STIGQter: STIG Summary: Juniper Router RTR Security Technical Implementation Guide, Version 2, Release 2, Benchmark Date: 12 Feb 2021

The Juniper PE router must be configured to block any traffic that is destined to IP core infrastructure.

DISA Rule

SV-217076r639663_rule

Vulnerability Number

V-217076

Group Title

SRG-NET-000205-RTR-000007

Rule Version

JUNI-RT-000710

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Configure protection for the IP core to be implemented at the edges by blocking any traffic with a destination address assigned to the IP core infrastructure.

Configure an ingress filter to discard and log packets destined to the IP core address space.

[edit firewall family inet]
set filter INGRESS_FILTER term BLOCK_TO_CORE from destination-address x.x.x.x/8
set filter INGRESS_FILTER term BLOCK_TO_CORE then log discard
set filter INGRESS_FILTER term ALLOW_TRANSIT_TRAFFIC then accept

Apply the filter inbound to all CE-facing interfaces.

[edit interfaces ge-0/1/0 unit 0]
set family inet filter input INGRESS_FILTER

Check Contents

Review the router configuration to verify that an ingress filter is applied to all CE-facing interfaces.

interfaces {
    ge-0/1/0 {
        description "link to Customer 2";
        unit 0 {
            family inet {
                filter {
                    input INGRESS_FILTER;
                }
                address x.x.x.x/30;
            }
        }
    }
}

Verify that the ingress filter discards and logs packets destined to the IP core address space.

firewall {
    family inet {
        filter INGRESS_FILTER {
            term BLOCK_TO_CORE {
                from {
                    destination-address {
                        x.x.x.x/8;
                    }
                }
                then {
                    log;
                    discard;
                }
            }
            term ALLOW_TRANSIT_TRAFFIC {
                then accept;
            }
        }
    }
}

If the PE router is not configured to block any traffic with a destination address assigned to the IP core infrastructure, this is a finding.

Note: Internet Control Message Protocol (ICMP) echo requests and traceroutes will be allowed to the edge from external adjacent neighbors.
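An automated form of the review above, added here as an example (it is not part of the STIG text or of STIGQter): it parses curly-brace Junos configuration, lists CE-facing logical units that do not have the input filter applied, and confirms that INGRESS_FILTER contains a term that both logs and discards traffic destined to the core range before any catch-all accept term. The sample configuration is constructed; 10.0.0.0/8 stands in for the page's x.x.x.x/8 core range, and identifying CE-facing interfaces by a "Customer" string in the description is an assumption of this script, not something the STIG specifies.

```python
import ipaddress
# Constructed sample "show configuration" output (not from the STIG page): 10.0.0.0/8
# stands in for the page's x.x.x.x/8 core range, and ge-0/1/1 is deliberately
# missing the ingress filter so the check produces a finding.
SAMPLE_CONFIG = """
interfaces {
    ge-0/1/0 {
        description "link to Customer 2";
        unit 0 {
            family inet {
                filter {
                    input INGRESS_FILTER;
                }
                address 203.0.113.1/30;
            }
        }
    }
    ge-0/1/1 {
        description "link to Customer 3";
        unit 0 {
            family inet {
                address 203.0.113.5/30;
            }
        }
    }
}
firewall {
    family inet {
        filter INGRESS_FILTER {
            term BLOCK_TO_CORE {
                from {
                    destination-address {
                        10.0.0.0/8;
                    }
                }
                then {
                    log;
                    discard;
                }
            }
            term ALLOW_TRANSIT_TRAFFIC {
                then accept;
            }
        }
    }
}
"""

def parse_junos(text):
    """Curly-brace Junos config -> nested dicts; 'stmt;' leaves map to None, order kept."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("{"):                       # open a child stanza
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}":                            # close it
            stack.pop()
        elif line.endswith(";"):                     # leaf statement
            stack[-1][line[:-1].strip()] = None
    return stack[0]

def leaves(node, prefix):
    """Values of leaf statements starting with prefix, e.g. 'input ' -> ['INGRESS_FILTER']."""
    return [k[len(prefix):].strip('" ') for k in node if k.startswith(prefix)]

def unfiltered_ce_interfaces(cfg, filter_name, ce_marker="Customer"):
    """CE-facing logical units (assumed to carry ce_marker in their description) lacking the filter."""
    missing = []
    for ifname, ifnode in cfg.get("interfaces", {}).items():
        if not any(ce_marker in d for d in leaves(ifnode, "description ")):
            continue
        for uname, unit in ifnode.items():
            if not uname.startswith("unit ") or not isinstance(unit, dict):
                continue
            applied = leaves(unit.get("family inet", {}).get("filter") or {}, "input ")
            if filter_name not in applied:
                missing.append(f"{ifname}.{uname.split()[1]}")
    return missing

def filter_blocks_core(cfg, filter_name, core_net):
    """True if a term covering core_net logs and discards before any catch-all accept."""
    core = ipaddress.ip_network(core_net)
    flt = cfg.get("firewall", {}).get("family inet", {}).get("filter " + filter_name) or {}
    for name, term in flt.items():
        if not name.startswith("term ") or not isinstance(term, dict):
            continue
        # 'then { log; discard; }' parses as a dict; 'then accept;' as a one-line leaf
        actions = set(term.get("then") or {}) | {w for k in term if k.startswith("then ") for w in k.split()[1:]}
        dests = (term.get("from") or {}).get("destination-address") or {}
        if any(ipaddress.ip_network(d.split()[0]).supernet_of(core) for d in dests) and {"log", "discard"} <= actions:
            return True
        if "from" not in term and "accept" in actions:
            return False   # catch-all accept comes first; later terms are unreachable
    return False

def assess(config_text, filter_name="INGRESS_FILTER", core_net="10.0.0.0/8"):
    """Finding status for one configuration: filter correct and applied to every CE unit."""
    cfg = parse_junos(config_text)
    missing = unfiltered_ce_interfaces(cfg, filter_name)
    ok = filter_blocks_core(cfg, filter_name, core_net)
    return {"filter_ok": ok, "unfiltered_ce": missing, "finding": not ok or bool(missing)}
```

Running `assess(SAMPLE_CONFIG)` reports the filter itself as correct but flags ge-0/1/1.0 as a CE-facing unit without the ingress filter, which is a finding under this rule. The term-order test matters in practice: because Junos evaluates filter terms sequentially, a BLOCK_TO_CORE term placed after ALLOW_TRANSIT_TRAFFIC is never reached, and the script treats that as non-compliant even though both terms are present.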

Documentable

False

Check Content Reference

M

Target Key

4032

Comments