The Juniper perimeter router must be configured to have Link Layer Discovery Protocol (LLDP) disabled on all external interfaces.

From Juniper Router RTR Security Technical Implementation Guide

Part of SRG-NET-000364-RTR-000111

Associated with: CCI-002403

Rule JUNI-RT-000360: The Juniper perimeter router must be configured to have Link Layer Discovery Protocol (LLDP) disabled on all external interfaces.

Vulnerability discussion

LLDP is primarily used to obtain protocol addresses of neighboring devices and to discover the platform capabilities of those devices. Use of SNMP with the LLDP Management Information Base (MIB) allows network management applications to learn the device type and the SNMP agent address of neighboring devices, thereby enabling the application to send SNMP queries to those devices. LLDP is also media- and protocol-independent because it runs directly over the data link layer; therefore, two systems that support different network-layer protocols can still learn about each other. Allowing LLDP messages to reach external network nodes is dangerous because it gives an attacker a method to obtain information about the network infrastructure (such as device type and management address) that can be used to plan an attack.

Check content

This requirement is not applicable for the DoDIN Backbone.

Review all router configurations to ensure LLDP is not enabled on any external interface.

protocols {
    …
    …
    …
    lldp {
        advertisement-interval 30;
        interface all;
    }
}

If LLDP is configured globally or on any external interface, this is a finding.

Fix text

This requirement is not applicable for the DoDIN Backbone.

Disable LLDP on all external interfaces. With interface all configured, LLDP advertisements are sent on every interface, including the external ones; if necessary, remove the interface all parameter and define all internal interfaces explicitly, as shown in the example below.

[edit protocols lldp]
delete interface all
set interface ge-0/1/0
set interface ge-0/1/1
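The check above is easy to miss when done by eye across many routers, so the following is an added example (not part of the STIG text) of automating it: a small Python audit that takes the output of show configuration protocols lldp | display set and the operator's list of external interfaces, and returns a finding exactly under the STIG's two conditions, LLDP configured globally (interface all) or on any external interface. The configurations and the choice of ge-0/0/0 as the external interface are constructed for this example; the handling of a per-interface disable knob and of a deactivated protocols lldp stanza goes beyond the STIG's wording and follows the Junos configuration hierarchy.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the non-compliant configuration from the check content,
# rendered as "show configuration protocols lldp | display set" output.
NONCOMPLIANT_CONFIG = """\
set protocols lldp advertisement-interval 30
set protocols lldp interface all
"""

# Constructed sample: the result of the fix text, LLDP enabled only on
# explicitly named interfaces (assumed internal in this example).
COMPLIANT_CONFIG = """\
set protocols lldp advertisement-interval 30
set protocols lldp interface ge-0/1/0
set protocols lldp interface ge-0/1/1
"""

# Constructed sample: no global enable, but a named interface is external.
EXTERNAL_LEAK_CONFIG = """\
set protocols lldp interface ge-0/1/0
set protocols lldp interface ge-0/0/0
"""

# Assumption for this example: ge-0/0/0 faces the external network.
EXTERNAL_INTERFACES = {"ge-0/0/0"}

# "set protocols lldp interface <name> [<trailing knobs>]"
LLDP_IFACE = re.compile(r"^set protocols lldp interface (\S+)(?:\s+(\S.*))?$")


@dataclass
class LldpAudit:
    finding: bool
    reasons: list = field(default_factory=list)


def physical(ifname):
    """Strip a logical unit (ge-0/0/0.0 -> ge-0/0/0) so comparison is on the port."""
    return ifname.split(".", 1)[0]


def audit_lldp(display_set, external_interfaces):
    """Return an LldpAudit; finding is True if LLDP is enabled globally or on an external interface."""
    lines = [ln.strip() for ln in display_set.splitlines() if ln.strip()]
    # A deactivated stanza still shows its set lines, followed by a deactivate
    # line; the configuration is present but not running.
    if "deactivate protocols lldp" in lines:
        return LldpAudit(False, ["protocols lldp is deactivated"])
    external = {physical(i) for i in external_interfaces}
    reasons = []
    for ln in lines:
        m = LLDP_IFACE.match(ln)
        if not m:
            continue
        iface, rest = m.group(1), (m.group(2) or "")
        if iface == "all":
            # The STIG counts a global enable as a finding regardless of
            # per-interface overrides, so do not look further.
            reasons.append("LLDP enabled globally via 'interface all'")
            continue
        if physical(iface) in external:
            # Junos allows 'disable' under a named lldp interface; a named
            # external interface that is explicitly disabled is not advertising.
            if "disable" in rest.split():
                continue
            reasons.append(f"LLDP enabled on external interface {iface}")
    return LldpAudit(bool(reasons), reasons)


if __name__ == "__main__":
    samples = [
        ("check-content example", NONCOMPLIANT_CONFIG),
        ("fix-text example", COMPLIANT_CONFIG),
        ("external interface named", EXTERNAL_LEAK_CONFIG),
    ]
    for label, cfg in samples:
        result = audit_lldp(cfg, EXTERNAL_INTERFACES)
        verdict = "FINDING" if result.finding else "compliant"
        print(f"{label}: {verdict} {result.reasons}")
```

Feed it the display-set output of each perimeter router together with that router's own external interface list; the reasons list tells the reviewer which line triggered the finding. Because interface all is a finding on its own, the audit flags it even when every external interface also carries an explicit disable, which matches the check content's "configured globally" wording.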
