JUEX-NM-000530 - The Juniper EX switch must be configured to protect against known types of denial-of-service (DoS) attacks by employing organization-defined security safeguards.

Information

DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity.

This requirement addresses the configuration of network devices to mitigate the impact of DoS attacks that have occurred or are ongoing on device availability. For each network device, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exist to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or restricting the number of sessions the device opens at one time). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks.

The security safeguards cannot be defined at the DoD-level because they vary according to the capabilities of the individual network devices and the security controls applied on the adjacent networks (for example, firewalls performing packet filtering to block DoS attacks).

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Configure the network device to protect against or limit the effects of all known types of DoS attacks by employing organization-defined security safeguards.

SSH example:
set system services ssh connection-limit <1..250>
set system services ssh rate-limit <1..250>

NETCONF over SSH example:
set system services netconf ssh connection-limit <1..250>
set system services netconf ssh rate-limit <1..250>

Example firewall filters:
set firewall family inet filter <filter name> term 1 from destination-address <device OOBM or loopback address>
set firewall family inet filter <filter name> term 1 from source-prefix-list <management address list name>
set firewall family inet filter <filter name> term 1 from protocol tcp
set firewall family inet filter <filter name> term 1 from destination-port 22
set firewall family inet filter <filter name> term 1 from tcp-initial
set firewall family inet filter <filter name> term 1 then policer policer-32k
set firewall family inet filter <filter name> term 1 then syslog
set firewall family inet filter <filter name> term 1 then accept
set firewall family inet filter <filter name> term 2 from destination-address <device OOBM or loopback address>
set firewall family inet filter <filter name> term 2 from source-prefix-list <management address list name>
set firewall family inet filter <filter name> term 2 from protocol tcp
set firewall family inet filter <filter name> term 2 from destination-port 22
set firewall family inet filter <filter name> term 2 then syslog
set firewall family inet filter <filter name> term 2 then accept
set firewall family inet filter <filter name> term default then syslog
set firewall family inet filter <filter name> term default then discard
set firewall family inet6 filter <filter name-1> term 1 from destination-address <device OOBM or loopback address>
set firewall family inet6 filter <filter name-1> term 1 from source-prefix-list <management address list name-1>
set firewall family inet6 filter <filter name-1> term 1 from next-header tcp
set firewall family inet6 filter <filter name-1> term 1 from destination-port 22
set firewall family inet6 filter <filter name-1> term 1 from tcp-initial
set firewall family inet6 filter <filter name-1> term 1 then policer policer-32k
set firewall family inet6 filter <filter name-1> term 1 then syslog
set firewall family inet6 filter <filter name-1> term 1 then accept
set firewall family inet6 filter <filter name-1> term 2 from destination-address <device OOBM or loopback address>
set firewall family inet6 filter <filter name-1> term 2 from source-prefix-list <management address list name-1>
set firewall family inet6 filter <filter name-1> term 2 from next-header tcp
set firewall family inet6 filter <filter name-1> term 2 from destination-port 22
set firewall family inet6 filter <filter name-1> term 2 then syslog
set firewall family inet6 filter <filter name-1> term 2 then accept
set firewall family inet6 filter <filter name-1> term default then syslog
set firewall family inet6 filter <filter name-1> term default then discard

Example interface configuration:
set interfaces <OOBM interface> unit 0 family inet filter input <filter name>
set interfaces <OOBM interface> unit 0 family inet address <IPv4 address>/<mask>
set interfaces <OOBM interface> unit 0 family inet6 filter input <filter name-1>
set interfaces <OOBM interface> unit 0 family inet6 address <IPv6 address>/<prefix>

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_EX_Switches_Y24M10_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-5, CAT|II, CCI|CCI-002385, Rule-ID|SV-253930r961620_rule, STIG-ID|JUEX-NM-000530, Vuln-ID|V-253930

Plugin: Juniper

Control ID: ec27c204bcb83f0fb78efce06d8a64e2b8be0ad11ea5329cfdd463629d99a591