STIGQter: STIG Summary: Juniper Router RTR Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 12 Feb 2021:

The Juniper BGP router must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS).

DISA Rule

SV-217054r639663_rule

Vulnerability Number

V-217054

Group Title

SRG-NET-000018-RTR-000003

Rule Version

JUNI-RT-000490

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the router to reject inbound route advertisements for any prefixes belonging to the local AS.

Configure a prefix list containing prefixes belonging to the local autonomous system.

[edit policy-options]
set prefix-list OUR_PREFIXES x.x.x.x/16

Configure a policy-statement to reject prefixes belonging to the local autonomous system. This can be done by adding a term to the existing policy to filter Bogons as shown in the example below.

[edit policy-options policy-statement FILTER_ROUTES]
set term REJECT_OUR_PREFIXES from prefix-list OUR_PREFIXES
set term REJECT_OUR_PREFIXES then reject
insert term REJECT_OUR_PREFIXES before term ACCEPT_OTHER

Note: There is no need to change the BGP configuration, assuming the import statement is already configured for all external neighbors.

Check Contents

Review the router configuration to verify that it will reject routes belonging to the local AS.

Verify a prefix list has been configured containing prefixes belonging to the local autonomous system as shown in the example below.

policy-options {
    prefix-list OUR_PREFIXES {
        x.x.x.x/16;
    }
}

Verify that a policy has been configured to reject the local prefixes.

policy-options {
    policy-statement FILTER_ROUTES {
        term REJECT_BOGONS {
            from {
                prefix-list BOGON_PREFIXES;
            }
            then reject;
        }
        term REJECT_OUR_PREFIXES {
            from {
                prefix-list OUR_PREFIXES;
            }
            then reject;
        }
        term ACCEPT_OTHER {
            then accept;
        }
    }
}

Verify that the configured policy to filter local prefixes has been applied to external BGP peers as shown in the example below.

protocols {
    bgp {
        group GROUP_AS4 {
            type external;
            import FILTER_ROUTES;
            peer-as 4;
            neighbor x.x.x.x;
        }
    }
}

If the router is not configured to reject inbound route advertisements belonging to the local AS, this is a finding.
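As an added compliance check (not DISA or STIGQter code) that covers both the fix recommendation and the check procedure above: the script parses a Junos brace-format configuration and reports the three things the check looks for, namely the local prefix list, a term in FILTER_ROUTES that rejects it and sits before the accept term, and the import on every external BGP group. The sample configuration is constructed; the 192.0.2.0/24 and 203.0.113.x addresses are documentation placeholders and GROUP_AS5 is an assumed second group that forgot the import.

```python
"""Compliance check for JUNI-RT-000490 over a Junos brace-format config (added example, not DISA/STIGQter code)."""
import re

def parse(text):
    """Tokenize Junos brace syntax into nested dicts; leaf statements map to None."""
    stack, stmt = [{}], []                      # stack[-1] is the container being filled
    for tok in re.findall(r"[{};]|[^\s{};]+", text):
        if tok in ("{", ";"):                   # a statement ends: container or leaf
            key, stmt = " ".join(stmt), []
            if tok == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = None
        elif tok == "}":
            stack.pop()
        else:
            stmt.append(tok)
    return stack[0]

def values(term, key):
    """Words under key, written as a block ('then { reject; }') or inline ('then reject;')."""
    block = set(term.get(key) or {})
    return block | {k.split(" ", 1)[1] for k in term if k.startswith(key + " ")}

def check_local_as_filter(text, prefix_list="OUR_PREFIXES", policy="FILTER_ROUTES"):
    """Return the list of findings; an empty list means the STIG check passes."""
    cfg, findings = parse(text), []
    po = cfg.get("policy-options", {})
    if not po.get(f"prefix-list {prefix_list}"):
        findings.append(f"prefix-list {prefix_list} missing or empty")
    terms = [(k, v) for k, v in po.get(f"policy-statement {policy}", {}).items() if k.startswith("term ")]
    for i, (name, body) in enumerate(terms):
        if f"prefix-list {prefix_list}" in values(body, "from") and "reject" in values(body, "then"):
            # terms are evaluated in order: an earlier unconditional accept bypasses this reject
            findings += [f"{n} accepts routes before {name}" for n, b in terms[:i]
                         if not values(b, "from") and "accept" in values(b, "then")]
            break
    else:
        findings.append(f"{policy} has no term rejecting {prefix_list}")
    for name, grp in cfg.get("protocols", {}).get("bgp", {}).items():
        if name.startswith("group ") and grp and "type external" in grp and f"import {policy}" not in grp:
            findings.append(f"{name} is external but has no 'import {policy}'")
    return findings

SAMPLE = """policy-options { prefix-list OUR_PREFIXES { 192.0.2.0/24; }
  policy-statement FILTER_ROUTES { term REJECT_OUR_PREFIXES { from { prefix-list OUR_PREFIXES; } then reject; }
    term ACCEPT_OTHER { then accept; } } }
protocols { bgp { group GROUP_AS4 { type external; import FILTER_ROUTES; peer-as 4; neighbor 203.0.113.1; }
  group GROUP_AS5 { type external; peer-as 5; neighbor 203.0.113.5; } } }"""  # constructed: AS5 lacks the import
```

Run `check_local_as_filter(SAMPLE)` against the output of `show configuration` to get the list of reasons the router would be a finding; an empty list means it passes.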

Documentable

False


Severity Override Guidance

Check Content Reference

M

Target Key

4032

Comments