STIGhubSTIGhub
STIGsSearchCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 5 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to Juniper Router RTR Security Technical Implementation Guide

V-217076

CAT I (High)

The Juniper PE router must be configured to block any traffic that is destined to IP core infrastructure.

Rule ID

SV-217076r604135_rule

STIG

Juniper Router RTR Security Technical Implementation Guide

Version

V3R2

CCIs

CCI-001097

Discussion

IP/MPLS networks providing VPN and transit services must provide, at the least, the same level of protection against denial-of-service (DoS) attacks and intrusions as Layer 2 networks. Although the IP core network elements are hidden, security should never rely entirely on obscurity. IP addresses can be guessed. Core network elements must not be accessible from any external host. Protecting the core from any attack is vital for the integrity and privacy of customer traffic as well as the availability of transit services. A compromise of the IP core can result in an outage or, at a minimum, non-optimized forwarding of customer traffic. Protecting the core from an outside attack also prevents attackers from using the core to attack any customer. Hence, it is imperative that all routers at the edge deny traffic destined to any address belonging to the IP core infrastructure.

Check Content

Review the router configuration to verify that an ingress filter is applied to all CE-facing interfaces. 

interfaces {
    ge-0/1/0 {
        description "link to Customer 2";
        unit 0 {
            family inet {
                filter {
                    input INGRESS_FILTER;
                }
                address x.x.x.x/30;
            }
        }
    }

Verify that the ingress filter discards and logs packets destined to the IP core address space. 

firewall {
    family inet {
        filter INGRESS_FILTER {
            term BLOCK_TO_CORE {
                from {
                    destination-address {
                        x.x.x.x/8;
                    }
                }
                then {
                    log;
                    discard;
                }
            }
            term ALLOW_TRANSIT_TRAFFIC {
                then accept;
            }
        }
    }

If the PE router is not configured to block any traffic with a destination address assigned to the IP core infrastructure, this is a finding.

Note: Internet Control Message Protocol (ICMP) echo requests and traceroutes will be allowed to the edge from external adjacent neighbors.

Fix Text

Configure protection for the IP core to be implemented at the edges by blocking any traffic with a destination address assigned to the IP core infrastructure.

Configure an ingress filter to discard and log packets destined to the IP core address space. 

[edit firewall family inet]
set filter INGRESS_FILTER term BLOCK_TO_CORE from destination-address x.x.x.x/8
set filter INGRESS_FILTER term BLOCK_TO_CORE then log discard
set filter INGRESS_FILTER term ALLOW_TRANSIT_TRAFFIC then accept

Apply the filter inbound to all CE-facing interfaces.

[edit interfaces ge-0/1/0 unit 0]
set family inet filter input INGRESS_FILTER