From Juniper Router RTR Security Technical Implementation Guide
Part of SRG-NET-000362-RTR-000110
Associated with: CCI-002385
The Route Processor (RP) is critical to all network operations because it is the component used to build all forwarding paths for the data plane via control plane processes. It is also instrumental with ongoing network management functions that keep the routers and links available for providing network services. Any disruption to the RP or the control and management planes can result in mission-critical network outages.
Determine whether control plane protection has been implemented on the router. Verify that a CoPP policy has been configured that classifies traffic types into levels of importance. firewall { family inet { … … … } filter CoPP_Policy { term CRITICAL { from { protocol [ ospf pim tcp ]; source-port bgp; destination-port bgp; } then policer CRITICAL_POLICER; } term IMPORTANT { from { protocol [ tcp udp ]; destination-port [ ssh tacacs snmp ntp ]; } then { policer IMPORTANT_POLICER; } } term NORMAL { from { protocol icmp; icmp-type [ echo-reply echo-request ]; icmp-code [ port-unreachable ttl-eq-zero-during-transit ]; } then policer NORMAL_POLICER; } term UNDESIRABLE { from { protocol udp; } then policer UNDESIRABLE_POLICER; } term ALL-OTHER { from { address { 0.0.0.0/0; } } then policer ALL-OTHER_POLICER; } } } Verify that policers have been configured to rate limit traffic types. firewall { family inet { … … … } policer CRITICAL_POLICER { filter-specific; if-exceeding { bandwidth-limit 3m; burst-size-limit 4k; } then discard; } policer IMPORTANT_POLICER { filter-specific; if-exceeding { bandwidth-limit 400k; burst-size-limit 1500; } then discard; } policer NORMAL_POLICER { filter-specific; if-exceeding { bandwidth-limit 55k; burst-size-limit 1500; } then discard; } policer UNDESIRABLE_POLICER { filter-specific; if-exceeding { bandwidth-limit 32k; burst-size-limit 1500; } then discard; } policer ALL-OTHER_POLICER { filter-specific; if-exceeding { bandwidth-limit 40k; burst-size-limit 1500; } then discard; } Verify that the CoPP policy has been applied to the loopback interface as shown in the example below interfaces { … … … lo0 { unit 0 { family inet { filter { input CoPP_Policy; } address 2.2.2.2/32; } } } } If the router does not have control plane protection implemented, this is a finding.
Implement control plane protection by classifying traffic types based on importance and rate limit the traffic accordingly as shown in the example below. Create filters for critical, important, normal, and undesirable traffic set firewall filter CoPP_Policy term CRITICAL from protocol ospf set firewall filter CoPP_Policy term CRITICAL from protocol pim set firewall filter CoPP_Policy term CRITICAL from protocol tcp destination-port bgp set firewall filter CoPP_Policy term CRITICAL from protocol tcp source-port bgp set firewall filter CoPP_Policy term CRITICAL then policer CRITICAL_POLICER set firewall filter CoPP_Policy term IMPORTANT from protocol tcp destination-port ssh set firewall filter CoPP_Policy term IMPORTANT from protocol tcp destination-port tacacs set firewall filter CoPP_Policy term IMPORTANT from protocol tcp destination-port snmp set firewall filter CoPP_Policy term IMPORTANT from protocol tcp destination-port ntp set firewall filter CoPP_Policy term IMPORTANT then policer IMPORTANT_POLICER set firewall filter CoPP_Policy term NORMAL from protocol icmp icmp-code ttl-eq-zero-during-transit set firewall filter CoPP_Policy term NORMAL from protocol icmp icmp-code port-unreachable set firewall filter CoPP_Policy term NORMAL from protocol icmp icmp-type echo-reply set firewall filter CoPP_Policy term NORMAL from protocol icmp icmp-type echo-request set firewall filter CoPP_Policy term NORMAL then policer NORMAL_POLICER set firewall filter CoPP_Policy term UNDESIRABLE from protocol udp set firewall filter CoPP_Policy term UNDESIRABLE then policer UNDESIRABLE_POLICER set firewall filter CoPP_Policy term ALL-OTHER from address 0.0.0.0/0 set firewall filter CoPP_Policy term ALL-OTHER then policer ALL-OTHER_POLICER Create policers for each traffic type to limit bandwidth set firewall policer CRITICAL_POLICER filter-specific set firewall policer CRITICAL_POLICER if-exceeding bandwidth-limit 3000000 burst-size-limit 4000 set firewall policer CRITICAL_POLICER then discard set firewall policer IMPORTANT_POLICER filter-specific set firewall policer IMPORTANT_POLICER if-exceeding bandwidth-limit 400000 burst-size-limit 1500 set firewall policer IMPORTANT_POLICER then discard set firewall policer NORMAL_POLICER filter-specific set firewall policer NORMAL_POLICER if-exceeding bandwidth-limit 55000 burst-size-limit 150000 set firewall policer NORMAL_POLICER then discard set firewall policer UNDESIRABLE_POLICER filter-specific set firewall policer UNDESIRABLE_POLICER if-exceeding bandwidth-limit 32000 burst-size-limit 1500 set firewall policer UNDESIRABLE_POLICER then discard set firewall policer ALL-OTHER_POLICER filter-specific set firewall policer ALL-OTHER_POLICER if-exceeding bandwidth-limit 40000 burst-size-limit 1500 set firewall policer ALL-OTHER_POLICER then discard Apply the CoPP policy to the loopback interface set interface lo0 unit 0 family inet filter input CoPP_Policy
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer