted is done intentionally, and not as part of a generic policy.
To Next Page
Loading...
Need help?
General
