STIGQter STIGQter: STIG Summary: Juniper Router RTR Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 12 Feb 2021:

The Juniper BGP router must be configured to reject inbound route advertisements from a customer edge (CE) Juniper router for prefixes that are not allocated to that customer.

DISA Rule

SV-217055r639663_rule

Vulnerability Number

V-217055

Group Title

SRG-NET-000018-RTR-000004

Rule Version

JUNI-RT-000500

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the router to reject inbound route advertisements from a CE router for prefixes that are not allocated to that customer.

Configure a prefix list containing prefixes belonging to the customers.

[edit policy-options]
set prefix-list CUST1_PREFIXES x.x.x.x/24
set prefix-list CUST1_PREFIXES x.x.x.x/24
set prefix-list CUST2_PREFIXES x.x.x.x/24
set prefix-list CUST2_PREFIXES x.x.x.x/24

Configure a policy-statement to filter customer routes.

set policy-statement FILTER_CUST1_ROUTES term ACCEPT_ROUTES from prefix-list CUST1_PREFIXES
set policy-statement FILTER_CUST1_ROUTES term then accept
set policy-statement FILTER_CUST1_ROUTES term REJECT_OTHER then reject
set policy-statement FILTER_CUST2_ROUTES term ACCEPT_ROUTES from prefix-list CUST2_PREFIXES
set policy-statement FILTER_CUST2_ROUTES term then accept
set policy-statement FILTER_CUST2_ROUTES term REJECT_OTHER then reject

Apply the import policy to filter received routes for each customer group.

[edit protocols bgp group CUST1]
set import FILTER_CUST1_ROUTES
[edit protocols bgp group CUST2]
set import FILTER_CUST2_ROUTES

Check Contents

Review the router configuration to verify that there are filters defined to only accept routes for prefixes that belong to specific customers.

Verify prefix list has been configured containing prefixes belonging to each customer as shown in the example below.

policy-options {



prefix-list CUST1_PREFIXES {
x.x.x.x/24;
x.x.x.x/24;
}
prefix-list CUST2_PREFIXES {
x.x.x.x/24;
}

Verify that a policy has been configured to only accept routes belonging to the customer.

policy-options {



policy-statement FILTER_CUST1_ROUTES {
term ACCEPT-ROUTES {
from {
prefix-list CUST1_PREFIXES;
}
then accept;
}
term REJECT_OTHER {
then reject;
}
}
policy-statement FILTER_CUST2_ROUTES {
term ACCEPT_ROUTES {
from {
prefix-list CUST2_PREFIXES;
}
then accept;
}
term REJECT_OTHER {
then reject;
}
}
}

Verify that the configured policy to filter customer prefixes has been applied to customer BGP peers as shown in the example below.

protocols {
bgp {



}
group CUST1 {
type external;
import FILTER_CUST1_ROUTES;
peer-as 55;
neighbor x.x.x.x;
neighbor x.x.x.x;
}
group CUST2 {
type external;
import FILTER_CUST2_ROUTES;
peer-as 44;
neighbor x.x.x.x;
neighbor x.x.x.x;
}
}



}

Note: Routes to PE-CE links within a VPN are needed for troubleshooting end-to-end connectivity across the MPLS/IP backbone. Hence, these prefixes are an exception to this requirement.

If the router is not configured to reject inbound route advertisements from each CE router for prefixes that are not allocated to that customer, this is a finding.

Vulnerability Number

V-217055

Documentable

False

Rule Version

JUNI-RT-000500

Severity Override Guidance

Review the router configuration to verify that there are filters defined to only accept routes for prefixes that belong to specific customers.

Verify prefix list has been configured containing prefixes belonging to each customer as shown in the example below.

policy-options {



prefix-list CUST1_PREFIXES {
x.x.x.x/24;
x.x.x.x/24;
}
prefix-list CUST2_PREFIXES {
x.x.x.x/24;
}

Verify that a policy has been configured to only accept routes belonging to the customer.

policy-options {



policy-statement FILTER_CUST1_ROUTES {
term ACCEPT-ROUTES {
from {
prefix-list CUST1_PREFIXES;
}
then accept;
}
term REJECT_OTHER {
then reject;
}
}
policy-statement FILTER_CUST2_ROUTES {
term ACCEPT_ROUTES {
from {
prefix-list CUST2_PREFIXES;
}
then accept;
}
term REJECT_OTHER {
then reject;
}
}
}

Verify that the configured policy to filter customer prefixes has been applied to customer BGP peers as shown in the example below.

protocols {
bgp {



}
group CUST1 {
type external;
import FILTER_CUST1_ROUTES;
peer-as 55;
neighbor x.x.x.x;
neighbor x.x.x.x;
}
group CUST2 {
type external;
import FILTER_CUST2_ROUTES;
peer-as 44;
neighbor x.x.x.x;
neighbor x.x.x.x;
}
}



}

Note: Routes to PE-CE links within a VPN are needed for troubleshooting end-to-end connectivity across the MPLS/IP backbone. Hence, these prefixes are an exception to this requirement.

If the router is not configured to reject inbound route advertisements from each CE router for prefixes that are not allocated to that customer, this is a finding.

Check Content Reference

M

Target Key

4032

Comments