JUNI-RT-000130 - The Juniper router must be configured to restrict traffic destined to itself.

Information

The Routing Engine handles traffic destined to the router itself; it is the key component used to build forwarding paths and is instrumental in all network management functions. Hence, any disruption or DoS attack against the Routing Engine can result in mission-critical network outages.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Configure the router's receive path filters to restrict traffic destined to the router.

Configure a filter to define what traffic should be received by the Routing Engine.

[edit firewall family inet]
set filter DESTINED_TO_RP term FILTER_TCP from destination-address 11.1.12.0/24
set filter DESTINED_TO_RP term FILTER_TCP from protocol tcp destination-port ssh
set filter DESTINED_TO_RP term FILTER_TCP from protocol tcp destination-port tacacs
set filter DESTINED_TO_RP term FILTER_TCP then accept
set filter DESTINED_TO_RP term FILTER_UDP from destination-address 11.1.12.0/24
set filter DESTINED_TO_RP term FILTER_UDP from protocol udp destination-port ntp
set filter DESTINED_TO_RP term FILTER_UDP from protocol udp destination-port snmp
set filter DESTINED_TO_RP term FILTER_UDP then accept
set filter DESTINED_TO_RP term ICMP_ANY from protocol icmp
set filter DESTINED_TO_RP term ICMP_ANY then accept
set filter DESTINED_TO_RP term DENY_BY_DEFAULT then log discard

Apply the filter to the loopback interface.

[edit interfaces lo0 unit 0 family inet]
set filter input-list DESTINED_TO_RP
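As an added compliance check (not part of the STIG or of Nessus), the script below audits a saved "show configuration | display set" capture for the intent of this control: lo0.0 carries an input filter, every accept term has a match condition, and the filter chain ends in an explicit, unconditional discard. The sample configuration is constructed for the example; the function and variable names are the script's own.

```python
import re
from collections import OrderedDict

# Constructed sample of "show configuration | display set" output (not from a real router).
SAMPLE_CONFIG = """\
set firewall family inet filter DESTINED_TO_RP term FILTER_TCP from destination-address 11.1.12.0/24
set firewall family inet filter DESTINED_TO_RP term FILTER_TCP from protocol tcp
set firewall family inet filter DESTINED_TO_RP term FILTER_TCP from destination-port ssh
set firewall family inet filter DESTINED_TO_RP term FILTER_TCP then accept
set firewall family inet filter DESTINED_TO_RP term ICMP_ANY from protocol icmp
set firewall family inet filter DESTINED_TO_RP term ICMP_ANY then accept
set firewall family inet filter DESTINED_TO_RP term DENY_BY_DEFAULT then log
set firewall family inet filter DESTINED_TO_RP term DENY_BY_DEFAULT then discard
set interfaces lo0 unit 0 family inet filter input-list DESTINED_TO_RP
"""

TERM_RE = re.compile(r"^set firewall family inet filter (\S+) term (\S+) (from|then) (.+)$")
LO0_RE = re.compile(r"^set interfaces lo0 unit 0 family inet filter (?:input|input-list) (\S+)$")


def lo0_input_filters(config):
    """Names of the inet filters applied inbound on lo0.0, in the order they are chained."""
    return [m.group(1) for m in map(LO0_RE.match, config.splitlines()) if m]


def filter_terms(config, name):
    """term -> {'from': [match tokens], 'then': [action tokens]}, in configured order."""
    terms = OrderedDict()
    for m in map(TERM_RE.match, config.splitlines()):
        if m and m.group(1) == name:
            terms.setdefault(m.group(2), {"from": [], "then": []})[m.group(3)].extend(m.group(4).split())
    return terms


def check_rp_filter(config):
    """(compliant, findings): lo0.0 has an input filter, no accept term is unconditional, and the
    chain ends in an explicit discard (Junos discards implicitly, but the fix text logs the deny)."""
    findings, chain, last = [], lo0_input_filters(config), None
    if not chain:
        return False, ["lo0.0 family inet has no input filter; everything reaches the Routing Engine"]
    for name in chain:
        terms = filter_terms(config, name)
        if not terms:
            findings.append(f"filter {name} is applied to lo0 but never defined")
            continue
        for term, body in terms.items():
            if "accept" in body["then"] and not body["from"]:
                findings.append(f"{name}/{term} accepts with no match condition")
        last = (name,) + list(terms.items())[-1]  # final term of the last filter in the chain
    if last and (last[2]["from"] or "discard" not in last[2]["then"]):
        findings.append(f"{last[0]}/{last[1]} is the final term but is not an unconditional discard")
    return not findings, findings
```

Feed it the output of "show configuration | display set" saved from the router; an empty findings list means the receive-path filter matches the control's intent.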

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_Router_Y24M07_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7a., CAT|I, CCI|CCI-001097, Rule-ID|SV-217019r604135_rule, STIG-ID|JUNI-RT-000130, STIG-Legacy|SV-101033, STIG-Legacy|V-90823, Vuln-ID|V-217019

Plugin: Juniper

Control ID: 7b1415c5e52bb2814792b8b705897e84f5b878d988345e260ae0e9a963298e1f