The Juniper router must be configured to restrict traffic destined to itself.

From Juniper Router RTR Security Technical Implementation Guide

Part of SRG-NET-000205-RTR-000001

Associated with: CCI-001097

JUNI-RT-000130_rule The Juniper router must be configured to restrict traffic destined to itself.

Vulnerability discussion

The router must be able to securely handle specific control plane and management plane traffic that is destined to it. Using the ingress filter on forwarding interfaces is a method that has been used in the past to filter both forwarding path and receive path traffic. However, this method does not scale well as the number of interfaces grows and the size of the ingress filters grows. Applying a small and manageable filter directly on the router’s receive path to restrict this traffic is considered an industry best practice.

Check content

Review the filter for the router's receive path and verify that it will only allow specific management plane traffic from specific sources. Verify the filter has been configured as shown in the example below:

firewall {
    family inet {
        …
        filter DESTINED_TO_RP {
            term ALLOW_OSPF {
                from {
                    protocol ospf;
                }
                then accept;
            }
            term ALLOW_BGP {
                from {
                    source-address {
                        11.1.12.1/32;
                        11.1.23.3/32;
                        11.1.25.5/32;
                    }
                    protocol tcp;
                    port bgp;
                }
            }
            term FILTER_TCP {
                from {
                    destination-address {
                        11.1.12.0/24;
                    }
                    protocol tcp;
                    destination-port [ ssh tacacs telnet snmp ];
                }
                then accept;
            }
            term FILTER_UDP {
                from {
                    destination-address {
                        11.1.12.0/24;
                    }
                    protocol udp;
                    destination-port ntp;
                }
                then accept;
            }
            term ICMP_ANY {
                from {
                    protocol icmp;
                }
                then accept;
            }
            term DENY_BY_DEFAULT {
                then {
                    log;
                    discard;
                }
            }
        }
    }
}

Verify the input filter has been applied to the loopback interface as shown in the example below:

interfaces {
    …
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input-list [ DESTINED_TO_RP CoPP_Policy ];
                }
                address 2.2.2.2/32;
            }
        }
    }
}

If the router is not configured with a receive-path filter to restrict traffic destined to itself, this is a finding.

Fix text

Configure the router's receive path filters to restrict traffic destined to the router. Configure a filter to define what traffic should be received by the route processor.

[edit firewall family inet]
set filter DESTINED_TO_RP term FILTER_TCP from destination-address 11.1.12.0/24
set filter DESTINED_TO_RP term FILTER_TCP from protocol tcp
set filter DESTINED_TO_RP term FILTER_TCP from destination-port ssh
set filter DESTINED_TO_RP term FILTER_TCP from destination-port tacacs
set filter DESTINED_TO_RP term FILTER_TCP from destination-port snmp
set filter DESTINED_TO_RP term FILTER_TCP then accept
set filter DESTINED_TO_RP term FILTER_UDP from destination-address 11.1.12.0/24
set filter DESTINED_TO_RP term FILTER_UDP from protocol udp
set filter DESTINED_TO_RP term FILTER_UDP from destination-port ntp
set filter DESTINED_TO_RP term FILTER_UDP then accept
set filter DESTINED_TO_RP term ICMP_ANY from protocol icmp
set filter DESTINED_TO_RP term ICMP_ANY then accept
set filter DESTINED_TO_RP term DENY_BY_DEFAULT then log
set filter DESTINED_TO_RP term DENY_BY_DEFAULT then discard

Apply the filter to the loopback interface.

[edit interfaces lo0 unit 0 family inet]
set filter input-list DESTINED_TO_RP
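An automated form of the check above, added here as an example and not part of the STIG: it parses "show configuration | display set" output (the sample config is constructed, with the filter and interface names from this rule) and flags the conditions the check describes: no input filter on lo0, a referenced filter that is not defined, and a last term that does not discard. It goes one step beyond the page's wording by also flagging any accepting tcp/udp term with no source or destination address match, and treats a term without a then clause as accepting, which is the Junos default.

```python
import re

# Constructed sample of "show configuration | display set" output; it mirrors
# the STIG's example filter and is not captured from a real device.
SAMPLE_CONFIG = """
set firewall family inet filter DESTINED_TO_RP term ALLOW_OSPF from protocol ospf
set firewall family inet filter DESTINED_TO_RP term ALLOW_OSPF then accept
set firewall family inet filter DESTINED_TO_RP term FILTER_TCP from destination-address 11.1.12.0/24
set firewall family inet filter DESTINED_TO_RP term FILTER_TCP from protocol tcp
set firewall family inet filter DESTINED_TO_RP term FILTER_TCP from destination-port ssh
set firewall family inet filter DESTINED_TO_RP term FILTER_TCP then accept
set firewall family inet filter DESTINED_TO_RP term DENY_BY_DEFAULT then log
set firewall family inet filter DESTINED_TO_RP term DENY_BY_DEFAULT then discard
set interfaces lo0 unit 0 family inet filter input-list DESTINED_TO_RP
set interfaces lo0 unit 0 family inet address 2.2.2.2/32
"""
TERM_RE = re.compile(r"^set firewall family inet filter (\S+) term (\S+) (from|then) (.+)$")
LO0_RE = re.compile(r"^set interfaces lo0 unit 0 family inet filter input(?:-list)? (\S+)$")

def parse_filters(config):
    """Map filter name -> {term: {'from': [...], 'then': [...]}}, terms in config order."""
    filters = {}
    for m in filter(None, map(TERM_RE.match, config.strip().splitlines())):
        name, term, clause, rest = m.groups()
        filters.setdefault(name, {}).setdefault(term, {"from": [], "then": []})[clause].append(rest)
    return filters

def check_receive_path_filter(config):
    """Return a list of findings; an empty list means the STIG check passes."""
    filters = parse_filters(config)
    applied = [m.group(1) for m in map(LO0_RE.match, config.strip().splitlines()) if m]
    if not applied:
        return ["no input filter applied to lo0 unit 0 family inet"]
    findings = []
    for name in applied:
        terms = filters.get(name)
        if not terms:
            findings.append(f"filter {name} referenced on lo0 but not defined")
            continue
        last_term, last = list(terms.items())[-1]
        if not {"discard", "reject"} & set(last["then"]):
            findings.append(f"{name}: last term {last_term} does not discard (no deny-by-default)")
        for term, body in terms.items():
            # A term with no 'then' accepts in Junos; tcp/udp accepted with no address match is open to any host.
            accepts = not body["then"] or "accept" in body["then"]
            l4 = any(f in ("protocol tcp", "protocol udp") for f in body["from"])
            addr = any(f.startswith(("source-address", "destination-address")) for f in body["from"])
            if accepts and l4 and not addr:
                findings.append(f"{name}: term {term} accepts tcp/udp from any address")
    return findings
```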
