JUEX-RT-000180 - The Juniper perimeter router must not be configured to be a Border Gateway Protocol (BGP) peer to an alternate gateway service provider.

Information

ISPs use BGP to share route information with other autonomous systems (i.e., other ISPs and corporate networks). If the perimeter router was configured to BGP peer with an ISP, NIPRNet routes could be advertised to the ISP; thereby creating a backdoor connection from the internet to the NIPRNet.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

This requirement is not applicable for the DODIN Backbone.

Remove BGP neighbors belonging to the alternate gateway service provider.

delete protocols bgp group <name> neighbor <peer AS belonging to alternate gateway service provider>

Configure a static route on the perimeter router to reach the AS of a router connecting to an alternate gateway.

set routing-options rib inet6.0 static route <IPv6 subnet>/<prefix> next-hop <peer AS router>
set routing-options static route <IPv4 subnet>/<mask> next-hop <peer AS router>

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_EX_Switches_Y24M07_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-4, CAT|I, CCI|CCI-001414, Rule-ID|SV-253990r844003_rule, STIG-ID|JUEX-RT-000180, Vuln-ID|V-253990

Plugin: Juniper

Control ID: 66d028470cb9eebea0f9515afd4fd4ac9559be3d67663f32da55f1676306b440