STIGQter STIGQter: STIG Summary: Juniper Router RTR Security Technical Implementation Guide Version: 1 Release: 3 Benchmark Date: 25 Oct 2019: The Juniper perimeter router must be configured to not redistribute static routes to an alternate gateway service provider into BGP or an IGP peering with the NIPRNet or to other autonomous systems.

DISA Rule

SV-101065r1_rule

Vulnerability Number

V-90855

Group Title

SRG-NET-000019-RTR-000010

Rule Version

JUNI-RT-000300

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

This requirement is not applicable for the DoDIN Backbone.

Configure the router so that static routes are not redistributed to an alternate gateway into either a BGP or any IGP peering with the NIPRNet or to any other autonomous systems. This can be done by excluding that route in the export policy as shown in the example below.

[edit policy-options policy-statement REDISTRIBUTE]
set term NOT_ISP_DEFAULT from protocol static route-filter 0.0.0.0/0 exact
set term NOT_ISP_DEFAULT then reject
insert term set term NOT_ISP_DEFAULT before term EXPORT_STATIC

Check Contents

This requirement is not applicable for the DoDIN Backbone.

Review the configurations under the protocols hierarchy. If the export statement is configured as shown in the example below proceed to step 2.

}
protocols {
bgp {
group AS_5 {
type external;
export REDISTRIBUTE;
peer-as 5;



}
}
}
ospf {
export REDISTRIBUTE;
area 0.0.0.0 {
interface ge-0/0/0 {



}
}
}
}

Review the export policy referenced above to determine if static routes are being exported as shown in the example below.

policy-options {



}
policy-statement REDISTRIBUTE {
term EXPORT_STATIC {
from protocol static;
then accept;
}
}
}

Review the static routes that have been configured to determine if there routes with the next hop address that of the alternate gateway.

routing-options {
static {
route 10.1.16.0/24 next-hop 10.1.12.1;
route 0.0.0.0/0 next-hop 144.22.1.3;
}

If the static routes to the alternate gateway are being redistributed into BGP or any IGP peering to a NIPRNet gateway or any other autonomous system, this is a finding.

Vulnerability Number

V-90855

Documentable

False

Rule Version

JUNI-RT-000300

Severity Override Guidance

This requirement is not applicable for the DoDIN Backbone.

Review the configurations under the protocols hierarchy. If the export statement is configured as shown in the example below proceed to step 2.

}
protocols {
bgp {
group AS_5 {
type external;
export REDISTRIBUTE;
peer-as 5;



}
}
}
ospf {
export REDISTRIBUTE;
area 0.0.0.0 {
interface ge-0/0/0 {



}
}
}
}

Review the export policy referenced above to determine if static routes are being exported as shown in the example below.

policy-options {



}
policy-statement REDISTRIBUTE {
term EXPORT_STATIC {
from protocol static;
then accept;
}
}
}

Review the static routes that have been configured to determine if there routes with the next hop address that of the alternate gateway.

routing-options {
static {
route 10.1.16.0/24 next-hop 10.1.12.1;
route 0.0.0.0/0 next-hop 144.22.1.3;
}

If the static routes to the alternate gateway are being redistributed into BGP or any IGP peering to a NIPRNet gateway or any other autonomous system, this is a finding.

Check Content Reference

M

Target Key

3387

Comments