STIGQter STIGQter: STIG Summary: Juniper Router RTR Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 12 Feb 2021:

The Juniper router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.

DISA Rule

SV-217020r639663_rule

Vulnerability Number

V-217020

Group Title

SRG-NET-000205-RTR-000002

Rule Version

JUNI-RT-000140

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the filter that is applied inbound to the loopback interface to drop all fragmented ICMP packets as shown in the example below.

[edit firewall family inet filter DESTINED_TO_RP]
set term BLOCK_ICMP_FRAG from protocol icmp is-fragment
set term BLOCK_ICMP_FRAG then discard
insert term BLOCK_ICMP_FRAG before term DENY_BY_DEFAULT

Check Contents

Review the filter that is applied inbound to the loopback interface and verify that it discards fragmented ICMP packets as shown in the example below.

firewall {
family inet {



}
filter DESTINED_TO_RE {



}
term BLOCK_ICMP_FRAG {
from {
is-fragment;
protocol icmp;
}
then {
discard;
}
}
term ICMP_ANY {
from {
protocol icmp;
}
then accept;
}
term DENY_BY_DEFAULT {
then {
log;
discard;
}
}
}
}

If the router is not configured to filter to drop all fragmented ICMP packets destined to itself, this is a finding.

Vulnerability Number

V-217020

Documentable

False

Rule Version

JUNI-RT-000140

Severity Override Guidance

Review the filter that is applied inbound to the loopback interface and verify that it discards fragmented ICMP packets as shown in the example below.

firewall {
family inet {



}
filter DESTINED_TO_RE {



}
term BLOCK_ICMP_FRAG {
from {
is-fragment;
protocol icmp;
}
then {
discard;
}
}
term ICMP_ANY {
from {
protocol icmp;
}
then accept;
}
term DENY_BY_DEFAULT {
then {
log;
discard;
}
}
}
}

If the router is not configured to filter to drop all fragmented ICMP packets destined to itself, this is a finding.

Check Content Reference

M

Target Key

4032

Comments