Overview of Third-Party Applications on Junos OS Evolved
SUMMARY You can run third-party applications inside Linux containers or natively on Junos OS Evolved with signing keys. Applications use Juniper APIs to interact with the Junos OS Evolved system, and Linux APIs for network tasks. Unverified applications are blocked from running by an integrity solution called Integrity Measurement Architecture (IMA).
Introduction to Third-Party Applications on Junos OS Evolved
Junos OS Evolved runs natively on Linux, which means you can integrate third-party applications and tools developed for Linux into Junos OS Evolved. Linux development tools also give you the power to create and run your own applications on Junos OS Evolved. You can choose to run these applications inside a container, or natively on the device with signing keys.
Running Applications in Containers
Junos OS Evolved supports running applications inside Docker containers. Containers run on Junos OS Evolved, and applications run inside the containers, keeping them isolated from the OS. You can use prebuilt Docker container images and install additional tools and libraries inside the container. Containers can be upgraded by using a standard Linux workflow.
Containers are already a commonly used method for running Linux applications, so many existing third-party applications can be easily imported into Junos OS Evolved by deploying them inside containers. The isolated nature of containers makes them easy to deploy and remove without compromising the integrity of Junos OS Evolved. In addition, Junos OS Evolved places default limits on the resource usage of containers, to ensure that rogue containers cannot overwhelm your system.
The Docker container service is not automatically started at system initialization. To enable automatic startup for the Docker container service, enter the following command from the Linux shell:
# systemctl enable --now docker.service
For more information about running applications in containers, see Running Third-Party Applications in Containers.
Running Applications Natively With Signing Keys
Third-party applications can run natively on Junos OS Evolved by using signing keys. You generate signing keys and use them to sign executable files or shared objects. Signing an executable file gives it permission to run on the device, allowing you to approve trusted applications to run alongside authorized Juniper Networks software.
Signing keys are controlled by a Linux subsystem called Integrity Measurement Architecture (IMA). IMA policy consists of rules that define which actions need to be taken before a file can be executed. The IMA measurement policy measures and stores a file's hash, and the IMA appraisal policy makes sure that the file has a valid hash or digital signature. IMA only allows a file to run if this validation succeeds.
Junos OS Evolved requires users to sign all files that will be mapped into memory for execution. IMA verification helps ensure that these files have not been accidentally or maliciously altered. Containers and files inside containers do not need to be signed.
For more information about using signing keys, see Signing Third-Party Applications to Run Natively on Junos OS Evolved.
Application Prerequisites
Third-party applications are supported in the following Junos OS Evolved releases:
- Junos OS Evolved release 20.1R1 and later for applications in containers.
- Junos OS Evolved release 22.4R1 and later for native applications.
- Junos OS Evolved release 23.2R1 and later for dual Routing Engine applications.
Applications must support the Linux kernel version running on Junos OS Evolved to work properly. Use the show version command to view the currently running Linux kernel version.
Applications written for Junos OS Evolved typically require the ability to read and modify the networking state, to send and receive packets, and to read and modify the configuration. Junos OS Evolved supports a limited number of APIs, so applications must be configured with these APIs in mind.
Application APIs
There are two categories of APIs used by applications:
- Linux APIs for reading and modifying the networking state, and sending and receiving packets.
- Juniper APIs for interacting with the system.
Junos OS Evolved supports these two categories of APIs. Table 1 provides a high-level view of the set of APIs used by applications:
| API | Functionality |
| --- | --- |
| Packet IO and Linux socket APIs | Ability to send and receive packets over management and/or data interfaces. Standard libc: send, receive, listen, etc. |
| | Ability to use rtnetlink to query networking state such as interfaces, routes, etc. |
| | Ability to configure network devices. |
| | Ability to query kernel data structures using standard interfaces provided by the Linux kernel. |
| Junos APIs | Ability to access Juniper Northbound APIs: NETCONF/JET/Telemetry. |
For more information on Juniper Northbound APIs, see the following:
Security Caveats
Junos OS Evolved is designed from the ground up with security in mind. IMA and Linux containers help to control the security impact of third-party applications on Junos OS Evolved, but third-party applications still have the potential to introduce security vulnerabilities through malicious code.
Always consider the security implications of adding a third-party application to Junos OS Evolved. Make sure any applications you add to Junos OS Evolved are thoroughly vetted for potential security risks.
File Security with IMA
Network devices that run Junos OS Evolved are protected by an integrity solution called Integrity Measurement Architecture (IMA).
Integrity is a fundamental security property that represents trust, completeness, and freedom from alteration. In computer security, common targets for integrity protections are operating system files. A common method of ensuring integrity is to compare a file against a known good file.
In the context of Junos OS Evolved, the security goal is to ensure that the software running on a device has not been accidentally or maliciously altered. The software running on a device is either authentic Junos software from Juniper Networks or authorized software deployed by a customer.
The threat model for network devices includes attempts by malicious actors to deploy malware that violates either the implicit or explicit policies of device owners. Such malware could include back doors, Trojan horses, or implants that could adversely affect the safe and secure operation of devices or networks. Malicious actors use a variety of tools, techniques, and procedures to breach integrity, including physical attacks, local attacks, and remote attacks.
Many regulatory schemes levy file integrity requirements, including PCI DSS (Payment Card Industry Data Security Standard, Requirement 11.5), SOX (Sarbanes-Oxley Act, Section 404), NERC CIP (NERC CIP Standard CIP-010-2), FISMA (Federal Information Security Management Act, NIST SP 800-53 Rev3), HIPAA (Health Insurance Portability and Accountability Act of 1996, NIST Publication 800-66), and the SANS Critical Security Controls (Control 3).
In order to ensure file integrity and to mitigate the malware risk, Junos OS Evolved runs IMA, and a companion mechanism: the Extended Verification Module (EVM). These open source protections are part of a set of Linux Security Modules that are industry-standard and consistent with the trust mechanisms specified by the Trusted Computing Group.
Juniper Networks applies digital signatures to Junos OS Evolved files, and allows customers to apply digital signatures as well. Digital signatures are created using protected private keys, and then verified using public keys embedded into one or more keyrings.
The IMA/EVM subsystem protects the system by performing run-time checks. If a file fails verification, it is not opened or executed.
That means that unverified software is blocked on a device running Junos OS Evolved.
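The measure-then-appraise flow described in the signing-keys section and here, as an added toy model in Python; this is illustrative code, not Junos OS Evolved or Linux kernel code, and the sample files and the list of trusted digests are constructed inline. Real IMA appraisal verifies a digital signature against a keyring; the model simplifies that to a known-good digest per file while keeping the two distinct policy actions (record the measurement, then enforce).

```python
"""Toy model of IMA measurement and appraisal (illustrative, not kernel code)."""
import hashlib
from dataclasses import dataclass, field

# Constructed "files": path -> bytes that would be mapped into memory for execution.
FILES = {
    "/usr/bin/approved-tool": b"#!/bin/sh\necho approved\n",
    "/usr/bin/tampered-tool": b"#!/bin/sh\necho tampered\n",
    "/usr/bin/unsigned-tool": b"#!/bin/sh\necho unsigned\n",
}

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Stand-in for the keyring (constructed): digests the operator approved.
# The tampered tool's digest was recorded before its contents changed,
# and the unsigned tool was never approved at all.
TRUSTED_DIGESTS = {
    "/usr/bin/approved-tool": digest(FILES["/usr/bin/approved-tool"]),
    "/usr/bin/tampered-tool": digest(b"#!/bin/sh\necho original\n"),
}

@dataclass
class ImaState:
    # Measurement log of (path, digest) entries plus a PCR-style running
    # hash that is extended with every measured digest, as a TPM would do.
    log: list = field(default_factory=list)
    pcr: str = "0" * 64

    def measure(self, path: str, data: bytes) -> str:
        d = digest(data)
        self.log.append((path, d))
        self.pcr = hashlib.sha256(bytes.fromhex(self.pcr) + bytes.fromhex(d)).hexdigest()
        return d

    def appraise(self, path: str, data: bytes) -> bool:
        """True only if the file's current digest matches its trusted digest."""
        return TRUSTED_DIGESTS.get(path) == digest(data)

def exec_request(state: ImaState, path: str) -> str:
    """Model the open-for-execute hook: measure first, then appraise and enforce."""
    data = FILES[path]
    state.measure(path, data)           # measurement policy: always record
    if not state.appraise(path, data):  # appraisal policy: block on failure
        return "denied"
    return "allowed"

if __name__ == "__main__":
    st = ImaState()
    for p in FILES:
        print(p, exec_request(st, p))
```

Note that every execution attempt lands in the measurement log, including the denied ones, which is what makes the log useful for detecting tampering attempts after the fact.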