STIGQter: STIG Summary: Juniper Router RTR Security Technical Implementation Guide, Version 2, Release 2, Benchmark Date: 12 Feb 2021

The Juniper router must be configured to have Internet Control Message Protocol (ICMP) unreachable messages disabled on all external interfaces.

DISA Rule

SV-217022r639663_rule

Vulnerability Number

V-217022

Group Title

SRG-NET-000362-RTR-000113

Rule Version

JUNI-RT-000170

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

[edit firewall family inet]
set filter FILTER_INBOUND term DENY_BY_DEFAULT then log discard

Check Contents

Review the firewall hierarchy configuration to verify that all packets that are not permitted are silently dropped using the discard parameter as shown in the configuration example below.

firewall {
    family inet {
        ...
        filter FILTER_INBOUND {
            term ALLOW_XYZ {
                from {
                    protocol xyz;
                }
                then accept;
            }
            ...
            term DENY_BY_DEFAULT {
                then {
                    log;
                    discard;
                }
            }
        }
    }
}

If ICMP unreachable notifications are sent for packets that are dropped, this is a finding.
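The check above is easy to do by eye on one filter but tedious across a fleet. The following Python script is an added example (not part of the STIG or of any DISA or Juniper tooling) that parses Junos curly-brace firewall configuration text and flags the two ways this rule is failed: a term that uses `reject` (which generates an ICMP unreachable for the dropped packet) and a filter whose final term does not `discard`. The two configuration strings are constructed samples modelled on the STIG's example; the function and variable names are the script's own.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: matches the STIG's compliant example.
COMPLIANT_CONFIG = """
firewall {
    family inet {
        filter FILTER_INBOUND {
            term ALLOW_XYZ {
                from {
                    protocol xyz;
                }
                then accept;
            }
            term DENY_BY_DEFAULT {
                then {
                    log;
                    discard;
                }
            }
        }
    }
}
"""

# Constructed sample: same filter, but the catch-all term uses 'reject',
# so the router answers dropped packets with ICMP unreachable messages.
NONCOMPLIANT_CONFIG = COMPLIANT_CONFIG.replace("discard;", "reject;")

# A node is (keyword tuple, children); children is None for a 'stmt;' line.
Node = Tuple[Tuple[str, ...], Optional[List["Node"]]]


def tokenize(text: str) -> List[str]:
    """Split Junos hierarchy text into words, braces and semicolons."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)  # drop /* */ annotations
    return re.findall(r"\{|\}|;|[^\s{};]+", text)


def parse(tokens: List[str], pos: int = 0) -> Tuple[List[Node], int]:
    """Recursive-descent parse of 'key value;' statements and 'key { ... }' blocks."""
    nodes: List[Node] = []
    words: List[str] = []
    while pos < len(tokens):
        tok = tokens[pos]
        pos += 1
        if tok == ";":
            nodes.append((tuple(words), None))
            words = []
        elif tok == "{":
            children, pos = parse(tokens, pos)
            nodes.append((tuple(words), children))
            words = []
        elif tok == "}":
            return nodes, pos
        else:
            words.append(tok)
    return nodes, pos


def children_of(nodes: List[Node], *key: str) -> Optional[List[Node]]:
    """Return the children of the block whose keywords equal `key`, if present."""
    for k, ch in nodes:
        if k == key and ch is not None:
            return ch
    return None


def named_blocks(nodes: List[Node], keyword: str):
    """Yield (name, children) for blocks such as 'filter NAME { ... }'."""
    for k, ch in nodes:
        if ch is not None and len(k) == 2 and k[0] == keyword:
            yield k[1], ch


def term_actions(term: List[Node]) -> set:
    """Collect actions from both 'then accept;' and 'then { log; discard; }' forms."""
    actions = set()
    for k, ch in term:
        if not k or k[0] != "then":
            continue
        if ch is None:
            actions.update(k[1:])
        else:
            actions.update(ck[0] for ck, _ in ch if ck)
    return actions


def audit(config_text: str) -> List[str]:
    """Return a list of findings; an empty list means every inet filter complies."""
    root, _ = parse(tokenize(config_text))
    firewall = children_of(root, "firewall")
    inet = children_of(firewall, "family", "inet") if firewall is not None else None
    if inet is None:
        return ["no 'firewall family inet' hierarchy configured"]
    findings = []
    for fname, filt in named_blocks(inet, "filter"):
        terms = list(named_blocks(filt, "term"))
        if not terms:
            findings.append(f"filter {fname}: no terms defined")
            continue
        for tname, tnodes in terms:
            if "reject" in term_actions(tnodes):
                findings.append(f"filter {fname} term {tname}: 'reject' sends ICMP unreachable; use 'discard'")
        last_name, last_nodes = terms[-1]
        if "discard" not in term_actions(last_nodes):
            findings.append(f"filter {fname}: final term {last_name} does not silently discard")
    return findings


if __name__ == "__main__":
    for label, cfg in (("compliant", COMPLIANT_CONFIG), ("noncompliant", NONCOMPLIANT_CONFIG)):
        print(label, audit(cfg) or "OK")
```

Feed `audit()` the output of `show configuration firewall` captured from each router; any finding is remediated with the set command in the Fix Recommendation above.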

Documentable

False

Severity Override Guidance


Check Content Reference

M

Target Key

4032

Comments