2.6 Ensure firewall filters contain explicit deny and log term

Information

Filters should include a final Deny and Log term.

Rationale:

Firewall filters are built up of one or more terms, which are evaluated in order until either one is matched (at which point the terms then action is taken) or the final term has been evaluated, at which point the default action is to discard the packet.

It is important to log packets which are denied by the firewall filter, these may indicate an attempted attack or could suggest a problem in the network or with the firewall filter itself.

A term should be added to the end of the each firewall filter which logs the packet header information and blocks the packet. The discard method is used to block the packet silently, with no message sent back to the source, denying the attacker information and limiting resource usage on the router.

Impact:

Firewall Filters should be carefully tested before implementation on production systems as incorrect configuration may prevent normal services functioning.

It is strongly recommended that changes to Firewall Filters are applied using commit confirmed so that changes will be automatically rolled back should they prevent the administrator from connecting to the Junos Device.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

To create a firewall filter term enter the following command from the [edit firewall family <family> filter <filter name>] hierarchy.

[edit firewall family inet filter <filter name>]
user@host#set term <term name> then discard
user@host#set term <term name> then syslog
user@host#set term <term name> then log

Default Value:

No firewall filters are configured by default.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(12), CSCv7|9.4

Plugin: Juniper

Control ID: 683d77e4f7f6d7698263234b9c4f311d514010ca6dbb39c4e07f5a88ab30c5c4