STIGQter STIGQter: STIG Summary: Juniper Router RTR Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 12 Feb 2021:

The Juniper BGP router must be configured to reject outbound route advertisements for any prefixes belonging to the IP core.

DISA Rule

SV-217057r639663_rule

Vulnerability Number

V-217057

Group Title

SRG-NET-000205-RTR-000006

Rule Version

JUNI-RT-000520

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the router to filter outbound route advertisements belonging to the IP core.

Configure a prefix list containing prefixes belonging to the IP core.

[edit policy-options]
set prefix-list CORE_PREFIX x.x.x.x/16

Configure a policy-statement to filter BGP route advertisements that will exclude core prefixes.

[edit policy-options]
set policy-statement BGP_ADVERTISE_POLICY term EXCLUDE_CORE from prefix-list CORE_PREFIX
set policy-statement BGP_ADVERTISE_POLICY term EXCLUDE_CORE then reject
set policy-statement BGP_ADVERTISE_POLICY term INCLUDE_OTHER then accept

Configure an export statement referencing the advertise policy on all external BGP peer groups as shown in the example below.

[edit protocols bgp group GROUP_AS4]
set export BGP_ADVERTISE_POLICY

Check Contents

Review the router configuration to verify that there is a filter defined to block route advertisements for prefixes that belong to the IP core.

Verify a prefix list has been configured containing prefixes belonging to the local autonomous system as shown in the example below.

policy-options {



prefix-list CORE_PREFIX {
x.x.x.x/16;
}

Verify that a policy has been configured to not advertise prefixes belong to the core as shown in the example below.

policy-options {



policy-statement BGP_ADVERTISE_POLICY {
term EXCLUDE_CORE {
from {
prefix-list CORE_PREFIX;
}
then reject;
}
term INCLUDE_OTHER {
then accept;
}
}

Verify that the export statement as shown below references the advertise policy.

protocols {
bgp {
group AS4 {
type external;
export BGP_ADVERTISE_POLICY;
peer-as 4;
neighbor x.x.x.x;
}

If the router is not configured to reject outbound route advertisements that belong to the IP core, this is a finding.

Vulnerability Number

V-217057

Documentable

False

Rule Version

JUNI-RT-000520

Severity Override Guidance

Review the router configuration to verify that there is a filter defined to block route advertisements for prefixes that belong to the IP core.

Verify a prefix list has been configured containing prefixes belonging to the local autonomous system as shown in the example below.

policy-options {



prefix-list CORE_PREFIX {
x.x.x.x/16;
}

Verify that a policy has been configured to not advertise prefixes belong to the core as shown in the example below.

policy-options {



policy-statement BGP_ADVERTISE_POLICY {
term EXCLUDE_CORE {
from {
prefix-list CORE_PREFIX;
}
then reject;
}
term INCLUDE_OTHER {
then accept;
}
}

Verify that the export statement as shown below references the advertise policy.

protocols {
bgp {
group AS4 {
type external;
export BGP_ADVERTISE_POLICY;
peer-as 4;
neighbor x.x.x.x;
}

If the router is not configured to reject outbound route advertisements that belong to the IP core, this is a finding.

Check Content Reference

M

Target Key

4032

Comments