JUEX-RT-000590 - The Juniper router must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection.

Information

The Routing Engine (RE) is critical to all network operations because it is the component used to build all forwarding paths for the data plane via control plane processes. It is also instrumental with ongoing network management functions that keep the routers and links available for providing network services. Any disruption to the RE or the control and management planes can result in mission-critical network outages.

A DoS attack targeting the RE can result in excessive CPU and memory utilization. To maintain network stability and RE security, the router must be able to handle specific control plane and management plane traffic that is destined to the RE. In the past, one method of filtering was to use ingress filters on forwarding interfaces to filter both forwarding path and receiving path traffic. However, this method does not scale well as the number of interfaces grows and the size of the ingress filters grows. Control plane policing increases the security of routers and multilayer switches by protecting the RE from unnecessary or malicious traffic. Filtering and rate limiting the traffic flow of control plane packets can be implemented to protect routers against reconnaissance and DoS attacks, allowing the control plane to maintain packet forwarding and protocol states despite an attack or heavy load on the router or multilayer switch.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Implement control plane protection by classifying traffic types based on importance and configure filters to restrict and rate limit the traffic directed to and processed by the RE according to each class.

set firewall family inet filter <name> term accept-tcp-initial from source-prefix-list management-networks-ipv4
set firewall family inet filter <name> term accept-tcp-initial from destination-prefix-list router-addresses-ipv4
set firewall family inet filter <name> term accept-tcp-initial from protocol tcp
set firewall family inet filter <name> term accept-tcp-initial from destination-port ssh
set firewall family inet filter <name> term accept-tcp-initial from tcp-initial
set firewall family inet filter <name> term accept-tcp-initial then policer policer-32k
set firewall family inet filter <name> term accept-tcp-initial then accept
set firewall family inet filter <name> term accept-ssh from source-prefix-list management-networks-ipv4
set firewall family inet filter <name> term accept-ssh from destination-prefix-list router-addresses-ipv4
set firewall family inet filter <name> term accept-ssh from protocol tcp
set firewall family inet filter <name> term accept-ssh from destination-port ssh
set firewall family inet filter <name> term accept-ssh then policer policer-1g
set firewall family inet filter <name> term accept-ssh then count accept-ssh
set firewall family inet filter <name> term accept-ssh then accept
set firewall family inet filter <name> term accept-snmp from source-prefix-list snmp-servers-ipv4
set firewall family inet filter <name> term accept-snmp from destination-prefix-list router-addresses-ipv4
set firewall family inet filter <name> term accept-snmp from protocol udp
set firewall family inet filter <name> term accept-snmp from destination-port snmp
set firewall family inet filter <name> term accept-snmp then policer policer-1m
set firewall family inet filter <name> term accept-snmp then count accept-snmp
set firewall family inet filter <name> term accept-snmp then accept
<additional terms>
set firewall family inet filter <name> term default-deny then log
set firewall family inet filter <name> term default-deny then syslog
set firewall family inet filter <name> term default-deny then discard

set firewall policer policer-1g if-exceeding bandwidth-limit 1g
set firewall policer policer-1g burst-size-limit 100k
set firewall policer policer-1g then discard
set firewall policer policer-1m if-exceeding bandwidth-limit 1m
set firewall policer policer-1m burst-size-limit 15k
set firewall policer policer-1m then discard
set firewall policer policer-32k if-exceeding bandwidth-limit 132k
set firewall policer policer-32k burst-size-limit 1500
set firewall policer policer-32k then discard

set interfaces lo0 unit <number> family inet filter <name>
set interfaces lo0 unit <number> family inet address <IPv4 address>/32
set interfaces lo0 unit <number> family inet6 filter <name>
set interfaces lo0 unit <number> family inet6 address <IPv6 address>/128

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_EX_Switches_Y24M07_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-5, CAT|II, CCI|CCI-002385, CCI|CCI-004866, Rule-ID|SV-254031r997533_rule, STIG-ID|JUEX-RT-000590, Vuln-ID|V-254031

Plugin: Juniper

Control ID: 31d2ed5a53106ca85f6725bd6644f41b709bfde25abf17571a68d0a4d959f2e9