2.3 Ensure 'Protect RE' Firewall filter includes Rate-Limiting for Management Services terms

Information

Policers should be applied to Management Services

Rationale:

Junos supports a wide range of Management, Monitoring and Automation Services, making it an extremely flexible and adaptable platform. However, as with any computer system, the more services that are offered and the more hosts to which they are available, the wider attack surface is offered to a potential attacker.

An attacker, or a misconfigured or failing management server, might flood a service on the Junos device with excessive traffic in a Denial of Service (DoS) attack, resulting in increased load and potentially even a failure of the service or the targeted device.

To prevent this, Rate-limiting can be applied to the Firewall Filter Terms already configured for Management Services in Recommendation 2.1 - Ensure 'Protect RE' Firewall Filter includes explicit terms for all Management Services, by configuring a policer as appropriate for each service.

In some environments, it may also be appropriate to configure policers for Routing Protocols or other Services, although this is less common practice and can lead to unstable network conditions without careful design and testing.

A full discussion of how Rate-limiting is configured and implemented in Junos, and across different specific chipsets and platforms, is beyond the scope of this Benchmark. The Junos Day One books Deploying Basic QoS and Hardening Junos Devices, 2nd Edition are available free of charge from the Juniper website and provide excellent coverage of QoS/CoS techniques and of the application of Rate-limiting to Firewall Filters respectively.

Impact:

Firewall Filters should be carefully tested before implementation on production systems as incorrect configuration may prevent normal services functioning.

It is strongly recommended that changes to Firewall Filters are applied using commit confirmed so that changes will be automatically rolled back should they prevent the administrator from connecting to the Junos Device.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

A full discussion of Firewall Filters is beyond the scope of this Benchmark.
It is important to ensure that Firewall Filters include terms to match and accept all of your required Routing Protocols, Management Services and any other services used on your Junos Device. As noted elsewhere, it is strongly recommended that changes to Firewall Filters applied to the Loopback interface always be applied using commit confirmed so that the change will be automatically rolled back should the administrator lose connection after committing the change.
In this example we will add Rate-Limiting to the Management Services terms configured in Recommendation 2.2 Ensure 'Protect RE' Firewall Filter includes explicit terms for all Management Services Draft, using the following commands from the [edit firewall] hierarchy.
First we need to create the two 'policer' definitions, which can be re-used in multiple terms and in multiple filters.

[edit firewall]
mwhite@SRX1# set policer limit-10m if-exceeding bandwidth-limit 10m
mwhite@SRX1# set policer limit-10m if-exceeding burst-size-limit 625k
mwhite@SRX1# set policer limit-10m then discard
mwhite@SRX1# set policer limit-1m if-exceeding bandwidth-limit 1m
mwhite@SRX1# set policer limit-1m if-exceeding burst-size-limit 15k
mwhite@SRX1# set policer limit-1m then discard

These policers set a bandwidth-limit of 10Mb/s and 1Mb/s respectively, with an appropriate burst-size set on each proportional to the configured limit to allow bursts to briefly exceed the limit and smooth the impact of the policer on the service.
The limit-10m policer is then applied to both the AcceptSSH and AcceptHTTPS terms in the CIS-Example-IPv4 filter configured previously. The policer applies separately to each term, so SSH and HTTPS can each receive 10Mb/s of traffic, not a combined 10Mb/s between them.

[edit firewall]
mwhite@SRX1# set family inet filter CIS-Example-IPv4 term AcceptSSH then policer limit-10m
mwhite@SRX1# set family inet filter CIS-Example-IPv4 term AcceptHTTPS then policer limit-10m

Finally, we apply the lower 'limit-1m' 1Mb/s policer to the existing AcceptSNMP term:

[edit firewall]
mwhite@SRX1# set family inet filter CIS-Example-IPv4 term AcceptSNMP then policer limit-1m

If it is not already applied, the filter can now be applied to the Loopback interface, using the following command from the [edit interfaces] hierarchy:

[edit interfaces]
mwhite@SRX1# set lo0 unit 0 family inet filter input CIS-Example-IPv4

Note - The example filter above is not complete and may not be suitable for all environments; all other traffic to the Junos Device will be discarded.
Your filters should include terms for all of the Management, Monitoring and Automation services, as well as any Routing Protocols or other services such as IPSEC or BFD in use in your network.
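The following Python script is an added example and is not part of the CIS Benchmark, the Tenable audit or Juniper's own tooling. It parses a Junos configuration in "set" form (the same form shown in the commands above) and performs the check this recommendation calls for: every Management Services term in the 'Protect RE' filter must reference a policer, the policer must define a bandwidth-limit, a burst-size-limit and an action, and the filter must be applied as the input filter on the Loopback interface. The sample configuration is constructed for illustration; the AcceptNTP term, left deliberately without a policer so that the check has something to report, and the DiscardRest term are assumptions rather than terms from Recommendation 2.2. The burst-window figure relies on Junos expressing bandwidth-limit in bits per second and burst-size-limit in bytes.

```python
import re
from collections import defaultdict

# Constructed sample in Junos "set" form, mirroring the recommendation's
# policers and terms. AcceptNTP (assumed term) has no policer on purpose.
SAMPLE_CONFIG = """
set firewall policer limit-10m if-exceeding bandwidth-limit 10m
set firewall policer limit-10m if-exceeding burst-size-limit 625k
set firewall policer limit-10m then discard
set firewall policer limit-1m if-exceeding bandwidth-limit 1m
set firewall policer limit-1m if-exceeding burst-size-limit 15k
set firewall policer limit-1m then discard
set firewall family inet filter CIS-Example-IPv4 term AcceptSSH from destination-port ssh
set firewall family inet filter CIS-Example-IPv4 term AcceptSSH then policer limit-10m
set firewall family inet filter CIS-Example-IPv4 term AcceptSSH then accept
set firewall family inet filter CIS-Example-IPv4 term AcceptHTTPS from destination-port https
set firewall family inet filter CIS-Example-IPv4 term AcceptHTTPS then policer limit-10m
set firewall family inet filter CIS-Example-IPv4 term AcceptHTTPS then accept
set firewall family inet filter CIS-Example-IPv4 term AcceptSNMP from destination-port snmp
set firewall family inet filter CIS-Example-IPv4 term AcceptSNMP then policer limit-1m
set firewall family inet filter CIS-Example-IPv4 term AcceptSNMP then accept
set firewall family inet filter CIS-Example-IPv4 term AcceptNTP from destination-port ntp
set firewall family inet filter CIS-Example-IPv4 term AcceptNTP then accept
set firewall family inet filter CIS-Example-IPv4 term DiscardRest then discard
set interfaces lo0 unit 0 family inet filter input CIS-Example-IPv4
"""

SUFFIX = {"k": 1_000, "m": 1_000_000, "g": 1_000_000_000}


def parse_rate(token):
    """Convert a Junos size token such as '10m' or '625k' to an integer."""
    m = re.fullmatch(r"(\d+)([kmg]?)", token.lower())
    if not m:
        raise ValueError(f"unrecognised rate token: {token}")
    return int(m.group(1)) * SUFFIX.get(m.group(2), 1)


def parse_set_config(text):
    """Extract policers, inet filter terms and interface filter bindings."""
    policers = defaultdict(dict)
    terms = defaultdict(lambda: defaultdict(dict))   # filter -> term -> data
    bindings = set()                                 # (interface, direction, filter)
    for line in text.strip().splitlines():
        w = line.split()
        if len(w) < 4 or w[0] != "set":
            continue
        if w[1:3] == ["firewall", "policer"]:
            name = w[3]
            if w[4] == "if-exceeding":
                policers[name][w[5]] = parse_rate(w[6])
            elif w[4] == "then":
                policers[name]["action"] = w[5]
        elif w[1:5] == ["firewall", "family", "inet", "filter"] and w[6] == "term":
            t = terms[w[5]][w[7]]
            if w[8] == "then" and w[9] == "policer":
                t["policer"] = w[10]
            elif w[8] == "then":
                t.setdefault("actions", []).append(w[9])
            elif w[8] == "from":
                t.setdefault("match", []).append(" ".join(w[9:]))
        elif w[1] == "interfaces" and "filter" in w:
            i = w.index("filter")
            bindings.add((w[2], w[i + 1], w[i + 2]))
    return policers, terms, bindings


def burst_window_seconds(policer):
    """Seconds a line-rate burst may exceed the limit before the policer acts:
    burst-size-limit is in bytes, bandwidth-limit in bits per second."""
    return policer["burst-size-limit"] * 8 / policer["bandwidth-limit"]


def check_rate_limiting(text, filter_name, management_terms, interface="lo0"):
    """Return a list of findings; an empty list means every term passes."""
    policers, terms, bindings = parse_set_config(text)
    findings = []
    for term in management_terms:
        t = terms.get(filter_name, {}).get(term)
        if t is None:
            findings.append(f"{term}: term not found in filter {filter_name}")
            continue
        pol = t.get("policer")
        if pol is None:
            findings.append(f"{term}: no policer applied")
            continue
        p = policers.get(pol)
        if p is None:
            findings.append(f"{term}: references undefined policer {pol}")
            continue
        for key in ("bandwidth-limit", "burst-size-limit", "action"):
            if key not in p:
                findings.append(f"{term}: policer {pol} has no {key}")
    if (interface, "input", filter_name) not in bindings:
        findings.append(f"{filter_name}: not applied as input filter on {interface}")
    return findings


if __name__ == "__main__":
    report = check_rate_limiting(
        SAMPLE_CONFIG, "CIS-Example-IPv4",
        ["AcceptSSH", "AcceptHTTPS", "AcceptSNMP", "AcceptNTP"])
    for f in report or ["all management terms are rate-limited"]:
        print(f)
```

Run against the sample, the script reports only "AcceptNTP: no policer applied". To use it on a real device, feed it the output of "show configuration | display set" and replace the term list with the Management Services terms from your own filter; the burst_window_seconds helper is useful when reviewing whether a burst-size-limit is proportionate to its bandwidth-limit (0.5 s for limit-10m and 0.12 s for limit-1m in the example above).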

Default Value:

No firewall filters are configured by default.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(12), CSCv6|9, CSCv7|9.4

Plugin: Juniper

Control ID: ffdce04ef6e331ee53acafbec05157e132a858c73f505832a255d1f705a851d9