4.2.6 Ensure PSNP authentication check is not set to suppressed

Information

IS-IS Neighbors should be authenticated.

Rationale:

Where it is deployed, IS-IS routing is vital for normal operation of an organization's network infrastructure. Correct route information is required for routers to correctly direct traffic through the network. An attacker posing as one of the target routers IS-IS neighbors may inject incorrect information into the route table resulting in DoS attack or loss of confidential data through a Man in the Middle attack.

On JUNOS routers it is possible to suppress some authentication features to aid integration with other vendors IS-IS implementations. One of these interoperability features allows you to configure the router to ignore authentication for Partial Sequence Number PDU (PSNP) messages from other routers. This potentially leaves the router open to attack through PSNP messages to the same extent as it would be were authentication not configured at all.

Solution

If you have deployed IS-IS in your network and have disabled PSNP authentication checking, re-enable it by issuing the following command from the [edit protocols isis] hierarchy for each level at which it was set:

[edit protocols isis]
user@host#delete level <level> no-psnp-authentication

Default Value:

No IS-IS routing is configured by default.

PSNP Authentication is not suppressed by default when IS-IS is configured

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5, 800-53|IA-5(1), CSCv7|16.4

Plugin: Juniper

Control ID: f7d9a2c057ad5799e09bdbc3b2da18a4472ea760b847e3e5efc082134dbd320f