2.1 Ensure firewall filter is set for inbound traffic to the Routing Engine

Information

Traffic to the Routing Engine should be filtered.

Rationale:
JUNOS routers can provide a wide range of services to the network and, as with any computer system, the more services that are offered and the more hosts to which they are available, the wider the attack surface presented to a potential attacker.
To protect the router from attack, a Firewall Filter should be applied to all inbound traffic to the Routing Engine, limiting the hosts able to connect to the router and the services to which they are permitted to connect.
Permitted traffic should be logged in most cases, although for some protocols this may produce excessive load on the router, so the impact of logging should be considered before it is applied.
If applied to the lo0 interface the filter will apply to all traffic sent to the Routing Engine. See Require Inbound Firewall Filter on Loopback Interface (Level 2, Not Scorable) for details of how to apply the filter.
Where the router processes IPv6 traffic, a filter will be required for family inet6 in addition to the family inet filter in the example shown below; a family inet filter does not match IPv6 packets.
NOTE: The Firewall Filter applies to ALL traffic sent to the Routing Engine, including traffic sent to the router's interface addresses. Because a JUNOS firewall filter ends with an implicit discard, any protocol the filter does not explicitly accept (routing protocols such as BGP, and management protocols such as NTP, DNS, SNMP and ICMP) will be dropped once the filter is applied. Ensure your firewall filter allows all of the Routing, Management and other protocols required for normal operation before applying it; committing with 'commit confirmed' gives an automatic rollback if the filter locks out management access.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

To create a firewall filter, enter the following commands from the [edit firewall] hierarchy:
[edit firewall]
user@host# edit family inet
[edit firewall family inet]
user@host# edit filter <filter name>
[edit firewall family inet filter <filter name>]
user@host# edit term <term name>
[edit firewall family inet filter <filter name> term <term name>]
user@host# set from <match conditions>
user@host# set then <action>
The following example filter allows SSH from 192.168.1.0/24 and OSPF from 10.0.0.0/8 while (implicitly) denying all other traffic:
firewall {
    family inet {
        filter ProtectRE {
            term AllowOSPF {
                from {
                    protocol ospf;
                    source-address 10.0.0.0/8;
                }
                then {
                    accept;
                }
            }
            term AllowSSH {
                from {
                    protocol tcp;
                    source-address 192.168.1.0/24;
                    destination-port ssh;
                }
                then {
                    accept;
                    log;
                    syslog;
                }
            }
        }
    }
}
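As an added worked example (not part of the benchmark text, and not Tenable or Juniper tooling), the following Python script checks a saved Junos configuration dump for the conditions this item describes: a family inet firewall filter is defined, lo0 unit 0 applies it as an input filter, every term that accepts traffic has a match condition and logs what it accepts, and the filter ends in an explicit, logged discard rather than relying on the implicit one. SAMPLE_CONFIG is a constructed 'show configuration' excerpt that extends the ProtectRE example above with an explicit final discard term (DenyRest, a placeholder name) and the lo0 binding; the function names are the example's own.

```python
"""Audit a Junos configuration dump for CIS 2.1 (inbound firewall filter on the Routing Engine).
Added example, not benchmark tooling; SAMPLE_CONFIG is a constructed 'show configuration' excerpt."""
import re

# Constructed sample: the page's ProtectRE filter plus an explicit logged discard and the lo0 binding.
SAMPLE_CONFIG = """
firewall {
    family inet {
        filter ProtectRE {
            term AllowOSPF { from { protocol ospf; source-address 10.0.0.0/8; } then accept; }
            term AllowSSH {
                from { protocol tcp; source-address 192.168.1.0/24; destination-port ssh; }
                then { accept; log; syslog; }
            }
            term DenyRest { then { log; discard; } }
        }
    }
}
interfaces { lo0 { unit 0 { family inet { filter { input ProtectRE; } } } } }
"""

def parse_junos(text):
    """Curly-brace Junos config -> nested dicts: block header -> dict of children, statement -> None."""
    text = re.sub(r"##[^\n]*", "", text)  # drop '## SECRET-DATA' / '## Last commit:' annotations
    stack = [{}]
    for tok in (t.strip() for t in re.findall(r"[^{};]+[{;]|\}", text)):
        if tok.endswith("{"):
            stack[-1][tok[:-1].strip()] = block = {}
            stack.append(block)
        elif tok == "}":
            stack.pop()
        else:  # 'statement;'
            stack[-1][tok[:-1].strip()] = None
    if len(stack) != 1:
        raise ValueError("unbalanced braces in configuration")
    return stack[0]

def get_path(tree, *keys):
    """Descend through nested blocks; None if any key is missing."""
    for key in keys:
        tree = tree.get(key) if isinstance(tree, dict) else None
    return tree

def children(block, prefix):
    """'<prefix> NAME' entries of a block as NAME -> child, e.g. every 'term X' of a filter."""
    return {k.split(None, 1)[1]: v for k, v in (block or {}).items() if k.startswith(prefix + " ")}

def term_actions(term):
    """Action keywords of a term, from either 'then accept;' or 'then { accept; log; }'."""
    acts = set(term.get("then") or {})
    acts.update(k.split(None, 1)[1] for k in term if k.startswith("then "))
    return acts

def has_match(term):
    return any(k == "from" or k.startswith("from ") for k in term)

def audit_protect_re(config_text):
    """PASS/WARN/FAIL findings, in evaluation order, for the Routing Engine filter."""
    tree = parse_junos(config_text)
    filters = children(get_path(tree, "firewall", "family inet"), "filter")
    if not filters:
        return ["FAIL: no firewall family inet filter is defined"]
    lo0 = get_path(tree, "interfaces", "lo0", "unit 0", "family inet", "filter")
    applied = next(iter(children(lo0, "input")), None)
    if applied not in filters:
        return [f"FAIL: lo0 unit 0 family inet input filter is {applied!r}; defined inet filters: {sorted(filters)}"]
    findings = [f"PASS: filter {applied} is applied inbound on lo0"]
    terms = list(children(filters[applied], "term").items())
    for name, term in terms:
        acts = term_actions(term)
        if "accept" in acts and not has_match(term):
            findings.append(f"FAIL: term {name} accepts all traffic (no from clause)")
        elif "accept" in acts and not acts & {"log", "syslog"}:
            findings.append(f"WARN: term {name} accepts without logging")
    last_name, last = terms[-1] if terms else (None, {})
    acts = term_actions(last)
    if not has_match(last) and acts & {"discard", "reject"}:
        verdict = "PASS" if acts & {"log", "syslog"} else "WARN"
        findings.append(f"{verdict}: final term {last_name} discards unmatched traffic, "
                        + ("logged" if verdict == "PASS" else "unlogged"))
    else:
        findings.append("WARN: no explicit final discard; unmatched traffic hits the implicit, unlogged discard")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_protect_re(SAMPLE_CONFIG)))
```

Run it against the output of 'show configuration' (the curly-brace form, not '| display set') in place of SAMPLE_CONFIG. The WARN it raises for AllowOSPF is the trade-off the Rationale describes: accepted traffic that is not logged is flagged for review rather than treated as a failure, while a term that accepts with no match condition, or a missing lo0 binding, is a failure of the control itself.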

Default Value:
No firewall filters are configured by default.

See Also

https://workbench.cisecurity.org/files/2278

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7, CSCv7|12.4

Plugin: Juniper

Control ID: c75cc36fc3262c3433f52002a5e793436744e975377fb63c9ef432ea2da458dc