JUEX-RT-000380 - The Juniper router must be configured to restrict traffic destined to itself.

Information

The routing engine (RE) handles traffic destined to the router-the key component used to build forwarding paths and is also instrumental with all network management functions. Hence, any disruption or DoS attack to the RE can result in mission critical network outages.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Configure all routers with receive path filters to restrict traffic destined to the router.

Example prefix lists for management networks and the device management address(es):
set prefix-list auth_mgt_networks-ipv4 <IPv4 subnet / mask>
set prefix-list auth_mgt_networks-ipv6 <IPv6 subnet / mask>
set prefix-list device_mgt_address-ipv4 <IPv4 address>/32
set prefix-list device_mgt_address-ipv6 <IPv6 address>/128

Example firewall filters:
set firewall family inet filter protect_re-ipv4 term 1 from source-prefix-list auth_mgt_networks-ipv4
set firewall family inet filter protect_re-ipv4 term 1 from destination-prefix-list device_mgt_address-ipv4
set firewall family inet filter protect_re-ipv4 term 1 from <additional match criteria>
set firewall family inet filter protect_re-ipv4 term 1 then accept
set firewall family inet filter protect_re-ipv4 term <additional permit terms>
set firewall family inet filter protect_re-ipv4 term default then log
set firewall family inet filter protect_re-ipv4 term default then syslog
set firewall family inet filter protect_re-ipv4 term default then discard

set firewall family inet6 filter protect_re-ipv6 term 1 from source-prefix-list auth_mgt_networks-ipv6
set firewall family inet6 filter protect_re-ipv6 term 1 from destination-prefix-list device_mgt_address-ipv6
set firewall family inet6 filter protect_re-ipv6 term 1 from <additional match criteria>
set firewall family inet6 filter protect_re-ipv6 term 1 then accept
set firewall family inet6 filter protect_re-ipv6 term <additional permit terms>
set firewall family inet6 filter protect_re-ipv6 term default then log
set firewall family inet filter protect_re-ipv6 term default then syslog
set firewall family inet filter protect_re-ipv6 term default then discard

Example application on loopback:
set interfaces lo0 unit 0 family inet filter input protect_re-ipv4
set interfaces lo0 unit 0 family inet address <IPv4 address>/32
set interfaces lo0 unit 0 family inet6 filter input protect_re-ipv6
set interfaces lo0 unit 0 family inet6 address <IPv6 address>/128

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_EX_Switches_Y24M10_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7a., CAT|I, CCI|CCI-001097, CCI|CCI-004866, Rule-ID|SV-254010r997524_rule, STIG-ID|JUEX-RT-000380, Vuln-ID|V-254010

Plugin: Juniper

Control ID: 3c21988f4d667ce0f5c45e29d02f5c44e3ad5034c9133350fe9c25acf9d14294