JUEX-L2-000230 - The Juniper EX switch must be configured to set all user-facing or untrusted ports as access interfaces.

Information

Configuring user-facing or untrusted interfaces as trunked may expose network traffic to an unauthorized, or unintended, connected endpoint. Access interfaces can belong to a single VLAN rather than the multiple VLANs supported by trunks, which limits potential exposure to a smaller subset of the total network traffic.

Access interfaces also behave differently than trunked interfaces, especially with respect to control plane traffic. For example, access interfaces can be marked as 'edge' for protocols like Rapid Spanning Tree (RSTP) or Multiple Spanning Tree (MSTP) where specific protections can be applied to prevent the switch from accepting Bridge Protocol Data Units (BPDU) from unauthorized sources and causing a network topology change or disruption. Additionally, network level protection mechanisms, like 802.1x or sticky-mac, are applied to access interfaces and these protection mechanisms help prevent unauthorized network access.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Disable trunking on all user-facing or untrusted access interfaces.

Deleting interface-mode from the configuration automatically assigns mode access:
delete interfaces <interface name> unit 0 family ethernet-switching interface-mode

Explicitly configure mode access for a user-facing or untrusted interface:
set interfaces <interface name> unit 0 family ethernet-switching interface-mode access

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_EX_Switches_Y24M07_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Rule-ID|SV-253970r843943_rule, STIG-ID|JUEX-L2-000230, Vuln-ID|V-253970

Plugin: Juniper

Control ID: 6aad287ff2430704381c4c0a53229543b75987065868457bfa9054347d277797