Methods of Remote Access for Device Management
When you first install Junos OS, all remote access to the device is disabled, thereby ensuring that remote access is possible only if deliberately enabled by an authorized user. You can establish remote communication with a device in one of the following ways:
• Out-of-band management: Enables connection to the device through an interface dedicated to device management. Juniper Networks devices support out-of-band management with a dedicated management Ethernet interface, as well as EIA-232 console and auxiliary ports. On all devices other than the TX Matrix Plus, T1600, T1600 or T4000 devices connected to a TX Matrix Plus device in a routing matrix, and PTX Series Packet Transport Routers, the management interface is fxp0. On a TX Matrix Plus, T1600, T1600 or T4000 devices in a routing matrix, and PTX Series Packet Transport Routers, the management Ethernet interface is labeled em0. The management Ethernet interface connects directly to the Routing Engine. No transit traffic is allowed through this interface, providing complete separation of customer and management traffic and ensuring that congestion or failures in the transit network do not affect the management of the device.
• Inband management: Enables connection to the devices using the same interfaces through which customer traffic flows. Although this approach is simple and requires no dedicated management resources, it has two disadvantages:
  • Management flows and transit traffic flows are mixed together. Any attack traffic that is mixed with the normal traffic can affect the communication with the device.
  • The links between device components might not be totally trustworthy, leading to the possibility of wiretapping and replay attacks.
For management access to the device, the standard ways to communicate with the device from a remote console are with Telnet and SSH. SSH provides secure encrypted communications and is therefore useful for inband device management. Telnet provides unencrypted, and therefore less secure, access to the device.
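The following configuration stanza is an added example and is not taken from the original guide: it addresses the out-of-band interface, enables SSH with a restrictive profile, and leaves Telnet unconfigured so that it stays in its post-install disabled state. The address 192.0.2.10/24 is a constructed management address, and the example assumes a platform whose management interface is fxp0 (on the platforms listed above it would be em0 instead).

```junos
/* Added example (not from the original guide). Assumes fxp0 is the
   management Ethernet interface; 192.0.2.10/24 is a constructed address. */
interfaces {
    fxp0 {
        description "Out-of-band management only; carries no transit traffic";
        unit 0 {
            family inet {
                address 192.0.2.10/24;
            }
        }
    }
}
system {
    services {
        /* Only SSH is listed. Telnet is deliberately absent from this stanza,
           which keeps it disabled, as it is after a fresh install. */
        ssh {
            protocol-version v2;
            root-login deny;
            connection-limit 10;
            rate-limit 5;
        }
    }
}
```

After committing, `show configuration system services` should list only the `ssh` stanza; if a `telnet` stanza appears there, unencrypted management access has been enabled on the device.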
Junos OS Supported Protocols and Methods for User Authentication
On a device, you can create local user login accounts to control who can log in to the device and the access privileges they have. A password, either an SSH key or a Message Digest 5 (MD5) password, is associated with each login account. To define access privileges, you create login classes into which you group users with similar jobs or job functions. You use these classes to explicitly define what commands their users are and are not allowed to issue while logged in to the device.
The management of multiple devices by many different personnel can create a user account management problem. One solution is to use a central authentication service to simplify account management, creating and deleting user accounts only on a single, central server. A central authentication system also simplifies the use of one-time password systems such as SecureID, which
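The stanza below is an added example, not configuration from the original guide. It shows the two mechanisms the section describes working together: a login class that limits a local account to read-only operation while explicitly allowing and denying specific commands, and a central RADIUS server consulted before the local password database. The RADIUS address 192.0.2.20, the shared secret, the public key and the user and class names are all placeholders constructed for this example.

```junos
/* Added example (not from the original guide). 192.0.2.20, the shared
   secret, the SSH public key, and the user/class names are placeholders. */
system {
    /* Consult the central RADIUS server first; fall back to the local
       password database only if RADIUS does not answer. */
    authentication-order [ radius password ];
    radius-server {
        192.0.2.20 {
            secret "<radius-shared-secret>";
            source-address 192.0.2.10;
        }
    }
    login {
        /* Read-only class: can view state and configuration, may run
           ping/traceroute even though 'view' alone would not permit them,
           and is explicitly denied restart and shutdown requests. */
        class noc-readonly {
            idle-timeout 15;
            permissions [ view view-configuration ];
            allow-commands "^(ping|traceroute) ";
            deny-commands "^request system (halt|reboot|power-off)";
        }
        /* Local account keyed by SSH public key rather than a password. */
        user noc-monitor {
            uid 2001;
            class noc-readonly;
            authentication {
                ssh-rsa "ssh-rsa <public-key> noc-monitor@example";
            }
        }
    }
}
```

The `allow-commands` and `deny-commands` regular expressions are evaluated in addition to the class permissions, so a class can be granted a narrow permission set and then have individual commands added or removed; `show cli authorization` run as the user displays the effective permissions and command restrictions for verification.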