JUEX-RT-000440 - The Juniper PE router must be configured to block any traffic that is destined to IP core infrastructure.

Information

IP/MPLS networks providing VPN and transit services must provide, at the least, the same level of protection against denial-of-service (DoS) attacks and intrusions as layer 2 networks. Although the IP core network elements are hidden, security should never rely entirely on obscurity.

IP addresses can be guessed. Core network elements must not be accessible from any external host. Protecting the core from any attack is vital for the integrity and privacy of customer traffic as well as the availability of transit services. A compromise of the IP core can result in an outage or, at a minimum, nonoptimized forwarding of customer traffic. Protecting the core from an outside attack also prevents attackers from using the core to attack any customer. Hence, it is imperative that all routers at the edge deny traffic destined to any address belonging to the IP core infrastructure.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Configure protection for the IP core to be implemented at the edges by blocking any traffic with a destination address assigned to the IP core infrastructure.

Configure appropriate prefix lists and firewall filters. For example:
set policy-options prefix-list ipv4-core 192.0.2.0/24
set policy-options prefix-list ipv6-core 2001:db8:2::/64

set firewall family inet filter deny-core-ipv4 term 1 from destination-prefix-list ipv4-core
set firewall family inet filter deny-core-ipv4 term 1 then log
set firewall family inet filter deny-core-ipv4 term 1 then syslog
set firewall family inet filter deny-core-ipv4 term 1 then discard
set firewall family inet filter deny-core-ipv4 term default then accept
set firewall family inet6 filter deny-core-ipv6 term 1 from destination-prefix-list ipv6-core
set firewall family inet6 filter deny-core-ipv6 term 1 then log
set firewall family inet6 filter deny-core-ipv6 term 1 then syslog
set firewall family inet6 filter deny-core-ipv6 term 1 then discard
set firewall family inet6 filter deny-core-ipv6 term default then accept

Configure the appropriate interfaces with the firewall filter. For example:
[edit interfaces]
set interfaces ge-0/0/0 unit 0 family inet filter input deny-core-ipv4
set interfaces ge-0/0/0 unit 0 family inet address <IPv4 address/mask>
set interfaces ge-0/0/0 unit 0 family inet6 filter input deny-core-ipv6
set interfaces ge-0/0/0 unit 0 family inet6 address <IPv6 address/prefix>

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_EX_Switches_Y24M07_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7a., CAT|I, CCI|CCI-001097, CCI|CCI-004866, Rule-ID|SV-254016r997526_rule, STIG-ID|JUEX-RT-000440, Vuln-ID|V-254016

Plugin: Juniper

Control ID: 10cb143db796e1d6080c3992b8bcbdec5be3f54bc01d3c89fef5896b201c0c2b