STIGQter: STIG Summary: Juniper Router RTR Security Technical Implementation Guide, Version: 2, Release: 2, Benchmark Date: 12 Feb 2021

The Juniper router must be configured to have all non-essential capabilities disabled.

DISA Rule

SV-217017r639663_rule

Vulnerability Number

V-217017

Group Title

SRG-NET-000131-RTR-000035

Rule Version

JUNI-RT-000070

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Remove unneeded services and functions from the router as shown below.

[edit system services]
delete telnet
[edit system services]
delete finger
[edit system services]
delete ftp

Check Contents

Review the router configuration to determine if services not required for operation are enabled. Services such as finger, ftp, and telnet must never be enabled; hence, they should not appear under the system services hierarchy.

If J-web is not used for administrative access, the web-management services must not be configured as shown below.

If DHCP server is not being deployed on the router, the command dhcp-local-server must not be configured as shown below.

system {
    services {
        web-management {
            https {
                interface ge-0/0/0.0;
            }
        }
        finger;
        ftp;
        ssh {
            protocol-version v2;
            macs [ hmac-sha1-96 hmac-sha2-256 hmac-sha2-512 ];
        }
        telnet;
        netconf {
            ssh;
        }
        dhcp-local-server {
            group DHCP_GROUP {
                interface ge-0/1/0.0;
            }
        }
    }
}

If unnecessary services and functions are enabled on the router, this is a finding.
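As an added illustration (not part of the STIG or of STIGQter), a small Python audit that parses the [edit system services] hierarchy out of a Junos configuration and reports the services this check treats as findings. The sample configuration is a constructed copy of the non-compliant one quoted above, and the jweb_used and dhcp_server_used flags are assumptions that encode whether the router actually needs those two services.

```python
"""Audit [edit system services] for JUNI-RT-000070: finger, ftp and telnet are
never allowed; web-management and dhcp-local-server are findings unless needed."""

# Constructed sample (hypothetical): the non-compliant configuration from the check.
SAMPLE_CONFIG = """
system {
    services {
        web-management { https { interface ge-0/0/0.0; } }
        finger;
        ftp;
        ssh { protocol-version v2; }
        telnet;
        netconf { ssh; }
        dhcp-local-server { group DHCP_GROUP { interface ge-0/1/0.0; } }
    }
}
"""

ALWAYS_PROHIBITED = ("finger", "ftp", "telnet")

def parse_junos(text):
    """Parse brace-style Junos config into nested dicts; leaf statements map to None."""
    root = {}
    node, stack, words = root, [], []
    # Pad the structural characters so a plain split yields one token each.
    for tok in text.replace("{", " { ").replace("}", " } ").replace(";", " ; ").split():
        if tok == "{":                      # open a child hierarchy
            child = {}
            node[" ".join(words)] = child
            stack.append(node)
            node, words = child, []
        elif tok == "}":                    # return to the parent hierarchy
            node = stack.pop()
        elif tok == ";":                    # terminate a leaf statement
            node[" ".join(words)] = None
            words = []
        else:
            words.append(tok)
    return root

def audit_services(config_text, jweb_used=False, dhcp_server_used=False):
    """Return the sorted service names under [edit system services] that are findings."""
    services = parse_junos(config_text).get("system", {}).get("services", {})
    findings = [s for s in ALWAYS_PROHIBITED if s in services]
    if "web-management" in services and not jweb_used:
        findings.append("web-management")
    if "dhcp-local-server" in services and not dhcp_server_used:
        findings.append("dhcp-local-server")
    return sorted(findings)
```

Run it against the output of `show configuration system services` (with the enclosing `system { services { ... } }` wrapper) to get the list of statements to delete under the fix above.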

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4032

Comments