STIGQter STIGQter: STIG Summary: Juniper Router NDM Security Technical Implementation Guide Version: 1 Release: 5 Benchmark Date: 24 Jul 2020:

The Juniper router must be configured to protect against known types of Denial of Service (DoS) attacks by employing organization-defined security safeguards.

DISA Rule

SV-101273r1_rule

Vulnerability Number

V-91173

Group Title

SRG-APP-000435-NDM-000315

Rule Version

JUNI-ND-001210

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the router protect against known types of DoS attacks on the route processor. Implementing a CoPP policy as shown in the example below is a best practice method.

Step 1: Configure policers for specific traffic types.

set firewall policer CRITICAL filter-specific
set firewall policer CRITICAL if-exceeding bandwidth-limit 4000000 burst-size-limit 1500
set firewall policer CRITICAL then discard
set firewall policer IMPORTANT filter-specific
set firewall policer IMPORTANT if-exceeding bandwidth-limit 512000 burst-size-limit 16000
set firewall policer IMPORTANT then discard
set firewall policer NORMAL filter-specific
set firewall policer NORMAL if-exceeding bandwidth-limit 64000 burst-size-limit 2000
set firewall policer NORMAL then discard
set firewall policer UNDESIRABLE filter-specific
set firewall policer UNDESIRABLE if-exceeding bandwidth-limit 32000 burst-size-limit 1500
set firewall policer UNDESIRABLE then discard
set firewall policer ALL-OTHER filter-specific
set firewall policer ALL-OTHER if-exceeding bandwidth-limit 32000 burst-size-limit 1500
set firewall policer ALL-OTHER then discard

Step 2: Configure the CoPP filter by applying policers to the appropriate traffic types.

set firewall filter CoPP_Policy term CRITICAL from protocol ospf
set firewall filter CoPP_Policy term CRITICAL from protocol pim
set firewall filter CoPP_Policy term CRITICAL from protocol tcp destination-port bgp
set firewall filter CoPP_Policy term CRITICAL from protocol tcp source-port bgp
set firewall filter CoPP_Policy term CRITICAL then policer CRITICAL
set firewall filter CoPP_Policy term IMPORTANT from source-address 10.1.1.0/24
set firewall filter CoPP_Policy term IMPORTANT from protocol tcp destination-port ssh
set firewall filter CoPP_Policy term IMPORTANT from protocol tcp destination-port snmp
set firewall filter CoPP_Policy term IMPORTANT from protocol tcp destination-port ntp
set firewall filter CoPP_Policy term IMPORTANT then policer IMPORTANT
set firewall filter CoPP_Policy term IMPORTANT from protocol tcp destination-port ssh
set firewall filter CoPP_Policy term IMPORTANT from protocol tcp destination-port snmp
set firewall filter CoPP_Policy term IMPORTANT from protocol tcp destination-port ntp
set firewall filter CoPP_Policy term IMPORTANT then discard
set firewall filter CoPP_Policy term NORMAL from protocol icmp icmp-code ttl-eq-zero-during-transit
set firewall filter CoPP_Policy term NORMAL from protocol icmp icmp-code port-unreachable
set firewall filter CoPP_Policy term NORMAL from protocol icmp icmp-type echo-reply
set firewall filter CoPP_Policy term NORMAL from protocol icmp icmp-type echo-request
set firewall filter CoPP_Policy term NORMAL then policer NORMAL
set firewall filter CoPP_Policy term UNDESIRABLE from protocol udp destination-port 1434
set firewall filter CoPP_Policy term UNDESIRABLE then policer UNDESIRABLE
set firewall filter CoPP_Policy term ALL-OTHER from address 0.0.0.0/0
set firewall filter CoPP_Policy term ALL-OTHER then policer ALL-OTHER

Step 3: Apply the CoPP filter to the loopback interface.

set interface lo0 unit 0 family inet filter input CoPP_Policy

Check Contents

Review the router configuration to verify that it is compliant with this requirement.

Step 1: Verify that the loopback interfaces has been configured with an input filter. The example below defined a control plane policing (CoPP) filter named CoPP_Policy.

interfaces {



lo0 {
unit 0 {
family inet {
filter {
input CoPP_Policy;
}
address 5.5.5.5/32;
}
}
}
}

Step 2: Verify that the filter will protect against DoS attacks.

firewall {



}
filter CoPP_Policy {
term CRITICAL {
from {
protocol [ ospf pim tcp ];
source-port bgp;
destination-port bgp;
}
then policer CRITICAL;
}
term IMPORTANT {
from {
source-address {
10.1.1.0/24;
}
protocol tcp;
destination-port [ ssh snmp ntp ];
}
then {
policer IMPORTANT;
discard;
}
}
term NORMAL {
from {
protocol icmp;
icmp-type [ echo-reply echo-request ];
icmp-code [ ttl-eq-zero-during-transit port-unreachable ];
}
then policer NORMAL;
}
term UNDESIRABLE {
from {
protocol udp;
destination-port 1434;
}
then policer UNDESIRABLE;
}
term ALL-OTHER {
from {
address {
0.0.0.0/0;
}
}
then policer ALL-OTHER;
}
}
}

Step 3: verify that policers configured will restrict bandwidth based on traffic types as shown in the example below.

firewall {



}
policer CRITICAL {
filter-specific;
if-exceeding {
bandwidth-limit 4m;
burst-size-limit 1500;
}
then discard;
}
policer IMPORTANT {
filter-specific;
if-exceeding {
bandwidth-limit 512k;
burst-size-limit 16k;
}
then discard;
}
policer NORMAL {
filter-specific;
if-exceeding {
bandwidth-limit 64k;
burst-size-limit 2k;
}
then discard;
}
policer UNDESIRABLE {
filter-specific;
if-exceeding {
bandwidth-limit 32k;
burst-size-limit 1500;
}
then discard;
}
policer ALL-OTHER {
filter-specific;
if-exceeding {
bandwidth-limit 32k;
burst-size-limit 1500;
}
then discard;
}

If the router is not configured to protect against known types of DoS attacks by employing organization-defined security safeguards, this is a finding.

Vulnerability Number

V-91173

Documentable

False

Rule Version

JUNI-ND-001210

Severity Override Guidance

Review the router configuration to verify that it is compliant with this requirement.

Step 1: Verify that the loopback interfaces has been configured with an input filter. The example below defined a control plane policing (CoPP) filter named CoPP_Policy.

interfaces {



lo0 {
unit 0 {
family inet {
filter {
input CoPP_Policy;
}
address 5.5.5.5/32;
}
}
}
}

Step 2: Verify that the filter will protect against DoS attacks.

firewall {



}
filter CoPP_Policy {
term CRITICAL {
from {
protocol [ ospf pim tcp ];
source-port bgp;
destination-port bgp;
}
then policer CRITICAL;
}
term IMPORTANT {
from {
source-address {
10.1.1.0/24;
}
protocol tcp;
destination-port [ ssh snmp ntp ];
}
then {
policer IMPORTANT;
discard;
}
}
term NORMAL {
from {
protocol icmp;
icmp-type [ echo-reply echo-request ];
icmp-code [ ttl-eq-zero-during-transit port-unreachable ];
}
then policer NORMAL;
}
term UNDESIRABLE {
from {
protocol udp;
destination-port 1434;
}
then policer UNDESIRABLE;
}
term ALL-OTHER {
from {
address {
0.0.0.0/0;
}
}
then policer ALL-OTHER;
}
}
}

Step 3: verify that policers configured will restrict bandwidth based on traffic types as shown in the example below.

firewall {



}
policer CRITICAL {
filter-specific;
if-exceeding {
bandwidth-limit 4m;
burst-size-limit 1500;
}
then discard;
}
policer IMPORTANT {
filter-specific;
if-exceeding {
bandwidth-limit 512k;
burst-size-limit 16k;
}
then discard;
}
policer NORMAL {
filter-specific;
if-exceeding {
bandwidth-limit 64k;
burst-size-limit 2k;
}
then discard;
}
policer UNDESIRABLE {
filter-specific;
if-exceeding {
bandwidth-limit 32k;
burst-size-limit 1500;
}
then discard;
}
policer ALL-OTHER {
filter-specific;
if-exceeding {
bandwidth-limit 32k;
burst-size-limit 1500;
}
then discard;
}

If the router is not configured to protect against known types of DoS attacks by employing organization-defined security safeguards, this is a finding.

Check Content Reference

M

Target Key

3381

Comments