3.10 Ensure inbound firewall filter is set for Loopback interface

Information

A Firewall Filter should be applied to lo0.

Rationale:
JUNOS routers can provide a wide range of services to the network and, as with any computer system, the more services that are offered and the more hosts they are available to, the wider attack surface is offered to a potential attacker.
To protect the router from attack a Firewall Filter should be applied to all inbound traffic to the Routing Engine which limits the hosts able to connect to the router and the services on which they are permitted to connect.
If applied to the lo0interface the filter will apply to all traffic sent to the Routing Engine rather than to traffic traversing the router. Where IPv6 traffic is also handled by the router a firewall filter will also need to be applied for family inet 6.
See the Firewall section for details of how to configure Firewall Filters.
NOTE : The Firewall Filter applies to ALL traffic sent to the Routing Engine, including traffic sent to the routers interface addresses. Ensure your firewall filter allows all of the Routing, Management and other protocols which are required for normal operation prior to applying the filter.

Solution

To apply a firewall filter to the loopback interface enter the following command from the [edit interfaces] hierarchy:
[edit interfaces]
user@host#set lo0 unit 0 family inet filter input <filter name>

Default Value:
No firewall filters are configured by default.

See Also

https://workbench.cisecurity.org/files/2278

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(11), CSCv7|9.1

Plugin: Juniper

Control ID: 16f751310ba5b3897f5e15758a3cf5370212cf7ffa1f3534ea0856eed8de753b