STIGQter: STIG Summary: Juniper Router RTR Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 12 Feb 2021:

The Juniper perimeter router must be configured to have Proxy ARP disabled on all external interfaces.

DISA Rule

SV-217042r639663_rule

Vulnerability Number

V-217042

Group Title

SRG-NET-000364-RTR-000112

Rule Version

JUNI-RT-000370

Severity

CAT II

CCI(s)

• CCI-002403 - The information system only allows incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations.

Weight

10

Fix Recommendation

This requirement is not applicable for the DoDIN Backbone.

Disable Proxy ARP on all external interfaces as shown in the example below.

[edit interfaces em0 unit 0]
delete proxy-arp restricted

Check Contents

Review the router configuration to determine if IP Proxy ARP is disabled on all external interfaces.

interfaces {
description "NIPRNet";
ge-0/0/0 {
unit 0 {
proxy-arp restricted;
family inet {

If IP Proxy ARP is enabled on any external interface, this is a finding.

Vulnerability Number

V-217042

Documentable

False

Rule Version

JUNI-RT-000370

Severity Override Guidance

Review the router configuration to determine if IP Proxy ARP is disabled on all external interfaces.

interfaces {
description "NIPRNet";
ge-0/0/0 {
unit 0 {
proxy-arp restricted;
family inet {

If IP Proxy ARP is enabled on any external interface, this is a finding.

Check Content Reference

M

Target Key

4032

Comments