STIGQter: STIG Summary: Juniper Router RTR Security Technical Implementation Guide Version: 1 Release: 3 Benchmark Date: 25 Oct 2019: The Juniper router must be configured to restrict traffic destined to itself.

DISA Rule

SV-101033r2_rule

Vulnerability Number

V-90823

Group Title

SRG-NET-000205-RTR-000001

Rule Version

JUNI-RT-000130

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Configure the router's receive-path filter to restrict traffic destined to the router.

Configure a filter that defines what traffic may be received by the Routing Engine. The example accepts SSH and TACACS+ (TCP) and NTP and SNMP (UDP) only when addressed to the 11.1.12.0/24 management range, accepts ICMP, and logs and discards everything else. Any other traffic the Routing Engine must receive (routing protocols such as OSPF and BGP, for example) needs its own accept term ahead of the final discard term.

[edit firewall family inet]
set filter DESTINED_TO_RP term FILTER_TCP from destination-address 11.1.12.0/24
set filter DESTINED_TO_RP term FILTER_TCP from protocol tcp destination-port ssh
set filter DESTINED_TO_RP term FILTER_TCP from protocol tcp destination-port tacacs
set filter DESTINED_TO_RP term FILTER_TCP then accept
set filter DESTINED_TO_RP term FILTER_UDP from destination-address 11.1.12.0/24
set filter DESTINED_TO_RP term FILTER_UDP from protocol udp destination-port ntp
set filter DESTINED_TO_RP term FILTER_UDP from protocol udp destination-port snmp
set filter DESTINED_TO_RP term FILTER_UDP then accept
set filter DESTINED_TO_RP term ICMP_ANY from protocol icmp
set filter DESTINED_TO_RP term ICMP_ANY then accept
set filter DESTINED_TO_RP term DENY_BY_DEFAULT then log discard

Apply the filter to the loopback interface.

[edit interfaces lo0 unit 0 family inet]
set filter input-list DESTINED_TO_RP

Because the final term discards everything not explicitly accepted, omitting a protocol the router depends on (a routing protocol, or the management protocol of the very session used to make the change) breaks it the moment the change is committed. Use commit confirmed so the change rolls back automatically unless it is confirmed from a session that still works.

Check Contents

Review the filter on the router's receive path and verify that it allows only specific management-plane traffic from specific sources.

Verify that the filter has been configured as shown in the example below. The filter is named DESTINED_TO_RE here and DESTINED_TO_RP in the fix text; the name is arbitrary. The check example also carries accept terms for the OSPF and BGP sessions the router participates in, placed ahead of the final discard term.

firewall {
    family inet {
        ...
    }
    filter DESTINED_TO_RE {
        term ALLOW_OSPF {
            from {
                protocol ospf;
            }
            then accept;
        }
        term ALLOW_BGP {
            from {
                source-address {
                    11.1.12.1/32;
                    11.1.23.3/32;
                    11.1.25.5/32;
                }
                protocol tcp;
                port bgp;
            }
            then accept;
        }
        term FILTER_TCP {
            from {
                destination-address {
                    11.1.12.0/24;
                }
                protocol tcp;
                destination-port [ ssh tacacs telnet ];
            }
            then accept;
        }
        term FILTER_UDP {
            from {
                destination-address {
                    11.1.12.0/24;
                }
                protocol udp;
                destination-port [ ntp snmp ];
            }
            then accept;
        }
        term ICMP_ANY {
            from {
                protocol icmp;
            }
            then accept;
        }
        term DENY_BY_DEFAULT {
            then {
                log;
                discard;
            }
        }
    }
}

Verify that the input filter has been applied to the loopback interface as shown in the example below. A filter applied inbound on lo0 covers traffic destined to the Routing Engine regardless of the physical interface on which it arrived.

interfaces {
    ...
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input-list [ DESTINED_TO_RE CoPP_Policy ];
                }
                address 2.2.2.2/32;
            }
        }
    }
}

If the router is not configured with a receive-path filter to restrict traffic destined to itself, this is a finding.
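As an added example, not part of the STIG or of STIGQter, the following Python script automates the check above against a configuration exported with show configuration | display set. It parses the set-format statements the fix recommendation produces (filters under firewall family inet) as well as filters defined directly under firewall, and reports the conditions an assessor looks for: an input filter on lo0 unit 0 family inet, every listed filter actually defined, a final term that discards or rejects unconditionally, and no earlier term that accepts everything. The sample configuration embedded in it is constructed from the check example above; the CoPP_Policy filter named in the STIG's input-list is not shown on this page and is left out. Each filter in an input-list is judged on its own; the script does not model how Junos chains the listed filters.

```python
"""Audit a Junos configuration in set format for the receive-path filter this rule
requires. Added example for this page; not DISA or Juniper code."""
import re
from collections import OrderedDict

# Constructed sample: the check-content example rendered as
# `show configuration | display set`. The CoPP_Policy filter that the STIG's
# input-list also names is not shown in the STIG text, so it is omitted here.
CHECK_CONFIG = """\
set firewall filter DESTINED_TO_RE term ALLOW_OSPF from protocol ospf
set firewall filter DESTINED_TO_RE term ALLOW_OSPF then accept
set firewall filter DESTINED_TO_RE term ALLOW_BGP from source-address 11.1.12.1/32
set firewall filter DESTINED_TO_RE term ALLOW_BGP from source-address 11.1.23.3/32
set firewall filter DESTINED_TO_RE term ALLOW_BGP from source-address 11.1.25.5/32
set firewall filter DESTINED_TO_RE term ALLOW_BGP from protocol tcp
set firewall filter DESTINED_TO_RE term ALLOW_BGP from port bgp
set firewall filter DESTINED_TO_RE term FILTER_TCP from destination-address 11.1.12.0/24
set firewall filter DESTINED_TO_RE term FILTER_TCP from protocol tcp
set firewall filter DESTINED_TO_RE term FILTER_TCP from destination-port ssh
set firewall filter DESTINED_TO_RE term FILTER_TCP from destination-port tacacs
set firewall filter DESTINED_TO_RE term FILTER_TCP then accept
set firewall filter DESTINED_TO_RE term FILTER_UDP from destination-address 11.1.12.0/24
set firewall filter DESTINED_TO_RE term FILTER_UDP from protocol udp
set firewall filter DESTINED_TO_RE term FILTER_UDP from destination-port ntp
set firewall filter DESTINED_TO_RE term FILTER_UDP from destination-port snmp
set firewall filter DESTINED_TO_RE term FILTER_UDP then accept
set firewall filter DESTINED_TO_RE term ICMP_ANY from protocol icmp
set firewall filter DESTINED_TO_RE term ICMP_ANY then accept
set firewall filter DESTINED_TO_RE term DENY_BY_DEFAULT then log
set firewall filter DESTINED_TO_RE term DENY_BY_DEFAULT then discard
set interfaces lo0 unit 0 family inet filter input-list DESTINED_TO_RE
set interfaces lo0 unit 0 family inet address 2.2.2.2/32
"""

# Filters may live under `firewall filter` or `firewall family inet filter`.
TERM_RE = re.compile(
    r"^set firewall (?:family inet )?filter (\S+) term (\S+) (from|then) (.+)$")
LO0_RE = re.compile(
    r"^set interfaces lo0 unit 0 family inet filter (?:input|input-list) (\S+)$")
TERMINATING = ("accept", "discard", "reject")


def parse_filters(config):
    """Return {filter: {term: {"from": [...], "then": [...]}}}, terms in config order."""
    filters = OrderedDict()
    for line in config.splitlines():
        m = TERM_RE.match(line.strip())
        if m:
            fname, tname, clause, rest = m.groups()
            terms = filters.setdefault(fname, OrderedDict())
            terms.setdefault(tname, {"from": [], "then": []})[clause].append(rest)
    return filters


def lo0_input_filters(config):
    """Names of the filters applied inbound on lo0 unit 0 family inet, in list order."""
    names = []
    for line in config.splitlines():
        m = LO0_RE.match(line.strip())
        if m:
            names.append(m.group(1))
    return names


def term_action(term):
    """Terminating action of a term. A term with no terminating action accepts,
    which is the Junos default (the ALLOW_BGP term in the STIG text relies on it)."""
    for stmt in term["then"]:
        word = stmt.split()[0]          # e.g. "reject tcp-reset" -> "reject"
        if word in TERMINATING:
            return word
    return "accept"


def audit(config):
    """Evaluate the lo0 receive-path filter. Each filter in an input-list is judged
    on its own; the chaining of listed filters is not modelled."""
    findings = []
    filters = parse_filters(config)
    applied = lo0_input_filters(config)
    if not applied:
        findings.append("no input filter applied to lo0 unit 0 family inet")
    for name in applied:
        terms = filters.get(name)
        if not terms:
            findings.append(f"filter {name} is applied to lo0 but not defined")
            continue
        *earlier, (last_name, last) = terms.items()
        if last["from"] or term_action(last) == "accept":
            findings.append(f"filter {name}: last term {last_name} is not an "
                            "unconditional discard/reject (no deny-by-default)")
        for tname, term in earlier:
            if not term["from"] and term_action(term) == "accept":
                findings.append(f"filter {name}: term {tname} accepts everything, "
                                "so later terms are never reached")
    return {"compliant": not findings, "findings": findings}


if __name__ == "__main__":
    result = audit(CHECK_CONFIG)
    print("compliant" if result["compliant"] else "FINDING")
    for item in result["findings"]:
        print(" -", item)
```

Run it against the output of show configuration | display set saved to a file, or feed that text to audit() directly. The script only tests the structural conditions of this rule; whether the accepted sources and ports are the right ones for the environment is still a manual review.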

Documentable

False

Severity Override Guidance

Same as Check Contents above.

Check Content Reference

M

Target Key

3387

Comments