JUEX-L2-000040 - The Juniper EX switch must be configured to manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks.

Information

DoS attacks can be mitigated by ensuring sufficient capacity is available for mission-critical traffic. Managing capacity may include, for example, establishing selected network usage priorities or quotas and enforcing them using rate limiting, quality of service (QoS), or other resource reservation control methods. These measures may also mitigate the effects of sudden decreases in network capacity that are the result of accidental or intentional physical damage to telecommunications facilities (such as cable cuts or weather-related outages).

A Junos OS classifier identifies and separates traffic flows and provides the means to prioritize traffic later in the class-of-service (CoS) process. By default, Junos implements a standard CoS (QoS) strategy. Although some devices implement different queues or queue numbers, generally there is at least a four-queue model with two active queues: 95 percent Best Effort (BE) and 5 percent Network Control (NC).

A behavior aggregate (BA) classifier performs this function by associating discriminating values with forwarding classes and loss priorities. Unless overridden, Junos OS applies the default CoS to all interfaces. Junos OS provides multiple predefined BA classifier types, which the site can combine and supplement with custom CoS configuration as needed to achieve overall traffic classification goals.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

1. Configure and enable a CoS policy using the commands in the example stanza below.
2. Replace the variables in the example commands with meaningful, site-specific names, rates, and values that are appropriate for the target environment. Operationally test the settings.
3. Configure queues for each type of traffic based on the priorities established in the site's SSP.

Note: The following example configures DSCP. However, other BA classifier types may also be configured to implement the site's QoS requirements. Refer to the vendor documentation.

user@host# set class-of-service classifiers dscp <classifier name> import default
user@host# set class-of-service classifiers dscp <classifier name> forwarding-class <req'd forwarding class name> loss-priority <low|high> code-points <DSCP code point>
user@host# set class-of-service classifiers dscp <classifier name> forwarding-class <req'd forwarding class name> loss-priority <low|high> code-points <DSCP code point> (optional - only if multiple DSCP values are used)
user@host# set class-of-service interfaces <interface name> scheduler-map <scheduler map name>
user@host# set class-of-service interfaces <interface name> unit <unit number> classifiers dscp <classifier name>
user@host# set class-of-service interfaces <uplink interface> scheduler-map <scheduler map name>
user@host# set class-of-service interfaces <uplink interface> unit <unit number> classifiers dscp <classifier name>
user@host# set class-of-service scheduler-maps <scheduler map name> forwarding-class besteffort scheduler <scheduler name> (e.g., be-scheduler)
user@host# set class-of-service scheduler-maps <scheduler map name> forwarding-class <req'd forwarding class> scheduler <scheduler name> (e.g., ef-scheduler)
user@host# set class-of-service scheduler-maps <scheduler map name> forwarding-class networkcontrol scheduler <scheduler name> (e.g., nc-scheduler)
user@host# set class-of-service schedulers <be-scheduler name> transmit-rate (exact <value> | percent (0..100) | remainder)
user@host# set class-of-service schedulers <be-scheduler name> priority (high | low | medium-high | medium-low | strict-high)
user@host# set class-of-service schedulers <ef-scheduler name> shaping-rate percent (0..100)
user@host# set class-of-service schedulers <ef-scheduler name> priority (high | low | medium-high | medium-low | strict-high)
user@host# set class-of-service schedulers <nc-scheduler name> shaping-rate percent (0..100)
user@host# set class-of-service schedulers <nc-scheduler name> priority (high | low | medium-high | medium-low | strict-high)
user@host# commit
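
The check below is an added example (not Tenable's audit logic or Juniper's code) of how the stanza above can be verified from "show configuration class-of-service | display set" output: it confirms each DSCP classifier imports the defaults and maps code points, that every CoS-enabled interface has both a scheduler map and a classifier bound, that the scheduler map covers the required forwarding classes, and that each scheduler has a rate and a priority. The sample configuration, the names site-dscp, site-map, be-/ef-/nc-scheduler, and the assumption that the site's SSP uses the default Junos forwarding-class names (best-effort, expedited-forwarding, network-control) are constructed for the example.

```python
# Compliance check for the CoS stanza of JUEX-L2-000040 (added example, not Tenable's or Juniper's code).
from collections import defaultdict

# Assumption: the site's SSP schedules these three default Junos forwarding classes.
REQUIRED_CLASSES = {"best-effort", "expedited-forwarding", "network-control"}
# Constructed 'show configuration class-of-service | display set' output: one port, three queues.
SAMPLE_CONFIG = """\
set class-of-service classifiers dscp site-dscp import default
set class-of-service classifiers dscp site-dscp forwarding-class expedited-forwarding loss-priority low code-points ef
set class-of-service interfaces ge-0/0/0 scheduler-map site-map
set class-of-service interfaces ge-0/0/0 unit 0 classifiers dscp site-dscp
set class-of-service scheduler-maps site-map forwarding-class best-effort scheduler be-scheduler
set class-of-service scheduler-maps site-map forwarding-class expedited-forwarding scheduler ef-scheduler
set class-of-service scheduler-maps site-map forwarding-class network-control scheduler nc-scheduler
set class-of-service schedulers be-scheduler transmit-rate remainder
set class-of-service schedulers be-scheduler priority low
set class-of-service schedulers ef-scheduler shaping-rate percent 30
set class-of-service schedulers ef-scheduler priority strict-high
set class-of-service schedulers nc-scheduler shaping-rate percent 5
set class-of-service schedulers nc-scheduler priority high
"""

def audit_cos(config_text, required_classes=REQUIRED_CLASSES):
    """Return a list of findings; an empty list means the stanza satisfies the check."""
    classifiers, ifaces, smaps, scheds = (defaultdict(dict) for _ in range(4))
    for t in (ln.split() for ln in config_text.splitlines() if ln.startswith("set class-of-service ")):
        if t[2:4] == ["classifiers", "dscp"] and len(t) > 6:
            classifiers[t[4]][t[5]] = " ".join(t[6:])   # 'import default' / 'forwarding-class ...'
        elif t[2:3] == ["interfaces"] and t[4:5] == ["scheduler-map"] and len(t) > 5:
            ifaces[t[3]]["smap"] = t[5]                 # scheduler map bound to the port
        elif t[2:3] == ["interfaces"] and t[6:8] == ["classifiers", "dscp"] and len(t) > 8:
            ifaces[t[3]].setdefault("classifiers", set()).add(t[8])
        elif t[2:3] == ["scheduler-maps"] and t[4:5] == ["forwarding-class"] and len(t) > 7:
            smaps[t[3]][t[5]] = t[7]                    # forwarding-class -> scheduler
        elif t[2:3] == ["schedulers"] and len(t) > 5:
            scheds[t[3]][t[4]] = " ".join(t[5:])        # transmit-rate / shaping-rate / priority
    findings = []
    for name, c in classifiers.items():
        if "import" not in c or "forwarding-class" not in c:
            findings.append(f"classifier {name}: needs 'import default' and code-point mappings")
    for name, i in ifaces.items():
        if i.get("smap") not in smaps or not i.get("classifiers", set()) & set(classifiers):
            findings.append(f"interface {name}: scheduler-map or DSCP classifier not bound")
    for name, m in smaps.items():
        for fc in sorted(required_classes - set(m)):
            findings.append(f"scheduler-map {name}: forwarding-class {fc} has no scheduler")
        for fc, s in m.items():
            if not {"transmit-rate", "shaping-rate"} & set(scheds[s]) or "priority" not in scheds[s]:
                findings.append(f"scheduler {s} ({fc}): needs a rate and a priority")
    return findings + ([] if ifaces else ["no interface has CoS applied"])
```

Feed it the saved output of the show command for each switch; any non-empty result is the list of gaps to close before the control can be marked compliant.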

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_EX_Switches_Y24M10_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-5(2), CAT|II, CCI|CCI-001095, CCI|CCI-004866, Rule-ID|SV-253951r1028750_rule, STIG-ID|JUEX-L2-000040, Vuln-ID|V-253951

Plugin: Juniper

Control ID: 43e7d5cb74c3f1e0aeedcf9bd330e4800f1c17628080d2f6ddfd1b2f99f32e04