Geekzone: technology news, blogs, forums

grass99

2 posts

Wannabe Geek


#312004 6-Mar-2024 20:10

I've been told during an external IT audit the Juniper SRX routers used at our branch offices for our site-to-site VPN (IPSec?) are outside of support and represent a security risk.

Would you experts recommend upgrading?

How real are the risks and can they be mitigated without upgrading?

Do organizations typically replace their branch routers every 4-5 years as they become 'obsolete'?

mentalinc
3384 posts

Uber Geek
+1 received by user: 1023

Trusted

  #3203897 6-Mar-2024 20:26

https://support.juniper.net/support/eol/product/srx_series/

List of out of support

You can confirm if there are updates available here: https://support.juniper.net/support/downloads

But in short, a security device such as a VPN endpoint needs to be kept current, and yes, they go out of support and need to be upgraded/replaced periodically.






networkn
Networkn
32864 posts

Uber Geek
+1 received by user: 15455

ID Verified
Trusted
Lifetime subscriber

  #3203908 6-Mar-2024 20:58

The answer is yes: if your device is no longer a current model and isn't getting security upgrades and updates, then it should be replaced.

We like Fortinet, but SonicWalls are OK too (I've used them for over 15 years), as are Palo Alto, which I have little experience with personally but which get excellent reviews from industry peers I trust to make such judgements.


michaelmurfy
meow
13580 posts

Uber Geek
+1 received by user: 10912

Moderator
ID Verified
Trusted
Lifetime subscriber

  #3203948 7-Mar-2024 00:10

I personally use FortiGate, use it for work, and find it pretty good.

Depending on the size of the business you may get away with using Ubiquiti UniFi (if it is smaller) for a site-to-site VPN solution, but if it's multi-branch then you'd 100% want to have a proper solution in place, especially if the business depends on it. With a FortiGate you can set up SD-WAN and have it fail over to mobile backup or even something like Starlink.

They're pretty expensive, but the thing is you're getting a whole bunch of security features included.

If anyone says "Meraki" to you and quotes you on that then IMHO, run. Merakis basically brick themselves if you don't pay for a license, whereas Fortinet products just go "out of support" but will still work fine for routing and you can still make changes etc. Plus software-only licensing is actually pretty cheap for them (to allow you to get software updates + additional warranty).





Michael Murphy | https://murfy.nz
Opinions are my own and not the views of my employer.




nztim
4013 posts

Uber Geek
+1 received by user: 2710

ID Verified
Trusted
TEAMnetwork
Subscriber

  #3203959 7-Mar-2024 06:24

If you want UTM services (gateway AV or IPS) then go for the likes of SonicWALL or FortiGate;

otherwise MikroTik.

You should engage with your MSP to provide an end-to-end solution.





Any views expressed on these forums are my own and don't necessarily reflect those of my employer. 


BlueOwl
87 posts

Master Geek
+1 received by user: 69

Lifetime subscriber

  #3203978 7-Mar-2024 08:38

Off the top of my head, there are no urgent security risks at the moment for the Juniper SRX 100 and 200 series, which are all past EOL. The biggest risk is that they suffered from bad power supplies and also flash memory wear from excessive writes. Unfortunately you usually find out when there's a power cut and they don't come back again. Grey-market power supplies are around, but if the flash has worn then it's a brick.

The easiest upgrade path is to the Juniper SRX 300 series - it's literally a copy and paste of the config (maybe changing interface names from fe-xx to ge-xx). That said, the SRXs are complex and pricey boxes - you need to pay for the hardware, the software, and a support contract all separately.

Typically for Juniper they're also very feature-rich, particularly in the routing and VPN area. If you migrate to an alternative, such as FortiGate, be aware that it may not support the same functions.

 

 


grass99

2 posts

Wannabe Geek


  #3205438 11-Mar-2024 15:37

I understand the need to keep current, but these are not mission-critical WAN links. They're used for database sync for CRM (the site-to-site VPN), which could be delayed a few days without significant impact. Email and web traffic just goes out via the internet.

The branch offices are only for 3-10 people at the biggest.

If we continue to run these devices beyond their support then what is the risk? Yes, hardware failure could become an issue, but we would just replace them at that point.

If a vulnerability is found in the software then what is the likelihood of it being exposed? Our data is not particularly sensitive.

As I understand it, the IP addresses of the offices are whitelisted, so exposure to hacking, even if there was a vulnerability, ought to be mitigated.

All of this is based on risk, which I guess at the end of the day we need to understand. But I think we probably have an even bigger risk with old hardware and backups that may or may not be taking place.

 
 
 

nztim
4013 posts

Uber Geek
+1 received by user: 2710

ID Verified
Trusted
TEAMnetwork
Subscriber

  #3205505 11-Mar-2024 21:42

Ask yourself:

If someone managed to plug into your network and compromise your router, would you be okay with that?




Any views expressed on these forums are my own and don't necessarily reflect those of my employer. 


cddt
1967 posts

Uber Geek
+1 received by user: 1904


  #3205543 12-Mar-2024 08:12

grass99: 

If a vulnerability is found in the software then what is the likelihood of it being exposed? Our data is not particularly sensitive.

 

These days it is less about the sensitivity and more about whether it has any value to you. 







BlueOwl
87 posts

Master Geek
+1 received by user: 69

Lifetime subscriber

  #3205555 12-Mar-2024 09:42

grass99: I understand the need to keep current, but these are not mission-critical WAN links. They're used for database sync for CRM (the site-to-site VPN), which could be delayed a few days without significant impact. Email and web traffic just goes out via the internet.

The branch offices are only for 3-10 people at the biggest.

If we continue to run these devices beyond their support then what is the risk? Yes, hardware failure could become an issue, but we would just replace them at that point.

If a vulnerability is found in the software then what is the likelihood of it being exposed? Our data is not particularly sensitive.

As I understand it, the IP addresses of the offices are whitelisted, so exposure to hacking, even if there was a vulnerability, ought to be mitigated.

All of this is based on risk, which I guess at the end of the day we need to understand. But I think we probably have an even bigger risk with old hardware and backups that may or may not be taking place.

If you've configured whitelisting for the management access to the router, and configured a reasonably good random password, then the risk is very low. The SRX has been around for a long time and is used by many large companies globally, subjecting it to much scrutiny and many audits. The few vulnerabilities that have been found are usually related to the advanced features, and from memory I think the biggest impact is that someone might be able to run a denial of service and make it reboot.

 

 


nztim
4013 posts

Uber Geek
+1 received by user: 2710

ID Verified
Trusted
TEAMnetwork
Subscriber

  #3205568 12-Mar-2024 11:20

Adding to this, the VPN is probably using insecure protocols such as IKEv1, aggressive mode, AES128, SHA1 or, even worse, manual key.

This is so traffic cannot be intercepted at any hop between your two sites.

All VPNs should be using IKEv2, AES256/SHA256 with DH and PFS groups of at least 5, on both Phase 1 and Phase 2 selectors.

The SonicWALL 7.1 firmware on the Gen7 has dropped these insecure VPN selectors as a responder, but still supports them if the SonicWALL is the initiator connecting to a remote site.





Any views expressed on these forums are my own and don't necessarily reflect those of my employer. 
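The checks nztim lists above (IKEv2, AES-256/SHA-256, DH and PFS groups of at least 5, no aggressive mode, no manual keys), together with BlueOwl's earlier point about whitelisting management access, as an added example that is not part of the thread and not a Juniper tool: a Python script that audits a Junos SRX configuration in `display set` form and reports every setting that falls short. The object names, the two sample configurations, and the use of group5 as the floor are assumptions for illustration; the weak config is a typical legacy branch tunnel, the strong one is the same tunnel corrected.

```python
"""Audit Junos SRX IKE/IPsec settings for the weaknesses named in this thread.

Added example (not from the forum, not a Juniper tool). Input is the 'set ...'
form of a configuration ('show configuration | display set'). Flags IKEv1,
aggressive mode, non-AES-256 ciphers, SHA-1/MD5 integrity, DH/PFS groups
below 5, manual keying, and management services open on the untrust zone.
"""
import re
from collections import defaultdict

MIN_DH_GROUP = 5                     # thread's floor: "at least group 5"
WEAK_AUTH = {"md5", "sha1", "hmac-md5-96", "hmac-sha1-96"}
MGMT_SERVICES = {"all", "ssh", "https", "http", "telnet", "netconf", "ftp"}

# Constructed sample: a legacy branch tunnel of the kind the thread describes.
WEAK_CONFIG = """
set security ike proposal P1-OLD dh-group group2
set security ike proposal P1-OLD authentication-algorithm sha1
set security ike proposal P1-OLD encryption-algorithm aes-128-cbc
set security ike policy BRANCH-POL mode aggressive
set security ike policy BRANCH-POL proposals P1-OLD
set security ike gateway BRANCH-GW ike-policy BRANCH-POL
set security ike gateway BRANCH-GW version v1-only
set security ipsec proposal P2-OLD authentication-algorithm hmac-sha1-96
set security ipsec proposal P2-OLD encryption-algorithm aes-128-cbc
set security ipsec policy BRANCH-IPSEC proposals P2-OLD
set security ipsec vpn BRANCH-VPN ike gateway BRANCH-GW
set security zones security-zone untrust host-inbound-traffic system-services all
"""

# Constructed sample: the same tunnel brought up to the thread's recommendation.
STRONG_CONFIG = """
set security ike proposal P1 dh-group group14
set security ike proposal P1 authentication-algorithm sha-256
set security ike proposal P1 encryption-algorithm aes-256-cbc
set security ike policy BRANCH-POL mode main
set security ike policy BRANCH-POL proposals P1
set security ike gateway BRANCH-GW ike-policy BRANCH-POL
set security ike gateway BRANCH-GW version v2-only
set security ipsec proposal P2 authentication-algorithm hmac-sha-256-128
set security ipsec proposal P2 encryption-algorithm aes-256-cbc
set security ipsec policy BRANCH-IPSEC perfect-forward-secrecy keys group14
set security ipsec policy BRANCH-IPSEC proposals P2
set security ipsec vpn BRANCH-VPN ike gateway BRANCH-GW
set security zones security-zone untrust host-inbound-traffic system-services ike
"""

_LINE = re.compile(r"^set security (ike (?:proposal|policy|gateway)|ipsec (?:proposal|policy|vpn)"
                   r"|zones security-zone) (\S+) (.+)$")


def parse_set_lines(text):
    """Map (section, object name) -> {leaf path: set of values}."""
    objs = defaultdict(lambda: defaultdict(set))
    for line in text.strip().splitlines():
        m = _LINE.match(line.strip())
        if m:
            section, name, rest = m.groups()
            *leaf, value = rest.split()          # last token is the value
            objs[(section, name)][" ".join(leaf)].add(value)
    return objs


def _dh(group):
    m = re.fullmatch(r"group(\d+)", group or "")
    return int(m.group(1)) if m else 0          # unset/unknown counts as weakest


def audit(objs):
    """Return human-readable findings; an empty list means compliant."""
    findings = []
    for (section, name), leaves in objs.items():
        one = lambda leaf: next(iter(leaves.get(leaf, ())), None)
        tag = f"{section} {name}"
        if section == "ike gateway" and one("version") != "v2-only":
            findings.append(f"{tag}: IKEv1 allowed (set 'version v2-only')")
        elif section == "ike policy" and one("mode") == "aggressive":
            findings.append(f"{tag}: aggressive mode")
        elif section in ("ike proposal", "ipsec proposal"):
            enc, auth = one("encryption-algorithm") or "", one("authentication-algorithm")
            if "256" not in enc:
                findings.append(f"{tag}: encryption {enc or 'unset'} is not AES-256")
            if auth in WEAK_AUTH or (auth is None and "gcm" not in enc):
                findings.append(f"{tag}: integrity {auth or 'unset'} is not SHA-256")
            if section == "ike proposal" and _dh(one("dh-group")) < MIN_DH_GROUP:
                findings.append(f"{tag}: DH group below group{MIN_DH_GROUP}")
        elif section == "ipsec policy" and _dh(one("perfect-forward-secrecy keys")) < MIN_DH_GROUP:
            findings.append(f"{tag}: PFS missing or below group{MIN_DH_GROUP}")
        elif section == "ipsec vpn" and any(leaf.startswith("manual") for leaf in leaves):
            findings.append(f"{tag}: manual keying")
        elif section == "zones security-zone" and name == "untrust":
            exposed = leaves.get("host-inbound-traffic system-services", set()) & MGMT_SERVICES
            if exposed:
                findings.append(f"{tag}: management services {sorted(exposed)} reachable from "
                                "the internet; allow only 'ike' here and filter management "
                                "to whitelisted source addresses")
    return findings


def audit_text(text):
    return audit(parse_set_lines(text))


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("strong", STRONG_CONFIG)):
        print(f"{label}: {len(audit_text(cfg))} finding(s)", *audit_text(cfg), sep="\n  ")
```

Run it against `show configuration | display set | match "security (ike|ipsec|zones)"` pasted into `WEAK_CONFIG` and the weak sample yields nine findings, the corrected one none. The zone check is deliberately blunt: `system-services all` on untrust means the management plane, not just IKE, answers to the whole internet, which is exactly the case where an unpatched box stops being a theoretical risk.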


michaelmurfy
meow
13580 posts

Uber Geek
+1 received by user: 10912

Moderator
ID Verified
Trusted
Lifetime subscriber

  #3205578 12-Mar-2024 12:12

BlueOwl:

If you've configured whitelisting for the management access to the router, and configured a reasonably good random password, then the risk is very low. The SRX has been around for a long time and is used by many large companies globally, subjecting it to much scrutiny and many audits. The few vulnerabilities that have been found are usually related to the advanced features, and from memory I think the biggest impact is that someone might be able to run a denial of service and make it reboot.

Whitelists aside, there are some pretty serious critical and actively exploited vulnerabilities in older versions of JunOS.

Depending on the version of JunOS there could well be the famous backdoor: https://www.wired.com/2015/12/researchers-solve-the-juniper-mystery-and-they-say-its-partially-the-nsas-fault/

The thing is, regardless of "our data isn't that sensitive", the firewall should be seen as your main source of defense for a network. If it's only to another site then simple: replace it with a UniFi Dream Machine, upgrade the WiFi, add security cameras or whatever, but then you've basically got a one-click site-to-site VPN you're able to do securely. Job done.





Michael Murphy | https://murfy.nz
Opinions are my own and not the views of my employer.


 
 
 

toejam316
1516 posts

Uber Geek
+1 received by user: 888

Trusted
Lifetime subscriber

  #3205581 12-Mar-2024 12:17

Given the scale of your sites, you could probably get away quite comfortably replacing those units with a few Mikrotiks, RB4011 or RB5009 should have plenty of power to handle a few site to site tunnels with modern encryption.

 

Go through what you've actually got running on those boxes, make sure the featureset can be built on an alternative like the Mikrotiks, and then build up a replacement in parallel, test it, and cut it over.






 

Anything I say is the ramblings of an ill informed, opinionated so-and-so, and not representative of any of my past, present or future employers, and is also probably best disregarded.


michaelmurfy
meow
13580 posts

Uber Geek
+1 received by user: 10912

Moderator
ID Verified
Trusted
Lifetime subscriber

  #3205584 12-Mar-2024 12:34

@toejam316 Yeah I was thinking Mikrotiks also but sounds like these are small sites and so UniFi may be better just from a support perspective. Depends on their IT support however.





Michael Murphy | https://murfy.nz
Opinions are my own and not the views of my employer.


BlueOwl
87 posts

Master Geek
+1 received by user: 69

Lifetime subscriber

  #3205586 12-Mar-2024 12:43

michaelmurfy:

 

Whitelists aside, there are some pretty serious critical and actively exploited vulnerabilities in older versions of JunOS.

 

Depending on the version of JunOS there could well be the famous backdoor: https://www.wired.com/2015/12/researchers-solve-the-juniper-mystery-and-they-say-its-partially-the-nsas-fault/ 

 

 

Please quote some of these "actively exploited vulnerabilities" against JunOS. Seriously - Juniper resellers and users would like to know about them.

 

The Wired article you link to refers to ScreenOS, which has nothing in common with JunOS.

 

 


michaelmurfy
meow
13580 posts

Uber Geek
+1 received by user: 10912

Moderator
ID Verified
Trusted
Lifetime subscriber

  #3205590 12-Mar-2024 13:11

BlueOwl:

Please quote some of these "actively exploited vulnerabilities" against JunOS. Seriously - Juniper resellers and users would like to know about them.

Correct. Ideally users should have vulnerability scanning in place to pick up critical vulnerabilities, along with a patching schedule to resolve them.

A single example is: https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-juniper-rce-bug-chain-after-poc-release/

There are other critical published vulnerabilities also. Regardless, the OP's software version can likely be exploited locally on the network as well, even if it were mitigated via firewall rules. You just don't know how it is configured, but it is irresponsible to have a firewall fronting a business with known critical vulnerabilities in place allowing for remote code execution.

BlueOwl: The Wired article you link to refers to ScreenOS, which has nothing in common with JunOS.

You're right. I stand corrected. But again, let's say the JunOS version was 5 years out of date, fronting a business with at least one critical RCE bug like the one posted above: wouldn't you too recommend either upgrading the firmware, if possible, or replacing an EOL device?





Michael Murphy | https://murfy.nz
Opinions are my own and not the views of my employer.
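The "vulnerability scanning plus a patching schedule" point above, as an added example that is neither from the thread nor a Juniper tool: the first thing such a schedule needs is a correct answer to "is this box at or above the version the advisory names?", and Junos version strings do not compare as plain strings (`12.1X46-D85` is an X-branch with D releases, `19.4R3-S4.1` is a mainline R release with a service release, and versions from different trains cannot be ordered at all). The parser below handles that; the inventory and the per-train minimum versions are constructed placeholders, not advisory data, and the real minimums must come from the vendor advisory for your platform.

```python
"""Compare running Junos versions against a per-train minimum version.

Added example, not from the thread and not a Juniper tool. Comparison is only
meaningful within one train (major.minor plus the optional X branch); across
trains the function refuses rather than guessing. MINIMUM_BY_TRAIN and
INVENTORY below are constructed placeholders for illustration.
"""
import re

_VER = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)(?:X(?P<x>\d+))?"                 # train
    r"(?:-?(?P<rtype>[RDBIF])(?P<rnum>\d+)(?:\.(?P<rbuild>\d+))?)?"     # release
    r"(?:-S(?P<snum>\d+)(?:\.(?P<sbuild>\d+))?)?$")                     # service release

# Release letters in ascending maturity; D (X-branch) and R (mainline) both
# denote a released build and never meet within one train anyway.
_RANK = {"I": 0, "B": 1, "F": 2, "R": 3, "D": 3}


def parse_junos_version(v):
    """Return (train, sort_key); sort_key orders correctly within that train."""
    m = _VER.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version: {v!r}")
    g = m.groupdict()
    train = f"{g['major']}.{g['minor']}" + (f"X{g['x']}" if g["x"] else "")
    key = (_RANK.get(g["rtype"], -1), int(g["rnum"] or 0), int(g["rbuild"] or 0),
           int(g["snum"] or 0), int(g["sbuild"] or 0))
    return train, key


def is_at_least(running, minimum):
    """True if 'running' is in the same train as 'minimum' and not older."""
    rt, rk = parse_junos_version(running)
    mt, mk = parse_junos_version(minimum)
    if rt != mt:
        raise ValueError(f"train mismatch: {running} vs {minimum}")
    return rk >= mk


def check_fleet(inventory, minimums):
    """Return {hostname: reason} for every device that needs attention."""
    needs_action = {}
    for host, running in inventory.items():
        train, _ = parse_junos_version(running)
        minimum = minimums.get(train)
        if minimum is None:
            needs_action[host] = f"{running}: train {train} has no fixed version listed (EOL or unknown)"
        elif not is_at_least(running, minimum):
            needs_action[host] = f"{running}: below minimum {minimum}"
    return needs_action


# Constructed placeholders, not real advisory data: replace with the fixed
# versions from the vendor advisory that applies to your platform.
MINIMUM_BY_TRAIN = {"12.1X46": "12.1X46-D90", "19.4": "19.4R3-S5"}
INVENTORY = {
    "branch-a": "12.1X46-D85",    # same train, older D release
    "branch-b": "12.1X46-D90.3",  # same train, at minimum (build suffix)
    "branch-c": "19.4R3-S5.1",    # service release above minimum
    "branch-d": "19.4R3",         # no service release applied yet
    "branch-e": "12.3X48-D105",   # train absent from the table
}

if __name__ == "__main__":
    for host, reason in check_fleet(INVENTORY, MINIMUM_BY_TRAIN).items():
        print(f"{host}: {reason}")
```

Feed `INVENTORY` from `show version` over NETCONF or from whatever scanner you already run; a train that is missing from the table is reported rather than silently passed, which is the case an EOL branch box lands in: there is no fixed version to upgrade to, so the only remediation is replacement.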

