STIGQter: STIG Summary: Juniper Router RTR Security Technical Implementation Guide Version: 1 Release: 3 Benchmark Date: 25 Oct 2019

The Juniper router must be configured to implement message authentication for all control plane protocols.

DISA Rule

SV-101019r1_rule

Vulnerability Number

V-90809

Group Title

SRG-NET-000025-RTR-000020

Rule Version

JUNI-RT-000020

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure authentication to be enabled for all control plane protocols as shown in the example below.

[edit protocols ospf area 0.0.0.0]
set interface ge-0/0/0 authentication simple-password xxxxxxxxxxxx
set interface ge-0/1/0 authentication simple-password xxxxxxxxxxxx
set interface ge-0/2/0 authentication simple-password xxxxxxxxxxxx

[edit protocols isis]
set level 1 authentication-type md5
set level 1 authentication-key xxxxxxxx
set level 2 authentication-type md5
set level 2 authentication-key xxxxxxxx

[edit protocols rip]
set authentication-type md5
set authentication-key xxxxxxxx

[edit protocols bgp group AS_2 neighbor x.x.x.x]
set authentication-key xxxxxxxxxxxxxxx

[edit protocols ldp]
set session 10.1.2.2 authentication-key xxxxxxxxxx

Check Contents

Review the router configuration. Verify that neighbor router authentication is enabled for all routing protocols as shown in the example configuration below.

protocols {
    bgp {
        group AS_5 {
            type external;
            peer-as 5;
            neighbor x.x.x.x {
                authentication-key "$8$tBga0ORx7VsYoIEgJ"; ## SECRET-DATA
            }
        }
    }
    ospf {
        area 0.0.0.0 {
            interface ge-0/0/0.0 {
                authentication {
                    simple-password "$8$NHVb2mPQ3nCYg/t"; ## SECRET-DATA
                }
            }
            interface ge-0/1/0.0 {
                authentication {
                    simple-password "$8$Lgb7NbHkPTQnVwF/"; ## SECRET-DATA
                }
            }
            interface lo0.0;
            interface ge-0/2/0.0 {
                authentication {
                    simple-password "$8$7DdVY.mTF39s26A"; ## SECRET-DATA
                }
            }
        }
    }
    isis {
        level 1 {
            authentication-key "$8$n2OT9CuvMXN-wp0VY"; ## SECRET-DATA
            authentication-type md5;
        }
        level 2 {
            authentication-key "$8$8G9x7ViHm5T3dbz6"; ## SECRET-DATA
            authentication-type md5;
        }
        interface ge-0/0/0.0;
        interface ge-0/0/1.0;
    }
    ldp {
        interface ge-0/0/0.0;
        interface ge-0/0/1.0;
        session 10.3.3.3 {
            authentication-key "$8$3hus/u1ylMNVYX7qf"; ## SECRET-DATA
        }
        session 10.1.2.2 {
            authentication-key "$8$Qq0I3nCrlMLX-9A7V"; ## SECRET-DATA
        }
    }
    rip {
        authentication-type md5;
        authentication-key "$8$34fM/u1ylMNVYX7qf"; ## SECRET-DATA
        group RIP_GROUP {
            neighbor ge-1/0/1.0;
        }
    }
}

If authentication is not enabled for all control plane protocols, this is a finding.
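
The check above can be scripted against a saved copy of the configuration. The following Python is an added example, not part of the STIG or of STIGQter: it parses the brace-style configuration and lists the adjacencies that carry no authentication statement. Assumptions: a BGP key at the bgp or group level covers the neighbors beneath it, lo0 is exempt under OSPF as in the sample configuration above, both IS-IS levels are expected to carry a key and a type, and SAMPLE with its placeholder keys is constructed.

```python
import re
KEY, TYPE = "authentication-key", "authentication-type"

def parse(text):
    """Parse brace-style Junos config into nested dicts; leaf statements map to None."""
    text = re.sub(r"##.*", "", text)  # drop annotations such as "## SECRET-DATA"
    stack, words = [{}], []
    for tok in re.findall(r'"[^"]*"|[{};]|[^\s{};]+', text):
        if tok in ("{", ";"):
            node = stack[-1][" ".join(words)] = {} if tok == "{" else None
            words = []
            if tok == "{":
                stack.append(node)
        elif tok == "}":
            stack.pop()
        else:
            words.append(tok)
    return stack[0]

def has(node, *stmts):
    return set(stmts) <= {k.split()[0] for k in (node or {}) if k.strip()}

def kids(node, kind):
    return [(k.split()[1], v) for k, v in (node or {}).items()
            if len(k.split()) > 1 and k.split()[0] == kind]

def audit(text):
    """Return the protocol adjacencies that lack authentication statements."""
    p, out = parse(text).get("protocols") or {}, []
    bgp = p.get("bgp")
    for g, gn in kids(bgp, "group"):  # assumption: a bgp- or group-level key covers its neighbors
        out += [f"bgp group {g} neighbor {n}" for n, nn in kids(gn, "neighbor")
                if not any(has(x, KEY) for x in (bgp, gn, nn))]
    for a, an in kids(p.get("ospf"), "area"):  # assumption: lo0 forms no adjacency, so it is exempt
        out += [f"ospf area {a} interface {i}" for i, n in kids(an, "interface")
                if not i.startswith("lo0") and not has(n, "authentication")]
    if "isis" in p:
        lv = dict(kids(p["isis"], "level"))
        out += [f"isis level {v}" for v in "12" if not has(lv.get(v), KEY, TYPE)]
    if "ldp" in p:
        out += [f"ldp session {s}" for s, n in kids(p["ldp"], "session") if not has(n, KEY)]
    if "rip" in p and not has(p["rip"], KEY, TYPE):
        out.append("rip")
    return out

# Constructed sample: placeholder keys; one OSPF interface and one LDP session left bare.
SAMPLE = ('protocols { ospf { area 0.0.0.0 { interface lo0.0; interface ge-0/1/0.0; '
          'interface ge-0/0/0.0 { authentication { simple-password "$8$PLACEHOLDER"; } } } } '
          'ldp { session 10.1.2.2 { authentication-key "$8$PLACEHOLDER"; } session 10.3.3.3; } }')
print("\n".join(audit(SAMPLE)))
```

Each line printed is a candidate finding to confirm by hand; an empty result means every protocol stanza present in the input carries the statements the check looks for.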

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

3387

Comments