Infrastructure Router Security Technical Implementation Guide Juniper
Pick two releases to diff their requirements.
Open a previous version of this STIG.
Digest of Updates −1 ✎ 9
Comparison against the immediately-prior release (V8R20). Rule matching uses the Group Vuln ID. Content-change detection compares the rule’s description, check, and fix text after stripping inline markup — cosmetic-only edits aren’t flagged.
Removed rules 1
- V-30585 Low The administrator must ensure that multicast groups used for source specific multicast (SSM) routing are from the specific multicast address space reserved for this purpose.
Content changes 9
- V-14667 Low description Network devices must be configured with rotating keys used for authenticating IGP peers that have a duration of 180 days or less.
- V-14671 Medium descriptioncheckfix The network element must authenticate all NTP messages received from NTP servers and peers.
- V-17817 Medium description Traffic from the managed network is able to access the OOBM gateway router
- V-28784 Medium checkfix A service or feature that calls home to the vendor must be disabled.
- V-3057 Medium descriptioncheck Authorized accounts must be assigned the least privilege level necessary to perform assigned duties.
- V-3069 Medium descriptioncheck Management connections to a network device must be established using secure protocols with FIPS 140-2 validated cryptographic modules.
- V-3085 Medium descriptioncheck The network element must have HTTP service for administrative access disabled.
- V-3966 Medium descriptioncheck In the event the authentication server is unavailable, the network device must have a single local account of last resort defined.
- V-5611 Medium description The network element must only allow management connections for administrative access from hosts residing in to the management network.
- RMF Control
- Severity
- L
- CCI
- Version
- NET1020
- Vuln IDs
-
- V-3000
- Rule IDs
-
- SV-15475r3_rule
Checks: C-12941r3_chk
Review the network device interface ACLs to verify all deny statements are logged. Either the syslog or log action command will satisfy this requirement. JUNOS Example: [edit firewall] family inet { filter NIPRNet-ingress { term first-accept { from { } then accept; } term last-accept { from { destination-address { 131.77.5.32/32; 131.77.5.61/32; } protocol tcp; destination-port http; } then accept; } term default-action { then { syslog; discard; } } } }
Fix: F-3025r4_fix
Configure interface ACLs to log all deny statements.
- RMF Control
- Severity
- M
- CCI
- Version
- NET1800
- Vuln IDs
-
- V-3008
- Rule IDs
-
- SV-3008r1_rule
Checks: C-3837r1_chk
Have the SA display the configuration settings that enable this feature. Review the network topology diagram, and review VPN concentrators. Determine if tunnel mode is being used by reviewing the configuration. Examples: In CISCO Router(config)# crypto ipsec transform-set transform-set-name transform1 Router(cfg-crypto-tran)# mode tunnel OR in Junos edit security ipsec security-association sa-name] mode tunnel
Fix: F-3033r1_fix
Establish the VPN as a tunneled VPN. Terminate the tunneled VPN outside of the firewall. Ensure all host-to-host VPN are established between trusted known hosts.
- RMF Control
- Severity
- H
- CCI
- Version
- NET0230
- Vuln IDs
-
- V-3012
- Rule IDs
-
- SV-3012r4_rule
Checks: C-3456r6_chk
Review the network devices configuration to determine if administrative access to the device requires some form of authentication--at a minimum a password is required. If passwords aren't used to administrative access to the device, this is a finding.
Fix: F-3037r6_fix
Configure the network devices so it will require a password to gain administrative access to the device.
- RMF Control
- Severity
- M
- CCI
- Version
- NET0340
- Vuln IDs
-
- V-3013
- Rule IDs
-
- SV-3013r4_rule
Checks: C-3474r10_chk
Review the device configuration or request that the administrator logon to the device and observe the terminal. Verify either Option A or Option B (for systems with character limitations) of the Standard Mandatory DoD Notice and Consent Banner is displayed at logon. The required banner verbiage follows and must be displayed verbatim: Option A You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. Option B If the system is incapable of displaying the required banner verbiage due to its size, a smaller banner must be used. The mandatory verbiage follows: "I've read & consent to terms in IS user agreem't." If the device configuration does not have a logon banner as stated above, this is a finding.
Fix: F-3038r8_fix
Configure all management interfaces to the network device to display the DoD-mandated warning banner verbiage at logon regardless of the means of connection or communication. The required banner verbiage that must be displayed verbatim is as follows: Option A You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. Option B If the system is incapable of displaying the required banner verbiage due to its size, a smaller banner must be used. The mandatory verbiage follows: "I've read & consent to terms in IS user agreem't."
- RMF Control
- Severity
- M
- CCI
- Version
- NET1639
- Vuln IDs
-
- V-3014
- Rule IDs
-
- SV-15454r2_rule
Checks: C-12919r3_chk
With the exception of root, all user access privileges to a Juniper router are defined in a class. All users who log in to the router must be in a login class. Hence, user access to the router is via login class. The properties defined in a login class include user access privileges and the idle time permitted for a user login session. As shown in the example below, the idle time is specified with the idle-timeout specifying in minutes as to how long a session can be idle before it times out and the user is logged off. Check the classes that have been defined and examine the idle-timeout parameter. Following is an example: [edit system login] class superuser-local { idle-timeout 10; permissions all; } Note: There is no default idle-timeout; hence, without a timeout specified, a login session remains established until a user logs out of the router, even if that session is idle. Unlike IOS, to close idle sessions automatically, you must configure a time limit for each login class. When ssh is enabled, all users can use it to access the router---including the root account. This presents two problems: 1) The root account now be accessed using in-band management 2) Since the root account does not belong to a login class, there is no way to set the idle timeout. Access to the root account via ssh must be disabled via root-login deny command. Following is an example configuration: [edit system] services { ssh { root-login deny;
Fix: F-3039r5_fix
Configure the network devices to ensure the timeout for unattended administrative access connections is no longer than 10 minutes.
- RMF Control
- Severity
- L
- CCI
- Version
- NET0820
- Vuln IDs
-
- V-3020
- Rule IDs
-
- SV-15331r2_rule
Checks: C-12797r2_chk
Review the active configuration to ensure that DNS servers have been defined similar to the following example: [edit system] name server { 192.168.1.253; 192.168.1.254; } Note: Since JUNOS will not send a DNS query to resolve names to IP addresses if a name server is not defined, this will never be a finding.
Fix: F-3045r2_fix
Configure the device to include DNS servers or disable domain lookup.
- RMF Control
- Severity
- M
- CCI
- Version
- NET0890
- Vuln IDs
-
- V-3021
- Rule IDs
-
- SV-15333r2_rule
Checks: C-12799r3_chk
Review device configuration and verify that it is configured to only allow SNMP access from only addresses belonging to the management network as shown in the following example: snmp { interface ge-0/1/0.0; community xxxxxxxxx { authorization read-only; clients { default restrict; 7.7.7.5/32; } } } Note: if the clients statement is not present, then all clients are allowed.
Fix: F-3046r4_fix
Configure the network devices to only allow SNMP access from only addresses belonging to the management network.
- RMF Control
- Severity
- M
- CCI
- Version
- NET0400
- Vuln IDs
-
- V-3034
- Rule IDs
-
- SV-15291r2_rule
Checks: C-3489r4_chk
Review the device configuration to determine if authentication is configured for all IGP peers. If authentication is not configured for all IGP peers, this is a finding.
Fix: F-3059r3_fix
Configure authentication for all IGP peers.
- RMF Control
- Severity
- M
- CCI
- Version
- NET1675
- Vuln IDs
-
- V-3043
- Rule IDs
-
- SV-3043r4_rule
Checks: C-3825r7_chk
Review the SNMP configuration of all managed nodes to ensure different community names (V1/2) or groups/users (V3) are configured for read-only and read-write access. If unique community strings or accounts are not used for SNMP peers, this is a finding.
Fix: F-3068r4_fix
Configure the SNMP community strings on the network device and change them from the default values. SNMP community strings and user passwords must be unique and not match any other network device passwords. Different community strings (V1/2) or groups (V3) must be configured for various levels of read and write access.
- RMF Control
- Severity
- H
- CCI
- Version
- NET0460
- Vuln IDs
-
- V-3056
- Rule IDs
-
- SV-3056r7_rule
Checks: C-3503r11_chk
Review the network device configuration and validate there are no group accounts configured for access. If a group account is configured on the device, this is a finding.
Fix: F-3081r9_fix
Configure individual user accounts for each authorized person then remove any group accounts.
- RMF Control
- Severity
- M
- CCI
- Version
- NET0465
- Vuln IDs
-
- V-3057
- Rule IDs
-
- SV-15472r4_rule
Checks: C-12938r5_chk
Review the accounts authorized for access to the network device. Determine if the accounts are assigned the lowest privilege level necessary to perform assigned duties. User accounts must be set to a specific privilege level which can be mapped to specific commands or a group of commands. Authorized accounts should have the least privilege level unless deemed necessary for assigned duties. If it is determined that authorized accounts are assigned to greater privileges than necessary, this is a finding. Below is an example configuration with three levels of authorization followed by account templates. [edit system login] class tier1 { idle-timeout 15; permissions [configure interface network routing snmp system trace view firewall ]; } class tier2 { idle-timeout 15; permissions [admin clear configure interface network reset routing routing-control snmp snmp-control system system-control trace trace-control view maintenance firewall firewall-control secret rollback ]; } class tier3 { idle-timeout 15; permissions all; } /* This is our local superuser account with a local password. */ user admin { full-name Administrator; uid 2000; class tier3; authentication { encrypted-password xxxxxxx; } } /* TACACS templates */ user tier1 { uid 2001; class tier1; } user tier2 { uid 2002; class tier2; } user tier3 { uid 2003; class tier3; } Using the example JUNOS configuration above and TACACS configuration below, when a user is using a template account, the CLI username is the login name; however, the privileges, file ownership, and effective user ID are inherited from the template account. The CLI username is sent to the authentication server with the correct password. The server returns the local username (i.e., “tier2”) to the JUNOS software as specified in the authentication server (local-user-name for TACACS+, Juniper-Local-User for RADIUS). user = simon { . . . . service = junos-exec { local-user-name = tier2 allow-commands = "configure" deny-commands = "shutdown" } } 'allow-commands' and 'deny-commands' override permissions of the class of the template that the local-user-name is associated with.
Fix: F-3082r5_fix
Configure authorized accounts with the least privilege rule. Each user will have access to only the privileges they require to perform their assigned duties.
- RMF Control
- Severity
- M
- CCI
- Version
- NET0470
- Vuln IDs
-
- V-3058
- Rule IDs
-
- SV-3058r5_rule
Checks: C-3505r5_chk
Review the organization's responsibilities list and reconcile the list of authorized accounts with those accounts defined for access to the network device. If an unauthorized account is configured for access to the device, this is a finding.
Fix: F-3083r5_fix
Remove any account configured for access to the network device that is not defined in the organization's responsibilities list.
- RMF Control
- Severity
- H
- CCI
- Version
- NET0600
- Vuln IDs
-
- V-3062
- Rule IDs
-
- SV-41451r2_rule
Checks: C-39962r3_chk
For JUNOS, all passwords are always shown as encrypted. Hence, this would never be a finding.
Fix: F-40533r1_fix
For JUNOS, all passwords are always shown as encrypted. Hence, this would never be a finding.
- RMF Control
- Severity
- M
- CCI
- Version
- NET1638
- Vuln IDs
-
- V-3069
- Rule IDs
-
- SV-15452r4_rule
Checks: C-12917r6_chk
Review the network device configuration to verify only secure protocols using FIPS 140-2 validated cryptographic modules are used for any administrative access. Some of the secure protocols used for administrative and management access are listed below. This list is not all inclusive and represents a sample selection of secure protocols. -SSHv2 -SCP -HTTPS -SSL -TLS JUNOS Example: [edit system services] ssh { root-login (allow | deny | deny-password); protocol-version [ v2 ]; macs [hmac-sha1 hmac-sha1-96]; ciphers [aes128-cbc aes192-cbc aes256-cbc]; } [edit interfaces] lo0 { unit 0 { family inet { filter { input protect-routing-engine; } address 192.168.1.2/32; } } } … [edit firewall] family inet { filter protect-routing-engine { term terminal-access { from { source-address { 192.168.1.10; 192.168.1.11; } protocol tcp; port ssh; } then { syslog; accept; } } … term default-action { then { syslog; discard; } } } } If management connections are established using protocols without FIPS 140-2 validated cryptographic modules, this is a finding.
Fix: F-3094r5_fix
Configure the network device to use secure protocols with FIPS 140-2 validated cryptographic modules.
- RMF Control
- Severity
- L
- CCI
- Version
- NET1640
- Vuln IDs
-
- V-3070
- Rule IDs
-
- SV-15456r2_rule
Checks: C-12921r3_chk
Review the router configurations and verify that all ssh connection attempts are logged. The configuration should look similar to the following: [edit interfaces] lo0 { unit 0 { family inet { filter { input protect-routing-engine; } address 192.168.1.2/32; } } } [edit firewall] family inet { filter protect-routing-engine { term terminal-access { from { source-address { 192.168.1.10; 192.168.1.11; } protocol tcp; port [ssh]; } then { syslog; accept; } } term default-action { then { syslog; discard; } } } }
Fix: F-3095r3_fix
Configure the device to log all access attempts to the device to establish a management connection for administrative access.
- RMF Control
- Severity
- L
- CCI
- Version
- NET0730
- Vuln IDs
-
- V-3079
- Rule IDs
-
- SV-15306r2_rule
Checks: C-12702r2_chk
Under the edit system services hierarchy, enter a show command to verify that the finger command is not present.
Fix: F-3104r4_fix
Configure the device to disable the Finger service.
- RMF Control
- Severity
- M
- CCI
- Version
- NET0770
- Vuln IDs
-
- V-3081
- Rule IDs
-
- SV-15317r2_rule
Checks: C-12783r2_chk
Under the edit chassis hierarchy, enter a show command to verify that the no-source-route command is present.
Fix: F-3106r2_fix
Configure the router to disable IP source routing.
- RMF Control
- Severity
- M
- CCI
- Version
- NET0740
- Vuln IDs
-
- V-3085
- Rule IDs
-
- SV-41468r2_rule
Checks: C-39968r2_chk
Under the edit system services hierarchy enter a show command to verify the web-management http command is not present (the web-management https command may be enabled for administrative access). If you are reviewing an entire configuration, verify the web-management http command is not present as shown in the example below: system { services { web-management { http { interface ge-0/0/0.0; } } } } If the HTTP server is enabled, this is a finding.
Fix: F-3110r4_fix
Configure the device to disable using HTTP (port 80) for administrative access.
- RMF Control
- Severity
- H
- CCI
- Version
- NET0240
- Vuln IDs
-
- V-3143
- Rule IDs
-
- SV-3143r4_rule
Checks: C-40236r3_chk
Review the network devices configuration to determine if the vendor default password is active. If any vendor default passwords are used on the device, this is a finding.
Fix: F-35391r3_fix
Remove any vendor default passwords from the network devices configuration.
- RMF Control
- Severity
- M
- CCI
- Version
- NET0700
- Vuln IDs
-
- V-3160
- Rule IDs
-
- SV-15303r2_rule
Checks: C-12698r2_chk
In operational mode, have the router administrator execute the show version brief command to verify the installed JUNOS version. This command will show the base OS as well as the kernel, packet forwarding engine, routing, and crypto. Validate that all software components are at the required level. J, M and T series should be 10.0 or later. E series should be 10.2 or later Verify that all IAVMs have been addressed.
Fix: F-3185r4_fix
Update operating system to a supported version that addresses all related IAVMs.
- RMF Control
- Severity
- H
- CCI
- Version
- NET1636
- Vuln IDs
-
- V-3175
- Rule IDs
-
- SV-28748r3_rule
Checks: C-29085r4_chk
Review the network device configuration to verify all management connections for administrative access require authentication. With the exception of root, all user access privileges to a Juniper router are defined in a class. All users who log in to the router must be in a login class. Hence, user access to the router is via login class. Following is an example: [edit system] authentication-order [ radius password ]; radius-server { 192.168.6.5 { secret "xxxxxxx"; } } login { /* login classes */ class tier1 { idle-timeout 10; permissions all; } class tier2 { idle-timeout 10; permissions [ configure interface network routing snmp system trace view firewall ]; } /* local emgergency account */ user admin { full-name Administrator; uid 2000; class tier1; authentication { encrypted-password "xxxx"; # SECRET-DATA } } /* RADIUS templates */ user tier1 { uid 2001; class tier1; } user tier2 { uid 2002; class tier2; } } Note: When SSH is enabled, all users can use this service to access the router---including the root account. Access to the root account via SSH must be disabled via root-login deny command. Following is an example configuration: [edit system] services { ssh { root-login deny;
Fix: F-3200r3_fix
Configure authentication for all management connections.
- RMF Control
- Severity
- H
- CCI
- Version
- NET1660
- Vuln IDs
-
- V-3196
- Rule IDs
-
- SV-3196r4_rule
Checks: C-3820r6_chk
Review the device configuration to verify it is configured to use SNMPv3 with both SHA authentication and privacy using AES encryption. Downgrades: If the site is using Version 1 or Version 2 with all of the appropriate patches and has developed a migration plan to implement the Version 3 Security Model, this finding can be downgraded to a Category II. If the targeted asset is running SNMPv3 and does not support SHA or AES, but the device is configured to use MD5 authentication and DES or 3DES encryption, then the finding can be downgraded to a Category III. If the site is using Version 1 or Version 2 and has installed all of the appropriate patches or upgrades to mitigate any known security vulnerabilities, this finding can be downgraded to a Category II. In addition, if the device does not support SNMPv3, this finding can be downgraded to a Category III provided all of the appropriate patches to mitigate any known security vulnerabilities have been applied and has developed a migration plan that includes the device upgrade to support Version 3 and the implementation of the Version 3 Security Model. If the device is configured to use to anything other than SNMPv3 with at least SHA-1 and AES, this is a finding. Downgrades can be determined based on the criteria above.
Fix: F-3221r5_fix
If SNMP is enabled, configure the network device to use SNMP Version 3 Security Model with FIPS 140-2 validated cryptography (i.e., SHA authentication and AES encryption).
- RMF Control
- Severity
- H
- CCI
- Version
- NET1665
- Vuln IDs
-
- V-3210
- Rule IDs
-
- SV-3210r4_rule
Checks: C-3822r7_chk
Review the network devices configuration and verify if either of the SNMP community strings "public" or "private" is being used. If default or well-known community strings are used for SNMP, this is a finding.
Fix: F-3235r4_fix
Configure unique SNMP community strings replacing the default community strings.
- RMF Control
- Severity
- M
- CCI
- Version
- NET0440
- Vuln IDs
-
- V-3966
- Rule IDs
-
- SV-30085r5_rule
Checks: C-12936r5_chk
Review the network device configuration to determine if an authentication server is defined for gaining administrative access. If so, there must be only one local account of last resort configured locally for an emergency. Example: [edit system] class tier3 { idle-timeout 15; permissions all; } user admin { full-name Administrator; uid 2000; class tier3; authentication { encrypted-password xxxxxxxxxxx; } } Verify the username and password for the local account of last resort is contained within a sealed envelope kept in a safe. If an authentication server is used and more than one local account exists, this is a finding.
Fix: F-3899r9_fix
Configure the device to only allow one local account of last resort for emergency access and store the credentials in a secure manner.
- RMF Control
- Severity
- M
- CCI
- Version
- NET1624
- Vuln IDs
-
- V-3967
- Rule IDs
-
- SV-15445r2_rule
Checks: C-12910r2_chk
With the exception of root, all user access privileges to a Juniper router are defined in a class. All users who log in to the router must be in a login class. Hence, user access to the router is via login class. The properties defined in a login class include user access privileges and the idle time permitted for a user login session. As shown in the example below, the idle time is specified with the idle-timeout specifying in minutes as to how long a session can be idle before it times out and the user is logged off. Check the classes that have been defined and examine the idle-timeout parameter. Following is an example: [edit system login] class superuser-local { idle-timeout 10; permissions all; } Notes: 1. There is no default idle-timeout. Without a timeout specified, a login session remains established until a user logs out of the router, even if that session is idle. Unlike IOS, to close idle sessions automatically, you must configure a time limit for each login class. 2. Since the root account does not belong to a class and you can access root via console, disable the ability to login using the root account by making the console insecure as follows: [edit system] console { insecure; }
Fix: F-3900r4_fix
Configure the timeout for idle console connection to 10 minutes or less.
- RMF Control
- Severity
- M
- CCI
- Version
- NET0894
- Vuln IDs
-
- V-3969
- Rule IDs
-
- SV-30087r3_rule
Checks: C-12801r6_chk
Review the network device configuration and verify SNMP community strings are read-only when using SNMPv1, v2c, or basic v3 (no authentication or privacy). Write access may be used if authentication is configured when using SNMPv3. If write-access is used for SNMP versions 1, 2c, or 3-noAuthNoPriv mode and there is no documented approval by the IAO, this is a finding. The SNMP V1 configuration should look similar to the following: snmp { interface ge-0/1/0.0; community xxxxxxxxx { authorization read-only; clients { default restrict; 7.7.7.5/30; } } SNMPv3 access sets the SNMP access levels by context, group, and user. The context-name statement determines what management information is accessible by an SNMP entity. An SNMP entity can have access to many access contexts and therefore requires a name to identify each context. You must also associate a context with a specific access group and configure read and write views associated with each group. Specify the group-name variable to identify a collection of SNMP users that share the same access policy, in which object identifiers (OIDs) are read-accessible or write-accessible. Each group is the collection of users associated with the security model. You can only specify the model usm. The example below as a “router context” which is accessed by two groups: NOC and engineers. NOC is only allowed read access while engineers have read and write access. John and Sue are users that belong to the engineers group and have authentication configured. snmp { view all { oid .1.3.6.1 include; } engine-id { local "isp-routers-0001"; } access { user john { authentication-type md5; authentication-password "john-auth-password"; privacy-type des; privacy-password "john-privacy-password"; } user sue { authentication-type md5; authentication-password "sue-auth-password"; privacy-type des; privacy-password "sue-privacy-password"; } user hpov { authentication-type md5; authentication-password "hpov-auth-password"; privacy-type des; privacy-password "hpov-privacy-password"; } group engineers { model usm; user [john sue]; } group noc { model usm; user hpov; } context router { description “a router context”; group noc { model usm; security-level privacy; read-view all; } group engineers { model usm; security-level privacy; read-view all; write-view all; } } }
Fix: F-3902r7_fix
Configure the network device to allow for read-only SNMP access when using SNMPv1, v2c, or basic v3 (no authentication or privacy). Write access may be used if authentication is configured when using SNMPv3.
- RMF Control
- Severity
- H
- CCI
- Version
- NET1623
- Vuln IDs
-
- V-4582
- Rule IDs
-
- SV-28747r3_rule
Checks: C-29084r3_chk
Review the network device's configuration and verify authentication is required for console access. With the exception of root, all user access privileges to a Juniper router are defined in a class. All users who log in to the router must be in a login class. Hence, user access to the router is via login class as shown in the following example: [edit system] authentication-order [ radius password ]; radius-server { 192.168.6.5 { secret "xxxxxxx"; } } login { /* login classes */ class tier1 { idle-timeout 10; permissions all; } class tier2 { idle-timeout 10; permissions [ configure interface network routing snmp system trace view firewall ]; } /* local emgergency account */ user admin { full-name Administrator; uid 2000; class tier1; authentication { encrypted-password "xxxx"; # SECRET-DATA } } /* RADIUS templates */ user tier1 { uid 2001; class tier1; } user tier2 { uid 2002; class tier2; } } Note: Since the root account does not belong to a class and you can access root via console, disable the ability to login at the console using the root account by making the console insecure as follows: [edit system] console { insecure; }
Fix: F-4515r4_fix
Configure authentication for console access on the network device.
- RMF Control
- Severity
- L
- CCI
- Version
- NET0580
- Vuln IDs
-
- V-4583
- Rule IDs
-
- SV-4583r1_rule
Checks: C-3506r1_chk
IOS Procedure: N/A A Cisco router does not have a diagnostics port. JUNOS Procedure: Review the router configuration to ensure a password is required when gaining access to the diagnostics port similar to the following: [edit system] diag-port-authentication { encrypted-password "xxxxxxxxxxxxx"; # SECRET-DATA }
Fix: F-4516r1_fix
The router administrator will ensure that a password is required to access the routers diagnostic port.
- RMF Control
- Severity
- L
- CCI
- Version
- NET1021
- Vuln IDs
-
- V-4584
- Rule IDs
-
- SV-15477r2_rule
Checks: C-12943r2_chk
Review the network element’s configuration to ensure that all messages up to and including severity level 6 (informational) are logged and sent to a syslog server as shown in the following example: [edit system syslog] syslog { host 192.168.1.22 { any info; facility-override local7; } } The table below lists the severity levels and message types for all log data. Severity Level Message Type 0 Emergencies 1 Alerts 2 Critical 3 Errors 4 Warning 5 Notifications 6 Informational 7 Debugging
Fix: F-4517r6_fix
Configure the network device to log all messages except debugging and send all log data to a syslog server.
- RMF Control
- Severity
- M
- CCI
- Version
- NET1637
- Vuln IDs
-
- V-5611
- Rule IDs
-
- SV-15450r3_rule
Checks: C-12915r3_chk
Review the router configuration and verify that only authorized internal connections are allowed access to the routing engine via ssh. Access to the Juniper routing engine is via loopback interface. The configuration should look similar to the following: [edit interfaces] lo0 { unit 0 { family inet { filter { input protect-routing-engine; } address 192.168.1.2/32; } } } [edit firewall] family inet { filter protect-routing-engine { term terminal-access { from { source-address { 192.168.1.10; 192.168.1.11; } protocol tcp; port ssh; } then { syslog; accept; } } term default-action { then { log; discard; } } } }
Fix: F-5522r4_fix
Configure an ACL or filter to restrict management access to the device from only the management network.
- RMF Control
- Severity
- M
- CCI
- Version
- NET1645
- Vuln IDs
-
- V-5612
- Rule IDs
-
- SV-28744r2_rule
Checks: C-29028r3_chk
Review the configuration and verify the timeout is set for 60 seconds or less. The SSH service terminates the connection if protocol negotiation (that includes user authentication) is not complete within this timeout period. system { login { retry-options { tries-before-disconnect 3; maximum-time 60; }
Fix: F-5523r5_fix
Configure the network devices so it will require a secure shell timeout of 60 seconds or less.
- RMF Control
- Severity
- M
- CCI
- Version
- NET1646
- Vuln IDs
-
- V-5613
- Rule IDs
-
- SV-28745r2_rule
Checks: C-29030r3_chk
Review the configuration and verify the number of unsuccessful SSH login attempts is set at 3. system { login { retry-options { tries-before-disconnect 3; maximum-time 60; }
Fix: F-5524r9_fix
Configure the network device to require a maximum number of unsuccessful SSH logon attempts at 3.
- RMF Control
- Severity
- M
- CCI
- Version
- NET0965
- Vuln IDs
-
- V-5646
- Rule IDs
-
- SV-15437r4_rule
Checks: C-12902r7_chk
Review the device configuration to validate threshold filters or timeout periods are set for dropping excessive half-open TCP connections. For timeout periods, the time should be set to 10 seconds or less. If the device can not be configured for 10 seconds or less, it should be set to the least amount of time allowable in the configuration. Threshold filters will need to be determined by the organization for optimal filtering. JUNOS Configuration Example: firewall { policer TCP-SYN-Policer { if-exceeding { bandwidth-limit 500k; burst-size-limit 15k; } then discard; } family inet { filter DOS-Protect { . . . /* Term tcp-syn-fin-limit: Rate limit TCP packets with SYN/FIN/RST flags. */ term tcp-syn-fin-limit { from { protocol tcp; port [bgp ldp snmp snmptrap telnet ftp ftp-data ssh]; tcp-flags “syn | fin | rst”; } then policer TCP-SYN-Policer; } . . }
Fix: F-5557r6_fix
Configure the device to drop half-open TCP connections through threshold filtering or timeout periods.
- RMF Control
- Severity
- L
- CCI
- Version
- NET1629
- Vuln IDs
-
- V-7011
- Rule IDs
-
- SV-15447r2_rule
Checks: C-12912r2_chk
Review the configuration and verify that the auxiliary port is disabled unless a secured modem providing encryption and authentication is connected to it.If the following configuration statements are found than a secure modem should be in place. [edit system] ports { auxiliary { type vt100; } }
Fix: F-6614r3_fix
Disable the auxiliary port. If used for out-of-band administrative access, the port must be connected to a secured modem providing encryption and authentication.
- RMF Control
- Severity
- L
- CCI
- Version
- NET0422
- Vuln IDs
-
- V-14667
- Rule IDs
-
- SV-15301r4_rule
Checks: C-12696r5_chk
Review device configuration for key expirations of 180 days or less. If rotating keys are not configured to expire at 180 days or less, this is a finding.
Fix: F-14125r4_fix
Configure the device so rotating keys expire at 180 days or less.
- RMF Control
- Severity
- M
- CCI
- Version
- NET0742
- Vuln IDs
-
- V-14668
- Rule IDs
-
- SV-15312r1_rule
Checks: C-12776r3_chk
Review the device configuration to determine if the device has been setup to be an FTP server. If the device has been configured to be an FTP server, this is a finding.
Fix: F-14129r2_fix
Disable FTP server services on the device.
- RMF Control
- Severity
- M
- CCI
- Version
- NET0744
- Vuln IDs
-
- V-14669
- Rule IDs
-
- SV-15315r2_rule
Checks: C-12781r2_chk
Under the edit system services hierarchy, enter a show command to verify that the rlogin command is not present.
Fix: F-14130r4_fix
Configure the device to disable BSDr command services.
- RMF Control
- Severity
- M
- CCI
- Version
- NET0802
- Vuln IDs
-
- V-14670
- Rule IDs
-
- SV-15322r1_rule
Checks: C-12786r1_chk
Review the active configuration to determine if controls have been defined to ensure router has ICMPv6 unreachables or redirects disabled any external interfaces.
Fix: F-14131r1_fix
The network element configuration must be changed to ensure ICMPv6 unreachables and redirects are disabled at all external interfaces.
- RMF Control
- Severity
- M
- CCI
- Version
- NET0813
- Vuln IDs
-
- V-14671
- Rule IDs
-
- SV-41501r3_rule
Checks: C-13750r4_chk
Review the network element configuration and verify that it is authenticating NTP messages received from the NTP server or peer using a FIPS-approved message authentication code algorithm. FIPS-approved algorithms for authentication are the cipher-based message authentication code (CMAC) and the keyed-hash message authentication code (HMAC). AES and 3DES are NIST-approved CMAC algorithms. The following are NIST-approved HMAC algorithms: SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256. Downgrade: If the network device is not capable of authenticating the NTP server or peer using a FIPS-approved message authentication code algorithm, then MD5 can be utilized for NTP message authentication and the finding can be downgraded to a CAT III. If the network element is not configured to authenticate received NTP messages using a FIPS-approved message authentication code algorithm, this is a finding. A downgrade can be determined based on the criteria above.
Fix: F-14132r4_fix
Configure the device to authenticate all received NTP messages using a FIPS-approved message authentication code algorithm.
- RMF Control
- Severity
- L
- CCI
- Version
- NET0897
- Vuln IDs
-
- V-14672
- Rule IDs
-
- SV-16092r2_rule
Checks: C-13849r3_chk
Review the configuration and verify the loopback interface address is used as the source address when originating TACACS+ or RADIUS traffic. If the device is managed from an OOB management network, the OOB interface must be used instead. Step 1: Verify that a loopback address has been configured with an IP address. The configuration should look similar to the following: interfaces { lo0 { unit 0 { family inet { address 10.10.2.1/32; } } } Note: Only one loopback interface can be configured on JUNOS routers; however, multiple addresses can be defined. Step 2: Verify that TACACS+ and RADIUS are configured to use the loopback address by comparing the source address defined for tacplus-server and radius-server with the address configured for the loopback interface. You should find a configuration similar to the examples below: TACACS+ system { tacplus-server { 10.10.2.11; source-address 10.10.2.1; } } RADIUS system { radius-server { 10.10.2.21; source-address 10.10.2.1; } } Note: If source-address is not specified, then the default-address-selection under system hierarchy must be configured. Configuring system default-address-selection will enable the router to use the loopback interface as the source address for most locally generated IP packets. This configuration would appear as follows: system { default-address-selection; … } }
Fix: F-14134r5_fix
Configure the device to use its loopback or OOB management interface address as the source address when originating authentication services traffic.
- RMF Control
- Severity
- L
- CCI
- Version
- NET0898
- Vuln IDs
-
- V-14673
- Rule IDs
-
- SV-15341r2_rule
Checks: C-12807r2_chk
Review the configuration and verify the loopback interface address is used as the source address when originating syslog traffic. If the device is managed from an OOB management network, the OOB interface must be used instead Step 1: Verify that a loopback address has been configured with an IP address. The configuration should look similar to the following. interfaces { lo0 { unit 0 { family inet { address 10.10.2.1/32; } } } Note: Only one loopback interface can be configured on Juniper routers; however, multiple addresses can be defined. Step 2: Verify that syslog is configured to use the loopback address by comparing the source address defined for syslog with the address configured for the loopback interface. You should find a configuration similar to the examples below: system { syslog { host 192.168.1.100 { any info; } source-address 192.168.1.1; } } Note: If source-address is not specified, then the default-address-selection under system hierarchy must be configured. Configuring system default-address-selection will enable the router to use the loopback interface as the source address for most locally generated IP packets. This configuration would appear as follows: system { default-address-selection; … } }
Fix: F-14135r4_fix
Configure the device to use its loopback or OOB management interface address as the source address when originating syslog traffic.
- RMF Control
- Severity
- L
- CCI
- Version
- NET0899
- Vuln IDs
-
- V-14674
- Rule IDs
-
- SV-15344r2_rule
Checks: C-12810r2_chk
Review the configuration and verify the loopback interface address is used as the source address when originating NTP traffic. If the device is managed from an OOB management network, the OOB interface must be used instead Step 1: Verify that a loopback address has been configured with an IP address. The configuration should look similar to the following. interfaces { lo0 { unit 0 { family inet { address 10.10.2.1/32; } } } Note: Only one loopback interface can be configured on Juniper routers; however, multiple addresses can be defined. Step 2: Verify that NTP is configured to use the loopback address by comparing the source address defined for NTP with the address configured for the loopback interface. You should find a configuration similar to the examples below: system { ntp { server 10.10.2.21; source-address 10.10.2.1; } } Note: If source-address is not specified, then the default-address-selection under system hierarchy must be configured. Configuring system default-address-selection will enable the router to use the loopback interface as the source address for most locally generated IP packets. This configuration would appear as follows: system { default-address-selection; … } }
Fix: F-14136r4_fix
Configure the device to use its loopback or OOB management interface address as the source address when originating NTP traffic.
- RMF Control
- Severity
- L
- CCI
- Version
- NET0900
- Vuln IDs
-
- V-14675
- Rule IDs
-
- SV-15347r2_rule
Checks: C-12813r3_chk
Review the configuration and verify the loopback interface address is used as the source address when originating SNMP traffic. If the device is managed from an OOB management network, the OOB interface must be used instead Step 1: Verify that a loopback address has been configured with an IP address. The configuration should look similar to the following. interfaces { lo0 { unit 0 { family inet { address 10.10.2.1/32; } } } Note: Only one loopback interface can be configured on Juniper routers; however, multiple addresses can be defined. Step 2: Verify that SNMP is configured to use the loopback address by comparing the source address defined for SNMP with the address configured for the loopback interface. You should find a configuration similar to the examples below: snmp { clients { default restrict; 10.10.2.111/32; } trap-options { source-address 10.10.2.1; } } Note: If source-address is not specified, then the default-address-selection under system hierarchy must be configured. Configuring system default-address-selection will enable the router to use the loopback interface as the source address for most locally generated IP packets. This configuration would appear as follows: system { default-address-selection; … } }
Fix: F-14137r4_fix
Configure the device to use its loopback or OOB management interface address as the source address when originating SNMP traffic.
- RMF Control
- Severity
- L
- CCI
- Version
- NET0901
- Vuln IDs
-
- V-14676
- Rule IDs
-
- SV-15350r2_rule
Checks: C-12816r2_chk
Review the configuration and verify the loopback interface address is used as the source address when originating Netflow traffic. If the device is managed from an OOB management network, the OOB interface must be used instead Step 1: Verify that a loopback address has been configured with an IP address. The configuration should look similar to the following. interfaces { lo0 { unit 0 { family inet { address 10.10.2.1/32; } } } Note: Only one loopback interface can be configured on Juniper routers; however, multiple addresses can be defined. Step 2: Juniper has adopted the Cisco PDU format for flow export; However, Juniper does not call it NetFlow but "cflowd" and uses the flow export concept as a means to export packet-sampling data. Juniper has a filtering mechanism which allows you to sample packets and log them to the local file system or they can be exported using the "cflowd" forwarding options. You should find a configuration similar to the example below depicting the source address for cflowd: forwarding-options { sampling { input { family inet { rate 100; run-length 4; max-packets-per-second 5000; } } output { cflowd 10.10.2.22 { port 9991; source-address 10.10.2.1; } } } Note: If source-address is not specified, then the default-address-selection under system hierarchy must be configured. Configuring system default-address-selection will enable the router to use the loopback interface as the source address for most locally generated IP packets. This configuration would appear as follows: system { default-address-selection; … } }
Fix: F-14138r2_fix
Configure the router to use its loopback or OOB management interface address as the source address when originating NetFlow traffic.
- RMF Control
- Severity
- L
- CCI
- Version
- NET0902
- Vuln IDs
-
- V-14677
- Rule IDs
-
- SV-15353r3_rule
Checks: C-12820r4_chk
Review the configuration and verify a loopback interface address is used as the source address when originating TFTP or FTP traffic. Step 1: Verify that a loopback address has been configured with an IP address. The configuration should look similar to the following: interfaces { lo0 { unit 0 { family inet { address x.x.x.x/32; } } } Step 2: There is no method to override the source address default for TFTP and FTP. Hence, the router must be configured to use the loopback as the default source address for all locally generated traffic. This is accomplished by configuring the default-address-selection statement as shown in the following example: system { default-address-selection; … } } If the device is managed from an OOB management network, the OOB interface must be used instead. Note: Only one loopback interface can be configured on Juniper routers; however, multiple addresses can be defined.
Fix: F-40481r1_fix
Configure the network device to use a loopback or OOB management interface address as the source address when originating TFTP or FTP traffic.
- RMF Control
- Severity
- L
- CCI
- Version
- NET0903
- Vuln IDs
-
- V-14681
- Rule IDs
-
- SV-15360r2_rule
Checks: C-12827r2_chk
Review the configuration and verify the loopback interface address is used as the source address for all iBGP peering. Step 1: Verify that a loopback address has been configured with an IP address. The configuration should look similar to the following: interfaces { lo0 { unit 0 { family inet { address 10.10.2.1/32; } } } Note: Only one loopback interface can be configured on Juniper routers; however, multiple addresses can be defined. Step 2: The vulnerability does not require eBGP peering to use the loopback address. Hence, the BGP router only requires that the loopback address is used to peer with its iBGP neighbors. You should find a configuration similar to the example below: protocols { bgp { group iBGP_111 { type internal; local-address 10.10.2.1; export next-hop-self; peer-as 111; neighbor 10.10.2.2; } } }
Fix: F-14148r3_fix
Configure the network device's loopback address as the source address for iBGP peering.
- RMF Control
- Severity
- M
- CCI
- Version
- NET-IPV6-025
- Vuln IDs
-
- V-14693
- Rule IDs
-
- SV-15397r2_rule
Checks: C-12864r2_chk
Review the device configuration to ensure FEC0::/10 IP addresses are not defined. If FEC0::/10 IP addresses are defined, this is a finding.
Fix: F-14158r1_fix
Configure the device using authorized IP addresses.
- RMF Control
- Severity
- M
- CCI
- Version
- NET-IPV6-034
- Vuln IDs
-
- V-14707
- Rule IDs
-
- SV-15430r1_rule
Checks: C-12894r1_chk
Unicast Strict mode: Review the router configuration to ensure uRPF has been configured on all internal interfaces.
Fix: F-14172r1_fix
The network element must be configured to ensure that an ACL is configured to restrict the router from accepting any outbound IP packet that contains an external IP address in the source field.
- RMF Control
- Severity
- M
- CCI
- Version
- NET1647
- Vuln IDs
-
- V-14717
- Rule IDs
-
- SV-15461r2_rule
Checks: C-12926r2_chk
If SSH is used for administrative access, then Version 2 must be configured as shown in the following example: system { services { ssh { protocol-version v2; } } }
Fix: F-14184r5_fix
Configure the network device to use SSH version 2.
- RMF Control
- Severity
- M
- CCI
- Version
- NET-TUNL-017
- Vuln IDs
-
- V-15288
- Rule IDs
-
- SV-16067r2_rule
Checks: C-13686r5_chk
Verify ISATAP tunnels are terminated on the infrastructure routers or L3 switches within the enclave.
Fix: F-14730r6_fix
Terminate ISATAP tunnels at the infrastructure router to prohibit tunneled traffic from exiting the enclave perimeter prior to inspection by the IDS, IPS, or firewall.
- RMF Control
- Severity
- M
- CCI
- Version
- NET0433
- Vuln IDs
-
- V-15432
- Rule IDs
-
- SV-16259r4_rule
Checks: C-14439r6_chk
Verify an authentication server is required to access the device and that there are two or more authentication servers defined. If the device is not configured for two separate authentication servers, this is a finding.
Fix: F-15096r3_fix
Configure the device to use two separate authentication servers.
- RMF Control
- Severity
- H
- CCI
- Version
- NET0441
- Vuln IDs
-
- V-15434
- Rule IDs
-
- SV-16261r5_rule
Checks: C-14441r6_chk
Review the emergency administration account configured on the network devices and verify that it has been assigned to a privilege level that will enable the administrator to perform necessary administrative functions when the authentication server is not online. If the emergency administration account is configured for more access than needed to troubleshoot issues, this is a finding.
Fix: F-15098r7_fix
Assign a privilege level to the emergency administration account to allow the administrator to perform necessary administrative functions when the authentication server is not online.
- RMF Control
- Severity
- M
- CCI
- Version
- NET1807
- Vuln IDs
-
- V-17754
- Rule IDs
-
- SV-18945r2_rule
Checks: C-19015r3_chk
Review the device configuration to determine if IPSec tunnels used in transiting management traffic are filtered to only accept authorized traffic based on source and destination IP addresses of the management network. If filters are not restricting only authorized management traffic into the IPSec tunnel, this is a finding.
Fix: F-17652r2_fix
Configure filters based on source and destination IP address to restrict only authorized management traffic into IPSec tunnels used for transiting management data.
- RMF Control
- Severity
- M
- CCI
- Version
- NET1808
- Vuln IDs
-
- V-17814
- Rule IDs
-
- SV-19063r1_rule
Checks: C-19020r1_chk
Verify the configuration at the remote VPN end-point is a mirror configuration as that reviewed for the local end-point.
Fix: F-17724r1_fix
Configure he crypto access-list used to identify the traffic to be protected so that it is a mirror (both IP source and destination address) of the crypto access list configured at the remote VPN peer.
- RMF Control
- Severity
- M
- CCI
- Version
- NET0985
- Vuln IDs
-
- V-17815
- Rule IDs
-
- SV-19298r1_rule
Checks: C-20143r1_chk
Verify that the OOBM interface is an adjacency only in the IGP routing domain for the management network. The following would be an example where RIP is run on the management network 10.0.0.0 and OSPF in the managed network 172.20.0.0. The network 10.1.20.0/24 is the OOBM backbone and 10.1.1.0 is the local management LAN connecting to the OOBM interfaces of the managed network (i.e., the private and service network) elements. interfaces { fe-0/0/0 { description “link to our Private Net” unit 0 { family inet { address 172.20.4.2/24; } } } fe-0/0/1 { description “link to our Service Net” unit 0 { family inet { address 172.20.5.2/24; } } } fe-0/0/2 { description “Enclave Management LAN” unit 0 { family inet { address 10.1.1.1/24; } } } t3-3/0/3 { description “link to OOBM Backbone” unit 0 { family inet { address 10.1.20.3/24; } } } } protocols { ospf { area 0.0.0.0 { interface fe-0/0/0.0; interface fe-0/0/1.0; interface lo0.0; } } rip { group rip-neighbor { neighbor t3-3/0/3.0; export rip-advertisements; } } } policy-options { policy-statement rip-advertisements { from protocol rip; then accept; } } policy-statement direct-management-LAN { from { protocol direct; interface [ lo0.0 t3-3/0/3.0 fe-0/0/2 ]; } then accept; } } Note: When you enable RIP, the default JUNOS behavior is to accept all learned RIP routes but export no routes to RIP neighbors. To have RIP send routing information to its neighbors, you need to configure a routing policy that has RIP export routes to its neighbors. In the example above, the OOBM gateway router will only have a RIP neighbor adjacency with its upstream OOB backbone router. However, it will advertise to the RIP domain the local management address prefix and the loopback address which also belongs to the management network.
Fix: F-17730r1_fix
Ensure that multiple IGP instances configured on the OOBM gateway router peer only with their appropriate routing domain. Verify that the all interfaces are configured for the appropriate IGP instance.
- RMF Control
- Severity
- M
- CCI
- Version
- NET0986
- Vuln IDs
-
- V-17816
- Rule IDs
-
- SV-19300r1_rule
Checks: C-20201r1_chk
Verify that the IGP instance used for the managed network does not redistribute routes into the IGP instance used for the management network and vice versa. There is no equivalent redistribute command in JUNOS. All redistribution of routes between protocols is done through the creation of a routing policy through the use of import and export statements. Verify that there are no export and policy-statement commands configured that would distribute routes from the IGP routing domain for the management network into the IGP routing domain of the managed network, or vice-versa. The following example illustrates how RIP routes would be redistributing into OSPF. policy-options { policy-statement rip-to-ospf { from protocol rip; then accept; } } } protocols { ospf { export rip-to-ospf; area 0.0.0.0 { interface fe-0/0/0.0; interface fe-0/0/1.0; } } As an alternative, static routes can be used to forward management traffic to the OOBM interface; however, this method may not scale well. If static routes are used to forward management traffic to the OOB backbone network, verify that the OOBM interface is not an IGP adjacency and that the correct destination prefix has been configured to forward the management traffic to the correct next-hop and interface for the static route. In the following configuration examples, 10.1.1.0/24 is the management network and 10.1.20.4 is the interface address of the OOB backbone router that the OOB gateway router connects to. The network 10.1.20.0/24 is the OOBM backbone. interfaces { fe-0/0/0 { description “link to our Private Net” unit 0 { family inet { address 172.20.4.2/24; } } } fe-0/0/1 { description “link to our Service Net” unit 0 { family inet { address 172.20.5.2/24; } } } t3-3/0/3 { description “link to OOBM Backbone” unit 0 { family inet { address 10.1.20.3/24; } } } protocols { ospf { area 0.0.0.0 { interface fe-0/0/0.0; interface fe-0/0/1.0; interface lo0.0; } } routing-options { static { route 10.1.1.0/24 { next-hop 10.1.20.4; } } }
Fix: F-17731r1_fix
Ensure that the IGP instance used for the managed network does not redistribute routes into the IGP instance used for the management network and vice versa.
- RMF Control
- Severity
- M
- CCI
- Version
- NET0987
- Vuln IDs
-
- V-17817
- Rule IDs
-
- SV-19302r2_rule
Checks: C-20203r1_chk
Review the ACL or filters for the router’s receive path and verify that only traffic sourced from the management network is allowed to access the router. This would include both management and control plane traffic. Step 1: Verify that an inbound filter has been applied to loopback interface. This filter is used to restrict all traffic to the router engine. The interface configuration should look similar to the following: interfaces { lo0 { unit 0 { family inet { no-redirects; filter { input router-protect-filter; } address 10.1.3.41/32; } } } } Note: the address block used for loopback addresses should be independent of the address space used for the management backbone, the NOC, or the local management subnet. Loopback address should be configured with /32 prefixes to enable proper route advertisements and optimum path reachability for both control plane and management plane traffic within the global management network. Step 2: Determine the address block of the management network at the NOC. In the example configuration below, the 10.2.2.0/24 is the management network at the NOC. Step 3: Verify that the ACL referenced by the ip receive acl statement restricts all management plane traffic to the validated network management address block at the NOC. Management traffic can include telnet, SSH, SNMP, TACACS, RADIUS, TFTP, TFTP, FTP, and ICMP. Control plane traffic from OOBM backbone neighbors should also be allowed to access the router. The filter configuration should look similar to the following: firewall { filter router-protect-filter { term ospf-neighbors { from { source-address { 10.2.2.0/24; } protocol ospf; } then { syslog; accept; } } term ssh-access { from { source-address { 10.2.2.0/24; } protocol tcp; destination-port ssh; } then { syslog; accept; } } term snmp-access { from { source-address { 10.2.2.24/32; 10.2.2.25/32; } protocol udp; destination-port snmp; } then { syslog; accept; } } term tacacs-access { from { source-address { 10.2.2.30/32; } protocol tcp; port tacacs-ds; } then { syslog; accept; } } term ftp-access { from { source-address { 10.2.2.77/32; } protocol tcp; port [ftp ftp-data]; } then { syslog; accept; } } term allow-ICMP { from { source-address { 10.2.2.0/24; } protocol icmp; } then accept; } term default-action { then { syslog; discard; } } } }
Fix: F-17732r1_fix
Ensure that traffic from the managed network is not able to access the OOBM gateway router using either receive path or interface ingress ACLs.
- RMF Control
- Severity
- M
- CCI
- Version
- NET0988
- Vuln IDs
-
- V-17818
- Rule IDs
-
- SV-19304r1_rule
Checks: C-20205r1_chk
Examine the egress filter on the OOBM interface of the gateway router to verify that only traffic sourced from the management address space is allowed to transit the OOBM backbone. In the example configurations below, the 10.1.1.0/24 is the management network address space at the enclave or managed network and 10.2.2.0/24 is the management network address space at the NOC. interfaces { fe-0/0/0 { description “link to our Private Net” unit 0 { family inet { address 172.20.4.2/24; } } } fe-0/0/1 { description “link to our Service Net” unit 0 { family inet { address 172.20.5.2/24; } } } t3-3/0/3 { description “link to OOBM Backbone” unit 0 { family inet { filter { output OOBM-egress-filter; } address 10.1.20.3/24; } } } } firewall { filter OOBM-egress-filter { term allow-mgmt { from { source-address { 10.1.1.0/24; } destination-address { 10.2.2.0/24; } } then { accept; } } … … … term default-action { then { syslog; discard; } } } }
Fix: F-17733r1_fix
Configure the OOBM gateway router interface ACLs to ensure traffic from the managed network does not leak into the management network.
- RMF Control
- Severity
- M
- CCI
- Version
- NET0989
- Vuln IDs
-
- V-17819
- Rule IDs
-
- SV-19306r1_rule
Checks: C-20207r1_chk
Examine the ingress filter on the OOBM interface of the gateway router to verify that traffic is only destined to the local management address space. In the example configurations below, the 10.1.1.0/24 is the local management network address space at the enclave or managed network and 10.2.2.0/24 is the management network address space at the NOC. interfaces { fe-0/0/0 { description “link to our Private Net” unit 0 { family inet { address 172.20.4.2/24; } } } fe-0/0/1 { description “link to our Service Net” unit 0 { family inet { address 172.20.5.2/24; } } } fe-0/0/2 { description “link to our Management LAN” unit 0 { family inet { address 10.1.1.2/24; } } } t3-3/0/3 { description “link to OOBM Backbone” unit 0 { family inet { filter { input OOBM-ingress-filter; output OOBM-egress-filter; } address 10.1.20.3/24; } } } firewall { filter OOBM-ingress-filter { term allow-mgmt { from { source-address { 10.2.2.0/24; } destination-address { 10.1.1.0/24; } } then { accept; } } … … term default-action { then { syslog; discard; } } } }
Fix: F-17734r2_fix
Configure access control lists or filters to block any traffic from the management network destined for the managed network's production address spaces.
- RMF Control
- Severity
- M
- CCI
- Version
- NET0991
- Vuln IDs
-
- V-17821
- Rule IDs
-
- SV-20206r2_rule
Checks: C-22336r2_chk
After determining which interface is connected to the OOBM access switch, review the managed device configuration and verify that the interface has been assigned an address from the local management address block. In this example, that is 10.1.1.0/24. interfaces { fxp0 { description “link to OOBM access switch” unit 0 { family inet { address 10.1.1.22/24; } } }
Fix: F-17736r2_fix
Configure the OOB management interface with an IP address from the address space belonging to the OOBM network.
- RMF Control
- Severity
- M
- CCI
- Version
- NET0992
- Vuln IDs
-
- V-17822
- Rule IDs
-
- SV-20209r1_rule
Checks: C-20311r2_chk
Step 1: Verify that the managed interface has an inbound and outbound filter configured as shown in the following example: interfaces { fe-0/0/2 { description “link to our Management LAN” unit 0 { family inet { filter { input OOBM-ingress-filter; output OOBM-egress-filter; } address 10.1.1.22/24; } } } Step 2: Verify that the ingress filter blocks all transit traffic—that is, any traffic not destined to the router itself. In addition, traffic accessing the managed elements should be originated at the NOC. In the example the management network at the NOC is 10.2.2.0/24. firewall { filter OOBM-ingress-filter { term allow-mgmt { from { source-address { 10.2.2.0/24; } destination-address { 10.1.1.22/32; } } then { accept; } } … … … term default-action { then { syslog; discard; } } } } Step 3: Verify that the egress filter blocks any traffic exiting the management interface that was not originated by the managed elements . Verify that the destination address is the NOC address space. firewall { filter OOBM-egress-filter { term allow-mgmt { from { source-address { 10.1.1.22/32; } destination-address { 10.2.2.0/24; } } then { accept; } } … … … term default-action { then { syslog; discard; } } } }
Fix: F-17737r2_fix
If the management interface is a routed interface, it must be configured with both an ingress and egress ACL. The ingress ACL should block any transit traffic, while the egress ACL should block any traffic that was not originated by the managed network device.
- RMF Control
- Severity
- L
- CCI
- Version
- NET0993
- Vuln IDs
-
- V-17823
- Rule IDs
-
- SV-19335r2_rule
Checks: C-20314r4_chk
If the managed network element is a layer 3 device, review the configuration to verify the management interface is configured as passive for the IGP instance for the managed network. With JUNOS, routing protocols are enabled on the interfaces by specifying the interface under the routing protocol hierarchy. The following configuration would be an example where OSPF is only enabled on all interfaces except the management interface: interfaces { fe-0/0/0 { description “link to our Private Net” unit 0 { family inet { address 172.20.4.2/24; } } } fe-0/0/1 { description “link to our Service Net” unit 0 { family inet { address 172.20.5.2/24; } } } fe-0/0/2 { description “link to our Management LAN” unit 0 { family inet { filter { input OOBM-ingress-filter; output OOBM-egress-filter; } address 10.1.1.22/24; } } } } protocols { ospf { area 0.0.0.0 { interface fe-0/0/0.0; interface fe-0/0/1.0; } } }
Fix: F-17738r2_fix
Configure the management interface as passive for the IGP instance configured for the managed network. Depending on the platform and routing protocol, this may simply require that the interface or its IP address is not included in the IGP configuration.
- RMF Control
- Severity
- M
- CCI
- Version
- NET1005
- Vuln IDs
-
- V-17834
- Rule IDs
-
- SV-19309r1_rule
Checks: C-20258r1_chk
Review the router configuration and verify that an inbound ACL has been configured for the management network sub-interface as illustrated in the following example configuration: interfaces fe-1/1/1 { vlan-tagging; unit 10 { family inet { filter { input ingress-mgmt-vlan-filter; } address 10.1.1.1/24; } } } firewall { filter ingress-mgmt-vlan-filter { term …
Fix: F-17751r1_fix
If a router is used to provide inter-VLAN routing, configure an inbound ACL for the management network sub-interface for the trunk link to block non-management traffic.
- RMF Control
- Severity
- M
- CCI
- Version
- NET1006
- Vuln IDs
-
- V-17835
- Rule IDs
-
- SV-19311r1_rule
Checks: C-20260r1_chk
Verify that all traffic from the managed network to the management network and vice-versa is secured via IPSec encapsulation. In the configuration examples, 10.2.2.0/24 is the management network at the NOC and 192.168.1.0/24 is address space used at the network being managed (i.e., the enclave). Example from a show services command with Juniper M or T series router with Adaptive Services PIC using next-hop style is as follows: service-set vpn-to-NOC { next-hop-service { inside-service-interface sp-0/0/0.1; outside-service-interface sp-0/0/0.2; } ipsec-vpn-options { local-gateway 19.16.1.1; } ipsec-vpn-rules site-to-NOC; } ipsec-vpn { rule site-to-NOC { term mgmt-traffic { } destination-address { 10.2.2.0/24; } } then remote-gateway 19.16.2.1; dynamic { ike-policy main_mode_ike_policy; ipsec-policy dynamic_ipsec_policy; } } } match-direction input; } ipsec { proposal esp_sha1_ipsec_prop { protocol esp; authentication-algorithm hmac-sha1-96; encryption-algorithm 3des-cbc; } policy dynamic_ipsec_policy { perfect-forward-secrecy { keys group2; } proposals esp_sha1_ipsec_prop; } } ike { proposal psk_sha1_3des_ike_prop { authentication-method pre-shared-keys; authentication-algorithm sha1; encryption-algorithm 3des-cbc; } policy main_mode_ike_policy { mode main; proposals psk_sha1_3des_ike_prop; pre-shared-key ascii-text “$7#$AAtBRmNOjH”; ##SECRET-DATA } } } Note: Juniper recommends implementing all Layer 3 services with the next-hop-style service set as opposed to the interface-style. When you configure next-hop-style service sets, you associate them with specific inside and outside logical interfaces. These logical interfaces are units you configure on an AS PIC’s sp- interface as illustrated below: interfaces { sp-0/0/0 { unit 0 { family inet; } unit 1 { description "IPSec Tunnel Inside Service Interface"; family inet; service-domain inside; } unit 2 { description "IPSec Tunnel Outside Service Interface"; family inet; service-domain outside; } } … … } The router must be configured to match the traffic that is to be secured in the outbound direction. For next-hop service sets, this is the input direction as configured via match-direction input command as shown above under the services ipsec-vpn hierarchy. You configure the router to route traffic to the inside or outside interface as shown in the following example: routing-options { static { route 10.2.2.0/24 next-hop sp-0/0/0.1; } }
Fix: F-17752r1_fix
Where IPSec technology is deployed to connect the managed network to the NOC, it is imperative that the traffic entering the tunnels is restricted to only the authorized management packets based on destination address.
- RMF Control
- Severity
- L
- CCI
- Version
- NET1007
- Vuln IDs
-
- V-17836
- Rule IDs
-
- SV-19314r1_rule
Checks: C-20263r1_chk
Review the configuration of the MLS or router to determine if the management traffic is classified and marked to a favorable PHB at the distribution layer. According to the DISN approved QoS classifications, control plane and management plane traffic should use DSCP 48 (Network-Control PHB). In the example configurations below, an infrastructure router within the managed network’s distribution layer will classify and mark at ingress all traffic destined to management network with DSCP 48. firewall { family inet { filter set-FC-to-network-control { term match-management-network-prefix { from { destination-address { 10.10.10.0/24; } } then { forwarding-class network-control; accept; } } term accept-all { then accept; } } } } interfaces { fe-0/0/2 { description “link to LAN1” unit 0 { family inet { filter { input set-FC-to-network-control; } address 192.168.1.1/24; } } } fe-0/0/2 { description “link to LAN2” unit 0 { family inet { filter { input set-FC-to-network-control; } address 192.168.2.1/24; } } } ge-0/0/1 { description “link to core” unit 0 { family inet { address 192.168.2.1/24; } } } } By default, rewrite rules are not applied to interfaces. Without rewriting the DSCP value in the packet, the packet will be transmitted with the original value prior to classifying by the local router. To apply a rewrite rule, you can either use the default rules or design new rules. In either case, you must apply the rules to the outgoing interface under the class-of-service hierarchy as shown in the following configuration: class-of-service { interfaces { ge-0/0/1 { unit 0 { rewrite-rules { dscp default; } } } } }
Fix: F-17756r1_fix
When management traffic must traverse several nodes to reach the management network, classify and mark management traffic at the nearest upstream MLS or router.
- RMF Control
- Severity
- L
- CCI
- Version
- NET1008
- Vuln IDs
-
- V-17837
- Rule IDs
-
- SV-19316r1_rule
Checks: C-20265r1_chk
When management traffic must traverse several nodes to reach the management network, ensure that all core routers within the managed network have been configured to provide preferred treatment for management traffic. This will ensure that management traffic receives guaranteed bandwidth at each forwarding device along the path to the management network. Step 1: Verify that all internal or core router interfaces are bound to a DSCP classifier and that both CE-facing and core-facing interfaces have a forwarding-class policy defined (i.e. scheduler-map) as shown in the configuration below: class-of-service { interfaces { fe-* { scheduler-map MAP-FC-Policy; unit 0 { classifiers { dscp access-classifier; } rewrite-rules { dscp basic-rewrite-rules; } } } ge-* { scheduler-map MAP-FC-Policy; unit 0 { classifiers { dscp core-classifier; } } } } } Step 2: Verify that the classifier places traffic in the appropriate forwarding class according to the approved DSCPs as shown in the example below: class-of-service { classifiers { dscp access-classifier { forwarding-class best-effort { loss-priority high code-points 000000; } forwarding-class data-AF13-AF23 { loss-priority high code-points 001110; loss-priority low code-points 010110; } forwarding-class video-AF33-AF43 { loss-priority high code-points 011110; loss-priority low code-points 100110; } forwarding-class voice-EF { loss-priority low code-points 101110; } forwarding-class network-control { loss-priority low code-points 110000; } } } } Step 3: Verify that the forwarding classes are associated with the correct queues and polices (i.e., schedulers) as shown in the example below: class-of-service { forwarding-classes { queue 0 best-effort; queue 1 data-AF13-AF23; queue 2 video-AF33-AF43; queue 3 voice-EF; queue 4 network-control; } scheduler-maps { MAP-FC-Policy { forwarding-class best-effort scheduler Q0-best-effort; forwarding-class data-AF13-AF23 scheduler Q1-data; forwarding-class video-AF33-AF43 scheduler Q2-video; forwarding-class voice-EF scheduler Q3-voice; forwarding-class network-control scheduler Q4-network-control; } schedulers { Q0-best-effort { transmit-rate percent 20; buffer-size percent 20; drop-profile-map loss-priority low protocol any drop-profile be-low-drop-profile; drop-profile-map loss-priority high protocol any drop-profile be-high-drop-profile; priority low; } Q1-data { transmit-rate percent 35; buffer-size percent 30; drop-profile-map loss-priority low protocol any drop-profile data-low-drop-profile; drop-profile-map loss-priority high protocol any drop-profile data-high-drop-profile; priority low; } Q2-video { transmit-rate percent 40; buffer-size percent 35; drop-profile-map loss-priority low protocol any drop-profile video-low-drop-profile; drop-profile-map loss-priority high protocol any drop-profile video-high-drop-profile; priority low; } Q3-voice { buffer-size percent 10; priority strict-high; } Q4-network-control { transmit-rate percent 5; buffer-size percent 5; priority high; } } drop-profiles { video -high-drop-profile { fill-level 30 drop-probability 30; fill-level 50 drop-probability 50; fill-level 70 drop-probability 60; fill-level 90 drop-probability 100; } video -low-drop-profile { fill-level 40 drop-probability 30; fill-level 60 drop-probability 50; fill-level 80 drop-probability 60; fill-level 100 drop-probability 100; } data-high-drop-profile { fill-level 25 drop-probability 30; fill-level 45 drop-probability 50; fill-level 65 drop-probability 60; fill-level 85 drop-probability 100; } data-low-drop-profile { fill-level 30 drop-probability 30; fill-level 50 drop-probability 50; fill-level 70 drop-probability 60; fill-level 90 drop-probability 100; } be-high-drop-profile { fill-level 20 drop-probability 30; fill-level 40 drop-probability 50; fill-level 60 drop-probability 60; fill-level 80 drop-probability 100; } be-low-drop-profile { fill-level 25 drop-probability 30; fill-level 45 drop-probability 50; fill-level 65 drop-probability 60; fill-level 85 drop-probability 100; } } } Note: Scheduling policy maps configure the forwarding classes that represent packet queues for the physical interfaces that they are bound to. On M-series and T-series platforms, you can configure one queue per interface to have strict-high priority, which works the same as high priority, but provides unlimited transmission bandwidth. Hence, there is no need to define a transmit-rate for a strict-high priority queue. As long as the queue with strict-high priority has traffic to send, it receives precedence over all other queues, except queues with high priority. Queues with strict-high and high priority take turns transmitting packets until the strict-high queue is empty, the high priority queues are empty, or the high priority queues run out of bandwidth credit. Only then can lower priority queues send traffic. If only 4 queues are supported by the interface, map two classes into one queue as shown in the following example: class-of-service { restricted-queues { forwarding-class best-effort queue 0; forwarding-class data-AF13-AF23 queue 0; forwarding-class video-AF33-AF4 queue 1; forwarding-class voice-EF 2; forwarding-class network-control queue 3; } }
Fix: F-17757r1_fix
When management traffic must traverse several nodes to reach the management network, ensure that all core routers within the managed network have been configured to provide preferred treatment for management traffic.
- RMF Control
- Severity
- M
- CCI
- Version
- NET-SRVFRM-003
- Vuln IDs
-
- V-18522
- Rule IDs
-
- SV-20061r2_rule
Checks: C-21297r5_chk
Review the device configuration to validate an ACL with a deny-by-default security posture has been implemented on the server VLAN interface.
Fix: F-19125r4_fix
Configure an ACL to protect the server VLAN interface. The ACL must be in a deny-by-default security posture.
- RMF Control
- Severity
- M
- CCI
- Version
- NET-TUNL-012
- Vuln IDs
-
- V-18790
- Rule IDs
-
- SV-20504r2_rule
Checks: C-22501r1_chk
Identify the tunnel endpoints, then review all routing devices to ensure the tunnel entry point is not used as a default route. Traffic destined to the tunnel should be directed to the tunnel endpoint by static routes, policy based routing, or by the mechanics of the interior routing protocol, but not by default route statements.
Fix: F-19446r1_fix
The SA must carefully plan and configure or let IGP determine what goes into each tunnel.
- RMF Control
- Severity
- M
- CCI
- Version
- NET0966
- Vuln IDs
-
- V-19188
- Rule IDs
-
- SV-21168r2_rule
Checks: C-23286r3_chk
There are numerous rate limiters built into both the Packet Forwarding Engine and the RE to manage exception traffic to and from the RE. Traffic destined to the system is prioritized upon receipt based on protocol in the PFE (forwarding plane). Legitimate traffic bound for the RE is throttled and queued based on protocol priority and appropriately scheduled for transmission across the PFE to RE interface. Juniper is unique. For the most part, ICMP processing is processed by the PFE. This is especially helpful for packets with a next-hop of discard. The forwarding board generates the ICMP unreachable, not the routing engine. These mechanisms aren't configurable and have always been part of the Juniper M/T series architecture. In addition, Juniper handles fragmentation in the data plane, not the RE. Step 1: Verify that an inbound filter has been applied to the loopback interface to restrict traffic destined to the router. The interface configuration should look similar to the following: interfaces { lo0 { unit 0 { family inet { no-redirects; filter { input router-protect-filter; } address 10.10.2.1/32 } } } } Step 2: Verify the filter bound to the router’s loopback address restricts all control plane and management plane traffic. The filter configuration should look similar to the following: firewall { filter router-protect-filter { /* police management and ICMP traffic */ policer mgmt-128k { if-exceeding { bandwidth-limit 128k; burst-size-limit 2k; } then discard; } policer mgmt-64k { if-exceeding { bandwidth-limit 64k; burst-size-limit 1k; } then discard; } policer icmp-64k { if-exceeding { bandwidth-limit 64k; burst-size-limit 1k; } then discard; } /* drop framgmented ICMP messages */ term fragmented-icmp { from { protocol icmp; is-fragment; } then { syslog; discard; } } /* allow specific management plane traffic */ term ssh-access { from { source-address { 192.168.1.0/24; } protocol tcp; destination-port ssh; } then { policer mgmt-64k; accept; } } term snmp-access { from { source-address { 192.168.1.22/32; 192.168.1.24/32; } protocol udp; destination-port snmp; } then { policer mgmt-128k; accept; } } term tacacs-access { from { source-address { 192.168.1.101/32; } protocol tcp; port tacacs-ds; } then { policer mgmt-64k; accept; } } term ntp-access { from { source-address { 192.168.1.70/32; 192.168.1.77/32; } protocol udp; port ntp; } then { policer mgmt-64k; accept; } } term allow-ICMP { from { source-address { 192.168.1.0/24; } protocol icmp; } then { policer icmp-64k; accept; } } /* allow specific control plane traffic */ term guard-bgp { from { source-address { 199.21.32.11/32; 199.21.32.12/32; } protocol tcp; port bgp; } then { syslog; accept; } } term guard-ospf { from { source-address { 199.21.32.11/32; 199.21.32.12/32; } protocol ospf; } then { syslog; accept; } } … … … term default-action { then { syslog; discard; } } } }
Fix: F-19812r1_fix
Implement control plane protection by classifying traffic types based on importance levels and configure filters to restrict and rate limit the traffic punted to the route processor as according to each class.
- RMF Control
- Severity
- L
- CCI
- Version
- NET-MCAST-010
- Vuln IDs
-
- V-19189
- Rule IDs
-
- SV-21170r1_rule
Checks: C-23288r1_chk
The following examples will establish a multicast boundary on the interface to ensure that Local-scope IPv4 traffic or Site-local scope IPv6 traffic is not allowed into or out of the administratively scoped multicast region. You can configure multicast scoping with a scope statement or with a scope-policy statement as shown in the examples. Example using the scope statement routing-options { multicast { scope ipv4-administrative-scope { interface [fe-1/1/1 fe-1/1/2]; prefix 239.255.0.0/16; } scope ipv6-administrative-scope { interface [fe-1/1/1 fe-1/1/2]; prefix FF05::/16; } } } Example using the scope-policy statement routing-options { multicast { scope-policy block-admin-scope; } } . . . policy-options { policy-statement block-admin-scope { term reject-i { from { route-filter 239.255.0.0/16 orlonger; route-filter FF08::/16 orlonger; } then reject; } } }
Fix: F-19813r1_fix
Local Scope range is 239.255.0.0/16 and can expand into the reserved ranges 239.254.0.0/16 and 239.253.0.0/16 if 239.255.0.0/16 is exhausted. The scope of IPv6 multicast packets are determined by the scope value where 4 is Admin-local and 5 is Site-local. Configure the necessary boundary to ensure packets addressed to these administratively scoped multicast addresses do not cross the applicable administrative boundaries.
- RMF Control
- Severity
- L
- CCI
- Version
- NET0812
- Vuln IDs
-
- V-23747
- Rule IDs
-
- SV-41498r1_rule
Checks: C-12792r2_chk
Review the router or switch configurations and verify that two or more NTP servers have been defined similar to the following example: [edit system] ntp { boot-server 129.237.32.2; server 129.237.32.2; server 142.181.31.6; } Note: The boot-server statement identifies the server from which the initial time of day and date is obtained when the router boots. The server statements identify the NTP servers used for periodic time synchronization.
Fix: F-3044r2_fix
Configure the device to use two separate NTP servers.
- RMF Control
- Severity
- M
- CCI
- Version
- NET0405
- Vuln IDs
-
- V-28784
- Rule IDs
-
- SV-36774r5_rule
Checks: C-35853r4_chk
Review the device configuration to determine if the call home service or feature is disabled on the device. If the call home service is enabled on the device, this is a finding. Note: This feature can be enabled if the communication is only to a server residing in the local area network or enclave.
Fix: F-31103r2_fix
Configure the network device to disable the call home service or feature. Note: This feature can be enabled if the communication is only to a server residing in the local area network or enclave.
- RMF Control
- Severity
- M
- CCI
- Version
- NET-MCAST-001
- Vuln IDs
-
- V-30577
- Rule IDs
-
- SV-40313r1_rule
Checks: C-39165r1_chk
If IPv4 or IPv6 multicast routing is enabled, ensure that all interfaces enabled for PIM is documented in the network’s multicast topology diagram. Review the router or multi-layer switch configuration to determine if multicast routing is enabled and what interfaces are enabled for PIM. Review the interfaces that have been defined under the protocols PIM hierarchy and verify that they all need to support multicast routing. When using the explicit interface declarations, the configuration would look similar to the following: protocols { pim { interface so-7/0/1.0 { mode sparse; version 2; } interfaces ge-0/3/0.0 { mode sparse; version 2; } … … … } If the interface all statement is used, verify that interfaces not supporting multicast routing have PIM disabled using the disable keyword. The configuration would look similar to the following: protocols { pim { interface all { mode sparse; version 2; } interface fx0.0 { disable; } interfaces fe-1/1/1 { disable; } interfaces fe-1/1/2 { disable; } } }
Fix: F-34295r1_fix
If IPv4 or IPv6 multicast routing is enabled, ensure that all interfaces enabled for PIM is documented in the network’s multicast topology diagram. Enable PIM only on the applicable interfaces according to the multicast topology diagram.
- RMF Control
- Severity
- M
- CCI
- Version
- NET-MCAST-002
- Vuln IDs
-
- V-30578
- Rule IDs
-
- SV-40316r1_rule
Checks: C-39169r1_chk
Review the router or multi-layer switch to determine if either IPv4 or IPv6 multicast routing is enabled. If either is enabled, verify that all interfaces enabled for PIM has a neighbor filter to only accept PIM control plane traffic from the documented routers according to the multicast topology diagram. JUNOS does not have a PIM neighbor filter; Hence, a firewall filter will have to be used similar to the example shown below. Step 1: Verify that an input filter is configured that will specify the allowable PIM neighbors similar to the following example. firewall { filter input-filter { term pim-neighbors { from { source-address { 192.0.2.1/32; 192.0.2.3/32; } destination-address { 224.0.0.13/32; } protocol pim; } then accept; } term … Step 2: Verify that an input filter is applied to all PIM enabled interfaces. The configuration should look similar to the following: interfaces fe-1/1/1 { unit 0 { family inet { filter { input input-filter; } address 192.0.2.2/32; } } } To determine which interfaces are enabled for PIM, review the interface section within the protocols pim hierarchy that will look similar to the following example: protocols { … pim { interface all { mode sparse; } } }
Fix: F-34301r1_fix
If IPv4 or IPv6 multicast routing is enabled, ensure that all interfaces enabled for PIM has a neighbor filter to only accept PIM control plane traffic from the documented routers according to the multicast topology diagram.
- RMF Control
- Severity
- L
- CCI
- Version
- NET-IPV6-059
- Vuln IDs
-
- V-30617
- Rule IDs
-
- SV-40390r1_rule
Checks: C-39254r1_chk
Review the router or multi-layer switch configuration to determine if the default maximum hop limit has been configured. If it has been configured, then it must be set to at least 32. protocols { … … router-advertisement { interface [fe-1/1/1 fe-1/1/2] { current-hop-limit 128; } … } } Note: The JUNOS default is 64. Hence, if the hop limit is not configured, the router will be in compliance with the requirement.
Fix: F-34363r2_fix
Configure maximum hop limit to at least 32.
- RMF Control
- Severity
- M
- CCI
- Version
- NET-IPV6-065
- Vuln IDs
-
- V-30660
- Rule IDs
-
- SV-40455r1_rule
Checks: C-39285r1_chk
Currently JUNOS does not support 6to4 automatic tunneling so this vulnerability is not applicable
Fix: F-34388r1_fix
If the router is functioning as a 6to4 router, configure an egress filter (inbound on the internal-facing interface) to drop any outbound IPv4 packets that are tunneling IPv6 packets.
- RMF Control
- Severity
- L
- CCI
- Version
- NET-IPV6-066
- Vuln IDs
-
- V-30736
- Rule IDs
-
- SV-40541r1_rule
Checks: C-39312r1_chk
Currently JUNOS does not support 6to4 automatic tunneling so this vulnerability is not applicable
Fix: F-34421r1_fix
If the router is functioning as a 6to4 router, configure an egress filter (inbound on the internal-facing interface) to drop any outbound IPv6 packets from the internal network with a source address that is not within the 6to4 prefix 2002:V4ADDR::/48 where V4ADDR is the designated IPv4 6to4 address for the enclave.
- RMF Control
- Severity
- M
- CCI
- Version
- NET-TUNL-034
- Vuln IDs
-
- V-30744
- Rule IDs
-
- SV-40557r1_rule
Checks: C-39322r1_chk
Currently JUNOS does not support L2TPv3 so this vulnerability is not applicable.
Fix: F-34428r1_fix
Configure L2TPv3 to use authentication for any peering sessions.
- RMF Control
- Severity
- M
- CCI
- Version
- NET0408
- Vuln IDs
-
- V-31285
- Rule IDs
-
- SV-41556r2_rule
Checks: C-40050r1_chk
Review the router configuration to determine if authentication is being used for all peers. An authentication key should be defined for each BGP neighbor regardless of the autonomous system the peer belongs as shown in the following example: protocols bgp { group external-peers { type external; neighbor 171.69.232.90 { peer-as 200; authentication-key xxxxx; } neighbor 171.69.232.100 { peer-as 300; authentication-key xxxxx; } } } Note: The authentication-key statement can be applied at the BGP level, at the group level, or at the neighbor level.
Fix: F-14123r2_fix
Configure the device to authenticate all BGP peers.