STIGQter: STIG Summary: Juniper Router RTR Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 12 Feb 2021:

The Juniper router must be configured to have Internet Control Message Protocol (ICMP) redirect messages disabled on all external interfaces.

DISA Rule

SV-217024r639663_rule

Vulnerability Number

V-217024

Group Title

SRG-NET-000362-RTR-000115

Rule Version

JUNI-RT-000190

Severity

CAT II

CCI(s)

• CCI-002385 - The information system protects against or limits the effects of organization-defined types of denial of service attacks by employing organization-defined security safeguards.

Weight

10

Fix Recommendation

Disable ICMP redirects on all external interfaces as shown in the example below.

[edit interfaces]
set ge-1/0/0 unit 0 family inet no-redirects
set ge-1/1/0 unit 0 family inet no-redirects

Check Contents

Review the device configuration to determine if it has been configured to ensure the router does not send ICMP Redirect messages out to any external interface.

interfaces {
ge-1/0/0 {
unit 0 {
family inet {
no-redirects;
address 11.1.12.2/24;
}
}
}
ge-1/1/0 {
unit 0 {
family inet {
no-redirects;
address 11.1.23.2/24;
}
}
}

If ICMP Redirect messages are enabled on any external interfaces, this is a finding.

Vulnerability Number

V-217024

Documentable

False

Rule Version

JUNI-RT-000190

Severity Override Guidance

Review the device configuration to determine if it has been configured to ensure the router does not send ICMP Redirect messages out to any external interface.

interfaces {
ge-1/0/0 {
unit 0 {
family inet {
no-redirects;
address 11.1.12.2/24;
}
}
}
ge-1/1/0 {
unit 0 {
family inet {
no-redirects;
address 11.1.23.2/24;
}
}
}

If ICMP Redirect messages are enabled on any external interfaces, this is a finding.

Check Content Reference

M

Target Key

4032

Comments