Assess Juniper Junos OS Security with cnspec

Secure and enforce policy for Juniper Networks devices running Junos OS

Rely on cnspec to ensure your Juniper Networks devices running Junos OS follow recommended security and operational best practices, such as verifying SSH hardening, checking security zone configuration, auditing user accounts, and validating routing protocol state.

Prerequisites

To test a Junos OS device with cnspec, you must have:

  • cnspec installed on your workstation
  • Network access to the Junos device management interface (NETCONF over SSH)
  • Valid credentials (username/password or SSH key) for authentication

Give cnspec access to your Junos OS device

To scan a Junos OS device, cnspec connects through NETCONF over SSH, so the NETCONF service must be enabled on the device before you scan.

API setup instructions

Enable NETCONF over SSH

If NETCONF is not yet enabled, SSH to the device and configure it. For DEVICE_IP, substitute the IP address of the device:

ssh admin@DEVICE_IP

Then enable the NETCONF service:

> configure
# set system services netconf ssh
# commit

Test your connection

Before running a full scan, verify that cnspec can connect by opening a cnspec shell:

cnspec shell junos --hostname DEVICE_IP --username admin --ask-pass

If cnspec connects successfully and shows a prompt, you're ready to scan.

Connection options

Option                Description
--hostname            Hostname or IP address of the Junos device
--username, -u        Username for authentication (default: "admin")
--password, -p        Password for authentication
--ask-pass            Prompt for the password
--identity-file, -i   Path to SSH private key
--port                NETCONF SSH port (default: 830)

Scan Junos OS devices

To scan a Junos OS device, use the cnspec scan command. For DEVICE_IP, substitute the hostname or IP address of the device:

cnspec scan junos --hostname DEVICE_IP --username admin --ask-pass

To connect using an SSH key:

cnspec scan junos --hostname DEVICE_IP --username admin --identity-file ~/.ssh/id_rsa

Scan with the Mondoo Junos Security policy

Mondoo maintains an out-of-the-box Juniper Junos Security policy that checks SSH hardening, security zones, user account configuration, and more.

Mondoo Platform users: Enable the policy in your space. In the Mondoo Console, go to Findings > Policies, search for "Junos", and add the policy. All future scans of your Junos devices automatically evaluate against it. To learn more, read Manage Policies.

Open source users: Pass the policy bundle URL directly to cnspec:

cnspec scan junos --hostname DEVICE_IP --username admin --ask-pass \
  --policy-bundle https://raw.githubusercontent.com/mondoohq/cnspec/refs/heads/main/content/mondoo-junos-security.mql.yaml

You can also create your own policies to meet your specific requirements.

Example checks

You can interactively explore and test checks using the cnspec shell. To open a shell connected to your Junos device:

cnspec shell junos --hostname DEVICE_IP --username admin --ask-pass

Below are some example queries and checks you can run from the shell.

Retrieve system information

cnspec> junos.system { hostname model version serialNumber }
junos.system: {
  hostname: "vsrx1"
  model: "VSRX"
  version: "22.4R1.10"
  serialNumber: "ABC1234567"
}

List interfaces and their status

cnspec> junos.interfaces { name adminStatus operStatus speed }
junos.interfaces: [
  0: {
    name: "ge-0/0/0"
    adminStatus: "up"
    operStatus: "up"
    speed: "1000mbps"
  }
  ...
]

Retrieve security zones

cnspec> junos.securityZones { name interfaces }
junos.securityZones: [
  0: {
    name: "trust"
    interfaces: ["ge-0/0/0.0"]
  }
  1: {
    name: "untrust"
    interfaces: ["ge-0/0/1.0"]
  }
]

Check SSH configuration

cnspec> junos.sshConfig { rootLogin ciphers macs }
junos.sshConfig: {
  rootLogin: "deny"
  ciphers: ["aes256-ctr", "aes128-ctr"]
  macs: ["hmac-sha2-256", "hmac-sha2-512"]
}

List BGP neighbor sessions

cnspec> junos.bgpNeighbors { peerAddress peerAs state }
junos.bgpNeighbors: [
  0: {
    peerAddress: "10.0.0.1"
    peerAs: 65001
    state: "Established"
  }
  ...
]

Ensure root login over SSH is denied

cnspec> junos.sshConfig.rootLogin == "deny"
[ok] value: "deny"

Ensure telnet is not enabled

cnspec> junos.services.none(name == "telnet")
[ok] value: true

Ensure all BGP sessions are established

cnspec> junos.bgpNeighbors.all(state == "Established")
[ok] value: true

Ensure security policies have logging enabled

cnspec> junos.securityPolicies.all(logInit == true && logClose == true)
[ok] value: true

Ensure no user accounts lack passwords

cnspec> junos.users.where(hasPassword == false) == []
[ok] value: []

Ensure certificates are not expired

cnspec> junos.certificates.all(notAfter != "")
[ok] value: true
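To see how shell checks like the ones above become a policy of your own, here is an added example bundle (not the Mondoo-maintained Junos policy) that packages several of them; the bundle uid, the check uids, the impact scores and the `asset.platform == "junos"` filter are assumptions, and the remediation lines are standard Junos configuration commands.

```yaml
# Added example: custom-junos-baseline.mql.yaml (not a Mondoo-maintained bundle).
# Groups the checks shown above so a scan fails when any of them fails.
policies:
  - uid: custom-junos-baseline
    name: Custom Junos OS baseline
    version: 1.0.0
    authors:
      - name: Network security team   # placeholder
    groups:
      - title: Management plane
        # Assumption: Junos assets report asset.platform == "junos".
        filters: asset.platform == "junos"
        checks:
          - uid: junos-ssh-root-login-denied
          - uid: junos-telnet-disabled
          - uid: junos-users-have-passwords
      - title: Routing and security policy
        filters: asset.platform == "junos"
        checks:
          - uid: junos-security-policy-logging
          - uid: junos-bgp-sessions-established
queries:
  - uid: junos-ssh-root-login-denied
    title: Ensure root login over SSH is denied
    impact: 90
    mql: junos.sshConfig.rootLogin == "deny"
    docs:
      desc: Direct root logins over SSH bypass per-user accountability.
      remediation: set system services ssh root-login deny
  - uid: junos-telnet-disabled
    title: Ensure telnet is not enabled
    impact: 90
    mql: junos.services.none(name == "telnet")
    docs:
      remediation: delete system services telnet
  - uid: junos-users-have-passwords
    title: Ensure no user accounts lack passwords
    impact: 80
    mql: junos.users.where(hasPassword == false) == []
  - uid: junos-security-policy-logging
    title: Ensure security policies log session init and close
    impact: 50
    mql: junos.securityPolicies.all(logInit == true && logClose == true)
    docs:
      remediation: set security policies from-zone <Z1> to-zone <Z2> policy <NAME> then log session-init session-close
  - uid: junos-bgp-sessions-established
    title: Ensure all BGP sessions are established
    impact: 30
    mql: junos.bgpNeighbors.all(state == "Established")
```

Run it with `cnspec scan junos --hostname DEVICE_IP --username admin --ask-pass --policy-bundle custom-junos-baseline.mql.yaml`, and use `cnspec bundle lint custom-junos-baseline.mql.yaml` to validate the file before a scan.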
