JUEX-NM-000530 - The Juniper EX switch must be configured to protect against known types of denial-of-service (DoS) attacks by employing organization-defined security safeguards.

Information

DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity.

This requirement addresses the configuration of network devices to mitigate the impact of DoS attacks that have occurred or are ongoing on device availability. For each network device, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exist to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or restricting the number of sessions the device opens at one time). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks.

The security safeguards cannot be defined at the DoD-level because they vary according to the capabilities of the individual network devices and the security controls applied on the adjacent networks (for example, firewalls performing packet filtering to block DoS attacks).

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Configure the network device to protect against or limit the effects of all known types of DoS attacks by employing organization-defined security safeguards.

SSH example:
set system services ssh connection-limit <1..250>
set system services ssh rate-limit <1..250>

NETCONF over SSH example:
set system services netconf ssh connection-limit <1..250>
set system services netconf ssh rate-limit <1..250>

Example firewall filters:
set firewall family inet filter <filter name> term 1 from destination-address <device OOBM or loopback address>
set firewall family inet filter <filter name> term 1 from source-prefix-list <management address list name>
set firewall family inet filter <filter name> term 1 from protocol tcp
set firewall family inet filter <filter name> term 1 from destination-port 22
set firewall family inet filter <filter name> term 1 from tcp-initial
set firewall family inet filter <filter name> term 1 then policer policer-32k
set firewall family inet filter <filter name> term 1 then syslog
set firewall family inet filter <filter name> term 1 then accept
set firewall family inet filter <filter name> term 2 from destination-address <device OOBM or loopback address>
set firewall family inet filter <filter name> term 2 from source-prefix-list <management address list name>
set firewall family inet filter <filter name> term 2 from protocol tcp
set firewall family inet filter <filter name> term 2 from destination-port 22
set firewall family inet filter <filter name> term 2 then syslog
set firewall family inet filter <filter name> term 2 then accept
set firewall family inet filter <filter name> term default then syslog
set firewall family inet filter <filter name> term default then discard
set firewall family inet6 filter <filter name-1> term 1 from destination-address <device OOBM or loopback address>
set firewall family inet6 filter <filter name-1> term 1 from source-prefix-list <management address list name-1>
set firewall family inet6 filter <filter name-1> term 1 from next-header tcp
set firewall family inet6 filter <filter name-1> term 1 from destination-port 22
set firewall family inet6 filter <filter name-1> term 1 from tcp-initial
set firewall family inet6 filter <filter name-1> term 1 then policer policer-32k
set firewall family inet6 filter <filter name-1> term 1 then syslog
set firewall family inet6 filter <filter name-1> term 1 then accept
set firewall family inet6 filter <filter name-1> term 2 from destination-address <device OOBM or loopback address>
set firewall family inet6 filter <filter name-1> term 2 from source-prefix-list <management address list name-1>
set firewall family inet6 filter <filter name-1> term 2 from next-header tcp
set firewall family inet6 filter <filter name-1> term 2 from destination-port 22
set firewall family inet6 filter <filter name-1> term 2 then syslog
set firewall family inet6 filter <filter name-1> term 2 then accept
set firewall family inet6 filter <filter name-1> term default then syslog
set firewall family inet6 filter <filter name-1> term default then discard

Example interface configuration:
set interfaces <OOBM interface> unit 0 family inet filter input <filter name>
set interfaces <OOBM interface> unit 0 family inet address <IPv4 address>/<mask>
set interfaces <OOBM interface> unit 0 family inet6 filter input <filter name-1>
set interfaces <OOBM interface> unit 0 family inet6 address <IPv6 address>/<prefix>

Item Details

Audit Name: DISA Juniper EX Series Network Device Management v1r5

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Plugin: Juniper

Control ID: 85f3e6895f467ff63387d14db8f8db77a4a6ff07fe8c9b3b9635d6271afe7774

Detections

Analytics

JUEX-NM-000530 - The Juniper EX switch must be configured to protect against known types of denial-of-service (DoS) attacks by employing organization-defined security safeguards.

Information

Solution

See Also

Item Details