16:["$","div",null,{"className":"mx-auto max-w-7xl px-6 py-10","children":[["$","div",null,{"className":"mb-2","children":["$","$L2",null,{"href":"/stigs","className":"text-link text-sm hover:underline","children":"← Back to STIGs"}]}],["$","div",null,{"className":"mb-6 flex flex-wrap items-center gap-3","children":[["$","h1",null,{"className":"font-display text-3xl font-bold","children":"Juniper EX Series Switches Router Security Technical Implementation Guide"}],false,["$","$L20",null,{}]]}],["$","section",null,{"className":"border-border bg-surface mb-8 rounded-lg border p-6","children":[["$","div",null,{"className":"grid grid-cols-2 gap-4 sm:grid-cols-5","children":[["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Version"}],["$","p",null,{"className":"font-semibold","children":["V","2","R","1"]}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Release Date"}],["$","p",null,{"className":"font-semibold","children":"Jun 10, 2024"}]]}],["$","div",null,{"className":"min-w-0","children":[["$","p",null,{"className":"text-text-muted text-xs","children":"SCAP Benchmark ID"}],["$","p",null,{"className":"truncate font-mono text-sm","title":"Juniper_EX_RTR_STIG","children":"Juniper_EX_RTR_STIG"}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Total Checks"}],["$","p",null,{"className":"font-semibold","children":102}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Tags"}],["$","div",null,{"className":"flex flex-wrap gap-1","children":[["$","span","network",{"className":"bg-tag-bg text-tag-text rounded-full px-2 py-0.5 text-xs","children":"network"}]]}]]}]]}],["$","div",null,{"className":"mt-4 flex gap-4","children":[["$","span",null,{"className":"bg-severity-high-bg text-severity-high-text rounded px-3 py-1 text-sm font-medium","children":["CAT I: ",10]}],["$","span",null,{"className":"bg-severity-medium-bg text-severity-medium-text rounded px-3 py-1 text-sm font-medium","children":["CAT II: ",63]}],["$","span",null,{"className":"bg-severity-low-bg text-severity-low-text rounded px-3 py-1 text-sm font-medium","children":["CAT III: ",29]}]]}],["$","p",null,{"className":"text-text-secondary mt-4 text-sm","children":"This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil."}],["$","div",null,{"className":"mt-4 flex flex-wrap gap-3","children":[["$","a",null,{"href":"/api/export/checklist?stigTitle=Juniper%20EX%20Series%20Switches%20Router%20Security%20Technical%20Implementation%20Guide&format=ckl","className":"text-text-primary hover:bg-surface-hover border-border rounded border px-3 py-1 text-sm","children":"Export CKL"}],["$","a",null,{"href":"/api/export/checklist?stigTitle=Juniper%20EX%20Series%20Switches%20Router%20Security%20Technical%20Implementation%20Guide&format=csv","className":"text-text-primary hover:bg-surface-hover border-border rounded border px-3 py-1 text-sm","children":"Export CSV"}],["$","a",null,{"href":"/api/export/checklist?stigTitle=Juniper%20EX%20Series%20Switches%20Router%20Security%20Technical%20Implementation%20Guide&format=json","className":"text-text-primary hover:bg-surface-hover border-border rounded border px-3 py-1 text-sm","children":"Export JSON"}],["$","a",null,{"href":"https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_EX_Switches_Y26M01_STIG.zip","target":"_blank","rel":"noopener noreferrer","className":"bg-link/10 text-link hover:bg-link/20 border-link/30 rounded border px-3 py-1 text-sm font-medium","children":"Download STIG ZIP"}]]}]]}],["$","$L21",null,{"checks":[{"id":"793d4ea2-65d3-4b20-a363-aa5b586e9751","vulnId":"V-253973","severity":"medium","ruleTitle":"The Juniper router must be configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies.","description":"Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so it does not introduce any unacceptable risk to the network infrastructure or data. Information flow control policies and enforcement mechanisms are commonly employed by organizations to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems.\n\nEnforcement occurs, for example, in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, and firewalls) that employ rule sets or establish configuration settings that restrict information system services, provide a packet filtering capability based on header information, or provide a message filtering capability based on message content (e.g., implementing key word searches or using document characteristics).","checkContent":"$22","fixText":"$23"},{"id":"773a0990-9cd0-48de-b88e-f37cef5e187b","vulnId":"V-253974","severity":"medium","ruleTitle":"The Juniper BGP router must be configured to reject inbound route advertisements for any Bogon prefixes.","description":"Accepting route advertisements for Bogon prefixes can result in the local autonomous system (AS) becoming a transit for malicious traffic as it will in turn advertise these prefixes to neighbor autonomous systems.\n\nThe list of Bogon addresses can change, based upon new address range assignments, and must be reviewed to ensure filters remain current.","checkContent":"$24","fixText":"$25"},{"id":"0c7372c1-75b9-41e3-a47c-ce6fcb0a5737","vulnId":"V-253975","severity":"medium","ruleTitle":"The Juniper BGP router must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS).","description":"Accepting route advertisements belonging to the local AS can result in traffic looping, being black holed, or at a minimum using a nonoptimized path.","checkContent":"$26","fixText":"$27"},{"id":"bf3d797c-3312-461f-904c-43d0a66aa102","vulnId":"V-253976","severity":"medium","ruleTitle":"The Juniper BGP router must be configured to reject inbound route advertisements from a customer edge (CE) router for prefixes that are not allocated to that customer.","description":"As a best practice, a service provider should only accept customer prefixes that have been assigned to that customer and any peering autonomous systems. A multi-homed customer with BGP speaking routers connected to the internet or other external networks could be breached and used to launch a prefix deaggregation attack. Without ingress route filtering of customers, the effectiveness of such an attack could impact the entire IP core and its customers.","checkContent":"$28","fixText":"$29"},{"id":"971b7c05-fac5-429f-81dc-3ac67881ba0b","vulnId":"V-253977","severity":"medium","ruleTitle":"The Juniper BGP router must be configured to reject outbound route advertisements for any prefixes that do not belong to any customers or the local autonomous system (AS).","description":"Advertisement of routes by an AS for networks that do not belong to any of its customers pulls traffic away from the authorized network. This causes a denial of service (DoS) on the network that allocated the block of addresses and may cause a DoS on the network that is inadvertently advertising it as the originator. It is also possible that a misconfigured or compromised router within the GIG IP core could redistribute IGP routes into BGP, thereby leaking internal routes.","checkContent":"$2a","fixText":"$2b"},{"id":"ec48f272-4a6b-47e6-b105-6ab4a571871d","vulnId":"V-253978","severity":"low","ruleTitle":"The Juniper BGP router must be configured to reject route advertisements from BGP peers that do not list their autonomous system (AS) number as the first AS in the AS_PATH attribute.","description":"Verifying the path a route has traversed will ensure the IP core is not used as a transit network for unauthorized or possibly even internet traffic. All autonomous system boundary routers (ASBRs) must ensure updates received from eBGP peers list their AS number as the first AS in the AS_PATH attribute.","checkContent":"Review the BGP router configuration to verify the router is configured to deny updates received from eBGP peers that do not list their AS number as the first AS in the AS_PATH attribute.\n\nVerify the configuration of \"enforce-first-as\" at either the BGP global or group level.\n[edit protocols bgp]\ngroup eBGP {\n enforce-first-as;\n neighbor

;\n}\nenforce-first-as;\n\nIf the router is not configured to reject updates from peers that do not list their AS number as the first AS in the AS_PATH attribute, this is a finding.","fixText":"Configure all ASBRs to deny updates received from eBGP peers that do not list their AS number as the first AS in the AS_PATH attribute.\n\nset protocols bgp group eBGP enforce-first-as\nset protocols bgp group eBGP neighbor

\nset protocols bgp enforce-first-as"},{"id":"ab75def4-1552-4a44-98f0-925f529d13d6","vulnId":"V-253979","severity":"low","ruleTitle":"The Juniper router configured for Multicast Source Discovery Protocol (MSDP) must filter received source-active multicast advertisements for any undesirable multicast groups and sources.","description":"The interoperability of BGP extensions for interdomain multicast routing and MSDP enables seamless connectivity of multicast domains between autonomous systems. MP-BGP advertises the unicast prefixes of the multicast sources used by Protocol Independent Multicast (PIM) routers to perform RPF checks and build multicast distribution trees. MSDP is a mechanism used to connect multiple PIM sparse-mode domains, allowing RPs from different domains to share information about active sources. When RPs in peering multicast domains hear about active sources, they can pass on that information to their local receivers, thereby allowing multicast data to be forwarded between the domains. Configuring an import policy to block multicast advertisements for reserved, martian, single-source multicast, and any other undesirable multicast groups, as well as any source-group (S, G) states with Bogon source addresses, would assist in avoiding unwanted multicast traffic from traversing the core.","checkContent":"$2c","fixText":"Configure the MSDP router to implement an import policy to block multicast advertisements for undesirable multicast groups and sources.\n\nset protocols msdp peer

import source-active-filter\n\nset policy-options policy-statement source-active-filter term unauth-groups from route-filter 224.0.1.2/32 exact\nset policy-options policy-statement source-active-filter term unauth-groups from route-filter 224.0.2.2/32 exact\nset policy-options policy-statement source-active-filter term unauth-groups then reject\nset policy-options policy-statement source-active-filter term unauth-sources from source-address-filter 10.0.0.0/8 orlonger\nset policy-options policy-statement source-active-filter term unauth-sources from source-address-filter 127.0.0.0/8 orlonger\nset policy-options policy-statement source-active-filter term unauth-sources then reject"},{"id":"554b4294-c329-41ab-a150-33785e87b83b","vulnId":"V-253980","severity":"low","ruleTitle":"The Juniper router configured for Multicast Source Discovery Protocol (MSDP) must filter source-active multicast advertisements to external MSDP peers to avoid global visibility of local-only multicast sources and groups.","description":"To avoid global visibility of local information, there are a number of source-group (S, G) states in a PIM-SM domain that must not be leaked to another domain, such as multicast sources with private address, administratively scoped multicast addresses, and the auto-RP groups (224.0.1.39 and 224.0.1.40).\n\nAllowing a multicast distribution tree, local to the core, to extend beyond its boundary could enable local multicast traffic to leak into other autonomous systems and customer networks.","checkContent":"Review the router configuration to determine if there is export policy to block local source-active multicast advertisements.\n\nVerify that an outbound source-active filter is bound to each MSDP peer.\n\n[edit protocols msdp]\npeer

{\n export source-active-filter;\n}\n\nReview the policy-statement referenced by the source-active filters and verify that MSDP source-active messages being sent to MSDP peers do not leak advertisements that are local.\n\n[edit policy-options]\npolicy-statement source-active-filter {\n term unauth-groups {\n from {\n route-filter 224.0.1.2/32 exact;\n route-filter 224.0.2.2/32 exact;\n }\n then reject;\n }\n term unauth-sources {\n from {\n source-address-filter 10.0.0.0/8 orlonger;\n source-address-filter 127.0.0.0/8 orlonger;\n }\n then reject;\n }\n}\n\nIf the router is not configured with an export policy to block local source-active multicast advertisements, this is a finding.","fixText":"Ensure an export policy is implemented on all MSDP routers to avoid global visibility of local multicast (S, G) states.\n\nset protocols msdp peer

export source-active-filter\n\nset policy-options policy-statement source-active-filter term unauth-groups from route-filter 224.0.1.2/32 exact\nset policy-options policy-statement source-active-filter term unauth-groups from route-filter 224.0.2.2/32 exact\nset policy-options policy-statement source-active-filter term unauth-groups then reject\nset policy-options policy-statement source-active-filter term unauth-sources from source-address-filter 10.0.0.0/8 orlonger\nset policy-options policy-statement source-active-filter term unauth-sources from source-address-filter 127.0.0.0/8 orlonger\nset policy-options policy-statement source-active-filter term unauth-sources then reject"},{"id":"ac693b05-bdf5-4d87-b5e7-96a5e5b63eff","vulnId":"V-253981","severity":"low","ruleTitle":"The Juniper router configured for MSDP must limit the amount of source-active messages it accepts on per-peer basis.","description":"To reduce any risk of a denial-of-service (DoS) attack from a rogue or misconfigured MSDP router, the router must be configured to limit the number of source-active messages it accepts from each peer.","checkContent":"$2d","fixText":"Configure the MSDP router to limit the amount of source-active messages it accepts from each peer.\n\nset protocols msdp active-source-limit maximum <1..1000000>\nset protocols msdp active-source-limit threshold <1..1000000>\nset protocols msdp active-source-limit log-warning \n\nset protocols msdp peer

active-source-limit maximum <1..1000000>\nset protocols msdp peer

active-source-limit threshold <1..1000000>\nset protocols msdp peer

active-source-limit log-warning "},{"id":"aeb8406a-ef2c-41c4-9ce1-6b2830ecc34f","vulnId":"V-253982","severity":"low","ruleTitle":"The Juniper router configured for BGP must reject route advertisements from CE routers with an originating AS in the AS_PATH attribute that does not belong to that customer.","description":"Verifying the path a route has traversed will ensure that the local AS is not used as a transit network for unauthorized traffic. To ensure that the local AS does not carry any prefixes that do not belong to any customers, all PE routers must be configured to reject routes with an originating AS other than that belonging to the customer.","checkContent":"$2e","fixText":"Configure the router to reject updates from CE routers with an originating AS in the AS_PATH attribute that does not belong to that customer.\n\nset policy-options policy-statement bgp_originate_65535 term 1 from as-path orig_65535\nset policy-options policy-statement bgp_originate_65535 term 1 then accept\nset policy-options policy-statement bgp_originate_65535 term 2 then reject\nset policy-options as-path orig_65535 \".* 65535\"\n\nset protocols bgp group eBGP neighbor

import bgp_originate_65535"},{"id":"ab4b52db-2388-47d3-9faa-6dd6a6e3da6f","vulnId":"V-253983","severity":"low","ruleTitle":"The Juniper router must be configured to disable the auxiliary port unless it is connected to a secured modem providing encryption and authentication.","description":"The use of POTS lines to modems connecting to network devices provides clear text of authentication traffic over commercial circuits that could be captured and used to compromise the network. Additional war dial attacks on the device could degrade the device and the production network.\n\nSecured modem devices must be able to authenticate users and must negotiate a key exchange before full encryption takes place. The modem will provide full encryption capability (Triple DES) or stronger. The technician who manages these devices will be authenticated using an authorized MFA token and granted access to the appropriate maintenance port; thus, the technician will gain access to the managed device (router, switch, etc.). The token provides a method of strong (two-factor) user authentication. The token works in conjunction with a server to generate one-time user passwords. The user must know a personal identification number (PIN) and possess the token to be allowed access to the device.","checkContent":"Review the configuration and verify that the auxiliary port is disabled unless a secured modem providing encryption and authentication is connected to it.\n\nThe Junos auxiliary port is disabled by default. Verify the auxiliary port is not configured (there will be no [edit system ports auxiliary] stanza) or that the auxiliary port is explicitly disabled.\n\n[edit system ports]\nauxiliary {\n disable;\n}\n\nIf the auxiliary port is not disabled or is not connected to a secured modem when it is enabled, this is a finding.","fixText":"Disable the auxiliary port.\n\nset system ports auxiliary disable\n-or-\ndelete system ports auxiliary\n\nIf used for out-of-band administrative access, the port must be connected to a secured modem providing encryption and authentication."},{"id":"57d1af3b-b27f-4eea-ae34-c67f135f1277","vulnId":"V-253984","severity":"medium","ruleTitle":"The Juniper router must be configured to enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy.","description":"Information flow control regulates authorized information to travel within a network and between interconnected networks. Controlling the flow of network traffic is critical so it does not introduce any unacceptable risk to the network infrastructure or data. An example of a flow control restriction is blocking outside traffic claiming to be from within the organization. For most routers, internal information flow control is a product of system design.","checkContent":"$2f","fixText":"$30"},{"id":"26edcbde-6718-4093-abb6-5ab68aa8c868","vulnId":"V-253985","severity":"medium","ruleTitle":"The Juniper router must be configured to disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing.","description":"$31","checkContent":"$32","fixText":"Document all enabled interfaces for PIM in the network's multicast topology diagram. Disable support for PIM on interfaces that are not required to support it.\n\nFor non-PIM routers, verify there is no [edit protocols pim] stanza. If the stanza is present, delete or deactivate it.\ndelete protocols pim\ndeactivate protocols pim\n\nTo disable PIM globally or for all interfaces.\nset protocols pim disable\nset protocols pim interface all disable\n\nFor PIM routers verify only the required interfaces are configured and all others are disabled:\nset protocols pim interface .\nset protocols pim interface all disable"},{"id":"ebb875b9-4f61-471c-9477-a5a63e5c97dc","vulnId":"V-253986","severity":"medium","ruleTitle":"The Juniper router must be configured to bind a Protocol Independent Multicast (PIM) neighbor filter to interfaces that have PIM enabled.","description":"PIM is a routing protocol used to build multicast distribution trees for forwarding multicast traffic across the network infrastructure. PIM traffic must be limited to only known PIM neighbors by configuring and binding a PIM neighbor filter to those interfaces that have PIM enabled. If a PIM neighbor filter is not applied to those interfaces that have PIM enabled, unauthorized routers can join the PIM domain, discover and use the rendezvous points, and also advertise their rendezvous points into the domain. This can result in a denial of service by traffic flooding or result in the unauthorized transfer of data.","checkContent":"$33","fixText":"This requirement is not applicable for the DODIN Backbone.\n\nConfigure neighbor filters to only accept PIM control plane traffic from documented PIM neighbors. Bind neighbor filters to all PIM enabled interfaces.\n\nset policy-options prefix-list PIM-NEIGHBOR-1 /32\nset policy-options policy-statement PIM-NBR-1 from prefix-list PIM-NEIGHBOR-1\nset policy-options policy-statement PIM-NBR-1 then accept\n\nset protocols pim interface . mode sparse\nset protocols pim interface . neighbor-policy PIM-NBR-1\nset protocols pim interface all disable"},{"id":"e180f7ab-4ea3-461e-9e2d-4fd7ef6d4612","vulnId":"V-253987","severity":"low","ruleTitle":"The Juniper multicast edge router must be configured to establish boundaries for administratively scoped multicast traffic.","description":"If multicast traffic is forwarded beyond the intended boundary, it is possible that it can be intercepted by unauthorized or unintended personnel.\n\nAdministrative scoped multicast addresses are locally assigned and are to be used exclusively by the enterprise network or enclave. Administrative scoped multicast traffic must not cross the enclave perimeter in either direction. Restricting multicast traffic makes it more difficult for a malicious user to access sensitive traffic.\n\nAdmin-Local scope is encouraged for any multicast traffic within a network intended for network management, as well as for control plane traffic that must reach beyond link-local destinations.","checkContent":"Review the router configuration and verify that admin-scope multicast traffic is blocked at the external edge.\n\nVerify either a scope is defined for specific interfaces or a scope policy is applied.\n[edit routing-options multicast]\nscope { \n prefix 239.0.0.0/8;\n interface [ ];\n}\nscope { \n prefix ff08::/16;\n interface [ ];\n}\n\n-or-\n\n[edit policy-options]\npolicy-statement {\n term 1 {\n from {\n route-filter 239.0.0.0/8 orlonger;\n route-filter ff08::/16 orlonger;\n }\n then reject;\n }\n}\n[edit routing-options multicast]\nscope-policy \n\nIf the router is not configured to establish boundaries for administratively scoped multicast traffic, this is a finding.","fixText":"Configure the policy to deny packets with multicast administratively scoped destination addresses.\nset routing-options multicast scope prefix 239.0.0.0/8;\nset routing-options multicast scope prefix ff08::/16;\n\n-or-\n\nset policy-options policy-statement term 1 from route-filter 239.0.0.0/8 orlonger\nset policy-options policy-statement term 1 from route-filter ff08::/16 orlonger\n\nApply the multicast boundary at the appropriate interfaces.\nset routing-options multicast scope interface [ ]\nset routing-options multicast scope interface [ ]\n\n-or-\n\nset routing-options multicast scope-policy "},{"id":"6c008b58-2e43-4231-a3e1-3390454f947b","vulnId":"V-253988","severity":"low","ruleTitle":"The Juniper router must be configured to have all inactive interfaces disabled.","description":"An inactive interface is rarely monitored or controlled and may expose a network to an undetected attack on that interface. Unauthorized personnel with access to the communication facility could gain access to a router by connecting to a configured interface that is not in use.\n\nIf an interface is no longer used, the configuration must be deleted and the interface disabled. For logical interfaces, delete those that are on inactive interfaces and delete logical interfaces that are themselves inactive. If the logical interface is no longer necessary for authorized communications, it must be deleted.","checkContent":"$34","fixText":"Disable inactive interfaces.\n\ndelete interfaces \n-or-\nset interfaces disable\n-or-\nset interfaces interface-range DISABLED_INTERFACES member \nset interfaces interface-range DISABLED_INTERFACES member-range to \nset interfaces interface-range DISABLED_INTERFACES disable"},{"id":"969fc777-42ba-4eec-924c-55f44a33bda6","vulnId":"V-253989","severity":"high","ruleTitle":"The Juniper perimeter router must be configured to protect an enclave connected to an alternate gateway by using an inbound filter that only permits packets with destination addresses within the site's address space.","description":"Enclaves with alternate gateway connections must take additional steps to ensure there is no compromise on the enclave network or NIPRNet. Without verifying the destination address of traffic coming from the site's alternate gateway, the perimeter router could be routing transit data from the internet into the NIPRNet. This could also make the perimeter router vulnerable to a denial-of-service (DoS) attack as well as provide a back door into the NIPRNet. The DOD enclave must ensure the ingress filter applied to external interfaces on a perimeter router connecting to an Approved Gateway is secure through filters permitting packets with a destination address belonging to the DOD enclave's address block.","checkContent":"$35","fixText":"$36"},{"id":"a9d3f241-4ff8-4799-9c1f-513c2e651f00","vulnId":"V-253990","severity":"high","ruleTitle":"The Juniper perimeter router must not be configured to be a Border Gateway Protocol (BGP) peer to an alternate gateway service provider.","description":"ISPs use BGP to share route information with other autonomous systems (i.e., other ISPs and corporate networks). If the perimeter router was configured to BGP peer with an ISP, NIPRNet routes could be advertised to the ISP; thereby creating a backdoor connection from the internet to the NIPRNet.","checkContent":"$37","fixText":"This requirement is not applicable for the DODIN Backbone.\n\nRemove BGP neighbors belonging to the alternate gateway service provider.\n\ndelete protocols bgp group neighbor \n\nConfigure a static route on the perimeter router to reach the AS of a router connecting to an alternate gateway.\n\nset routing-options rib inet6.0 static route / next-hop \nset routing-options static route / next-hop "},{"id":"91e585bd-a9fe-4614-953d-450743c0ccf4","vulnId":"V-253991","severity":"low","ruleTitle":"The Juniper perimeter router must not be configured to redistribute static routes to an alternate gateway service provider into BGP or an IGP peering with the NIPRNet or to other autonomous systems.","description":"If the static routes to the alternate gateway are being redistributed into an Exterior Gateway Protocol or Interior Gateway Protocol to a NIPRNet gateway, this could make traffic on NIPRNet flow to that particular router and not to the Internet Access Point routers. This could not only wreak havoc with traffic flows on NIPRNet, but it could overwhelm the connection from the router to the NIPRNet gateway(s) and also cause traffic destined for outside of NIPRNet to bypass the defenses of the Internet Access Points.","checkContent":"$38","fixText":"This requirement is not applicable for the DODIN Backbone.\n\nConfigure the router so that static routes are not redistributed to an alternate gateway into either an Exterior Gateway Protocol or Interior Gateway Protocol to the NIPRNet or to other autonomous systems.\nset policy-options policy-statement term 1 from protocol static\nset policy-options policy-statement term 1 then reject\n\nset protocols bgp group export \nset protocols bgp group neighbor

export \nset protocols bgp export \n\nset protocols ospf export \nset protocols ospf3 export "},{"id":"f4235c5e-3129-4f15-9151-3311123039cb","vulnId":"V-253992","severity":"medium","ruleTitle":"The Juniper out-of-band management (OOBM) gateway router must be configured to have separate IGP instances for the managed network and management network.","description":"If the gateway router is not a dedicated device for the OOBM network, implementation of several safeguards for containment of management and production traffic boundaries must occur. Since the managed and management network are separate routing domains, configuration of separate Interior Gateway Protocol routing instances is critical on the router to segregate traffic from each network.","checkContent":"$39","fixText":"This requirement is not applicable for the DODIN Backbone.\n\nConfigure the router to enforce that Interior Gateway Protocol instances configured on the OOBM gateway router peer only with their own routing domain.\nset protocols ospf area interface .\n\nset routing-instances instance-type virtual-router\nset routing-instances protocols ospf area interface ."},{"id":"bef30b87-6066-4dc9-959e-e4d698c8ae57","vulnId":"V-253993","severity":"medium","ruleTitle":"The Juniper out-of-band management (OOBM) gateway router must not be configured to redistribute routes between the management network routing domain and the managed network routing domain.","description":"If the gateway router is not a dedicated device for the OOBM network, several safeguards must be implemented for containment of management and production traffic boundaries; otherwise, it is possible that management traffic will not be separated from production traffic.\n\nSince the managed network and the management network are separate routing domains, separate Interior Gateway Protocol routing instances must be configured on the router, one for the managed network and one for the OOBM network. In addition, the routes from the two domains must not be redistributed to each other.","checkContent":"$3a","fixText":"$3b"},{"id":"43e5d819-1e94-4f22-9b6e-f6bd3c27a40f","vulnId":"V-253994","severity":"low","ruleTitle":"The Juniper multicast Rendezvous Point (RP) router must be configured to filter Protocol Independent Multicast (PIM) Register messages received from the Designated Router (DR) for any undesirable multicast groups and sources.","description":"Real-time multicast traffic can entail multiple large flows of data. An attacker can flood a network segment with multicast packets, over-using the available bandwidth and thereby creating a denial-of-service (DoS) condition. Hence, it is imperative that register messages are accepted only for authorized multicast groups and sources.","checkContent":"Verify that the RP router is configured to filter PIM register messages from unauthorized multicast groups and sources.\n[edit policy-options]\npolicy-statement {\n term filter_groups {\n from {\n route-filter / orlonger;\n route-filter / exact;\n \n }\n then reject;\n }\n term filter_sources {\n from {\n source-address-filter /32 exact;\n source-address-filter / orlonger;\n \n }\n then reject;\n }\n term accept_others {\n then accept;\n }\n}\n\n[edit protocols pim]\nrp {\n rp-register-policy ;\n} \n\nIf the RP router peering with PIM-SM routers is not configured with a PIM import policy to block registration messages for any undesirable multicast groups and sources, this is a finding.","fixText":"Configure the RP router to filter PIM register messages received from a multicast DR for any undesirable multicast groups or sources.\n\nset policy-options policy-statement term filter_groups from route-filter / \nset policy-options policy-statement term filter_groups from route-filter / \nset policy-options policy-statement term filter_groups then reject\n\nset policy-options policy-statement term filter_source from source-address-filter / \nset policy-options policy-statement term filter_source from source-address-filter / \nset policy-options policy-statement term filter_source then reject\n\nset policy-options policy-statement term accept_others then accept\n\nset protocols pim rp rp-register-policy "},{"id":"8a4e5010-665d-4394-830e-25d4b7e7e92b","vulnId":"V-253995","severity":"low","ruleTitle":"The Juniper multicast Rendezvous Point (RP) router must be configured to filter Protocol Independent Multicast (PIM) Join messages received from the Designated Router (DR) for any undesirable multicast groups.","description":"Real-time multicast traffic can entail multiple large flows of data. An attacker can flood a network segment with multicast packets, over-using the available bandwidth and thereby creating a denial-of-service (DoS) condition. Hence, it is imperative that join messages are only accepted for authorized multicast groups.","checkContent":"$3c","fixText":"RP routers that are peering with customer PIM-SM routers must implement a PIM import policy to block join messages for reserved and any undesirable multicast groups.\n\nset policy-options policy-statement term filter_groups from route-filter / \nset policy-options policy-statement term filter_groups from route-filter / \nset policy-options policy-statement term filter_groups then reject\n\nset policy-options policy-statement term filter_source from source-address-filter / \nset policy-options policy-statement term filter_source from source-address-filter / \nset policy-options policy-statement term filter_source then reject\n\nset policy-options policy-statement term accept_others then accept\n\nset protocols pim import "},{"id":"099add48-1bed-4ad1-8862-47ed8343f845","vulnId":"V-253996","severity":"medium","ruleTitle":"The Juniper router must be configured to produce audit records containing information to establish where the events occurred.","description":"Without establishing where events occurred, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack.\n\nTo compile an accurate risk assessment and provide forensic analysis, it is essential for security personnel to know where events occurred, such as router components, modules, device identifiers, node names, and functionality.\n\nAssociating information about where the event occurred within the network provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured router.","checkContent":"$3d","fixText":"Configure the router to record the interface in the log record for packets being dropped.\n\nExample firewall filter with logging enabled:\nset firewall family inet filter term 1 from \nset firewall family inet filter term 1 then log\nset firewall family inet filter term 1 then syslog <<< Must be enabled for all discarding terms\nset firewall family inet filter term 1 then discard\nset firewall family inet6 filter term 1 from \nset firewall family inet6 filter term 1 then log\nset firewall family inet6 filter term 1 then syslog <<< Must be enabled for all discarding terms\nset firewall family inet6 filter term 1 then discard\n\nExample consolidated logging:\nset syslog host any info\nset system syslog file messages any info"},{"id":"52595ae6-e910-4ebf-ad7a-9d62be4b6bea","vulnId":"V-253997","severity":"medium","ruleTitle":"The Juniper router must be configured to produce audit records containing information to establish the source of the events.","description":"Without establishing the source of the event, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack.\n\nTo compile an accurate risk assessment and provide forensic analysis, security personnel need to know the source of the event.\n\nIn addition to logging where events occur within the network, the audit records must also identify sources of events such as IP addresses, processes, and node or device names.","checkContent":"$3e","fixText":"Configure the router to record the source address in the log record for packets being dropped.\n\nExample firewall filter with logging enabled:\nset firewall family inet filter term 1 from \nset firewall family inet filter term 1 then log\nset firewall family inet filter term 1 then syslog <<< Must be enabled for all discarding terms\nset firewall family inet filter term 1 then discard\nset firewall family inet6 filter term 1 from \nset firewall family inet6 filter term 1 then log\nset firewall family inet6 filter term 1 then syslog <<< Must be enabled for all discarding terms\nset firewall family inet6 filter term 1 then discard\n\nset syslog host any info\nset system syslog file messages any info"},{"id":"6a7eb8a0-33cf-4277-9a94-10257702e1a5","vulnId":"V-253998","severity":"low","ruleTitle":"The Juniper router must be configured to log all packets that have been dropped.","description":"Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done or attempted to be done, and by whom, to compile an accurate risk assessment. Auditing the actions on network devices provides a means to recreate an attack or identify a configuration mistake on the device.","checkContent":"Review the router interface firewall filters to verify all deny statements are logged. At a minimum, all discarding filter terms must have the \"syslog\" action enabled.\n\nVerify all discarding firewall filter terms are configured with (minimally) the \"syslog\" action:\n[edit firewall]\nfamily inet {\n filter {\n term {\n from {\n ;\n }\n then {\n log;\n syslog; <<< Must be enabled for local and external syslog.\n discard;\n }\n }\n }\n}\nfamily inet6 {\n filter {\n term {\n from {\n ;\n }\n then {\n log;\n syslog; <<< Must be enabled for local and external syslog.\n discard;\n }\n }\n }\n}\n\nIf packets being dropped are not logged, this is a finding.","fixText":"Configure interface firewall filters to log all deny statements.\n\nAll discarding firewall filter terms:\n\nset firewall family inet filter term then log\nset firewall family inet filter term then syslog <<< Minimally must be configured for all discarding filter terms.\nset firewall family inet filter term then discard\n\n\nset firewall family inet6 filter term then log\nset firewall family inet6 filter term then syslog <<< Minimally must be configured for all discarding filter terms.\nset firewall family inet6 filter term then discard"},{"id":"ed7ea8fe-facf-4215-9214-9148f4914dfa","vulnId":"V-253999","severity":"low","ruleTitle":"The Juniper router must be configured to have all nonessential capabilities disabled.","description":"A compromised router introduces risk to the entire network infrastructure, as well as data resources that are accessible via the network. The perimeter defense has no oversight or control of attacks by malicious users within the network. Preventing network breaches from within is dependent on implementing a comprehensive defense-in-depth strategy, including securing each device connected to the network. This is accomplished by following and implementing all security guidance applicable for each node type. A fundamental step in securing each router is to enable only the capabilities required for operation.","checkContent":"Review the router configuration to determine if services or functions not required for operation, or not related to router functionality (e.g., DNS, email client or server, FTP server, or web server) are enabled.\nBy default, unnecessary services like finger, telnet, TFTP and FTP are not enabled and will not be listed at [edit system services].\n\nFor example, the following services should NOT be enabled as shown:\n[edit system services]\nfinger;\nftp;\nrlogin;\ntelnet;\ntftp-server;\nweb-management;\nNote: If the services listed above are marked \"inactive\", they are not enabled. \n\nIf unnecessary services and functions are enabled on the router, this is a finding.","fixText":"Remove unneeded services and functions from the router. For example:\n\ndelete system services finger\ndelete system services ftp\ndelete system services rlogin\ndelete system services telnet\ndelete system services tftp-server\ndelete system services web-management\n\nFor processes that support disable:\nset system processes web-management disable\n\nRemoval is recommended because the service or function may be inadvertently enabled otherwise.\n\nHowever, if removal is not possible, disable the service or function."},{"id":"78091cd1-001b-4775-b12f-673b057cec40","vulnId":"V-254000","severity":"medium","ruleTitle":"The Juniper router must not be configured to have any feature enabled that calls home to the vendor.","description":"Call home services will routinely send data such as configuration and diagnostic information to the vendor for routine or emergency analysis and troubleshooting. There is a risk that transmission of sensitive data sent to unauthorized persons could result in data loss or downtime due to an attack.","checkContent":"Verify the call home service is disabled on the device.\n\nVerify [edit system] does NOT contain a phone-home hierarchy as shown:\n\n[edit system]\nhost-name ;\n:\n\n:\nphone-home {\n server https://;\n rfc-compliant;\n}\n\nIf a call home service is enabled, this is a finding.","fixText":"Configure the network device to disable the call home service or feature.\n\nDelete the phone-home hierarchy under [edit system].\n\ndelete system phone-home\nNote: Because the command is hidden, Junos will not autocomplete and \"phone-home\" must be explicitly, and correctly, spelled out."},{"id":"b2d3206e-ce00-4db3-b22a-3b3d3eb082f4","vulnId":"V-254001","severity":"medium","ruleTitle":"The Juniper router must be configured to use encryption for routing protocol authentication.","description":"A rogue router could send a fictitious routing update to convince a site's perimeter router to send traffic to an incorrect or even a rogue destination. This diverted traffic could be analyzed to learn confidential information about the site's network or used to disrupt the network's ability to communicate with other networks. This is known as a \"traffic attraction attack\" and is prevented by configuring neighbor router authentication for routing updates. However, using clear-text authentication provides little benefit since an attacker can intercept traffic and view the authentication key. This would allow the attacker to use the authentication key in an attack.\n\nThis requirement applies to all IPv4 and IPv6 protocols that are used to exchange routing or packet forwarding information; this includes all Interior Gateway Protocols (such as OSPF, EIGRP, and IS-IS) and Exterior Gateway Protocols (such as BGP), MPLS-related protocols (such as LDP), and multicast-related protocols.","checkContent":"$3f","fixText":"$40"},{"id":"d952764f-3ea4-4d6a-8bee-b336ff89f68f","vulnId":"V-254002","severity":"medium","ruleTitle":"The Juniper router must be configured to authenticate all routing protocol messages using NIST-validated FIPS 198-1 message authentication code algorithm.","description":"$41","checkContent":"Verify routing protocol authentication is enabled using a FIPS 198-1 validated hashed message authentication code (HMAC).\n\nFor protocols supporting IPsec SA:\n[edit security ipsec]\nsecurity-association {\n\n\nNOTE: Versions of Junos not supporting RFC5709 must be configured to use MD5 authentication, but this is still a CAT III finding since MD5 is not compliant.\nFor protocols not supporting IPsec SA (OSPFv2 example shown)\n[edit protocols ospf]\narea {\n interface {\n authentication {\n key “”;\n }\n }\n}\n\n\nIf a NIST-validated FIPS 198-1 message authentication code algorithm is not being used to authenticate routing protocols, this is a finding.\nRouting protocols using authentication with non-NIST-validated FIPS 198-1 algorithms may be downgraded to CAT III.","fixText":"$42"},{"id":"615d4777-6a73-4bd1-adc0-fb0200253aeb","vulnId":"V-254003","severity":"medium","ruleTitle":"The Juniper PE router must be configured to limit the number of MAC addresses it can learn for each Virtual Private LAN Services (VPLS) bridge domain.","description":"$43","checkContent":"Review the PE router configuration to determine if a MAC address limit has been set for each bridge domain.\n\nVerify the MAC address limit is globally defined for the VPLS protocol or at each interface assigned to the routing instance.\n\n[edit routing-instance]\n {\n protocols {\n vpls {\n interface-mac-limit {\n ;\n }\n interface . {\n interface-mac-limit {\n ;\n }\n }\n }\n }\n}\n\nNote: Only EX9200-series devices currently support VPLS.\n\nIf a limit has not been configured, this is a finding.","fixText":"Configure a MAC address learning limit for each VPLS bridge domain.\n\nset routing-instance protocols vpls interface-mac-limit \nset routing-instance protocols vpls interface . interface-mac-limit "},{"id":"beb02fca-caae-43ed-8222-5b9d9d6c971e","vulnId":"V-254004","severity":"low","ruleTitle":"The Juniper MPLS router with RSVP-TE enabled must be configured to enable refresh reduction features.","description":"$44","checkContent":"$45","fixText":"Configure RSVP-TE enabled routers with refresh reduction features.\n\nJunos earlier than 15.2:\nset protocols rsvp interface . aggregate\nset protocols rsvp interface . reliable\n\nJunos 15.2 but pre 16.1R1:\nset protocols rsvp interface . reliable\n\nJunos 16.1R1 and later:\nset protocols rsvp interface . "},{"id":"cd2b1b3d-57a1-4abc-b167-d9e560cb1940","vulnId":"V-254005","severity":"medium","ruleTitle":"The Juniper PE router providing Virtual Private LAN Services (VPLS) must be configured to have traffic storm control thresholds on CE-facing interfaces.","description":"A traffic storm occurs when packets flood a VPLS bridge, creating excessive traffic and degrading network performance. Traffic storm control prevents VPLS bridge disruption by suppressing traffic when the number of packets reaches configured threshold levels. Traffic storm control monitors incoming traffic levels on a port and drops traffic when the number of packets reaches the configured threshold level during any one-second interval.","checkContent":"$46","fixText":"$47"},{"id":"dd302b26-25f5-4ce1-915a-d7629480a21e","vulnId":"V-254006","severity":"medium","ruleTitle":"The Juniper PE router must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial-of-service (DoS) attacks.","description":"$48","checkContent":"$49","fixText":"$4a"},{"id":"179169bb-5593-4e29-b372-54cfb50f4029","vulnId":"V-254007","severity":"low","ruleTitle":"The Juniper PE router must be configured to enforce a Quality-of-Service (QoS) policy in accordance with the QoS DODIN Technical Profile.","description":"$4b","checkContent":"$4c","fixText":"$4d"},{"id":"a125a0bc-45e7-4bf1-b2d0-be86ac402b1f","vulnId":"V-254008","severity":"low","ruleTitle":"The Juniper PE router must be configured to enforce a Quality-of-Service (QoS) policy in accordance with the QoS GIG Technical Profile.","description":"$4e","checkContent":"$4f","fixText":"$50"},{"id":"f4e62fb3-8e06-4d5a-95f0-1c98bda7e706","vulnId":"V-254009","severity":"high","ruleTitle":"The Juniper perimeter router must be configured to deny network traffic by default and allow network traffic by exception.","description":"A deny-all, permit-by-exception network communications traffic policy ensures that only connections that are essential and approved are allowed.\n\nThis requirement applies to both inbound and outbound network communications traffic. All inbound and outbound traffic must be denied by default. Firewalls and perimeter routers should only allow traffic through that is explicitly permitted. The initial defense for the internal network is to block any traffic at the perimeter that is attempting to make a connection to a host residing on the internal network. In addition, allowing unknown or undesirable outbound traffic by the firewall or router will establish a state that will permit the return of this undesirable traffic inbound.","checkContent":"$51","fixText":"$52"},{"id":"2f996070-f423-4282-a934-b10f4b4bfccf","vulnId":"V-254010","severity":"high","ruleTitle":"The Juniper router must be configured to restrict traffic destined to itself.","description":"The routing engine (RE) handles traffic destined to the router—the key component used to build forwarding paths and is also instrumental with all network management functions. Hence, any disruption or DoS attack to the RE can result in mission critical network outages.","checkContent":"$53","fixText":"$54"},{"id":"1cdcd0eb-6c24-400e-8912-dddac2b4976b","vulnId":"V-254011","severity":"medium","ruleTitle":"The Juniper router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.","description":"Fragmented ICMP packets can be generated by hackers for denial-of-service (DoS) attacks such as Ping O' Death and Teardrop. It is imperative that all fragmented ICMP packets are dropped.","checkContent":"$55","fixText":"Ensure all routers have their receive path filter configured to drop all fragmented ICMP packets.\n\nset policy-options prefix-list router-addresses-ipv4 /32\nset firewall family inet filter protect_re term 1 from destination-prefix-list router-addresses-ipv4\nset firewall family inet filter protect_re term 1 from protocol icmp\nset firewall family inet filter protect_re term 1 from is-fragment\nset firewall family inet filter protect_re term 1 then log\nset firewall family inet filter protect_re term 1 then syslog\nset firewall family inet filter protect_re term 1 then discard\n\n\nset interfaces lo0 unit 0 family inet filter input protect_re"},{"id":"933b88e2-832c-4794-bc13-f0b53946b836","vulnId":"V-254012","severity":"medium","ruleTitle":"The Juniper perimeter router must be configured to filter traffic destined to the enclave in accordance with the guidelines contained in DoD Instruction 8551.1.","description":"$56","checkContent":"$57","fixText":"$58"},{"id":"ec1199da-0c93-4bac-ac00-cc25ab5c5199","vulnId":"V-254013","severity":"medium","ruleTitle":"The Juniper perimeter router must be configured to filter ingress traffic at the external interface on an inbound direction.","description":"Firewall filters are used to separate data traffic into that which it will route (permitted packets) and that which it will not route (denied packets). Secure configuration of routers makes use of firewall filters for restricting access to services on the router itself as well as for filtering traffic passing through the router. \n\nInbound versus Outbound: It should be noted that some operating systems default access lists are applied to the outbound queue. The more secure solution is to apply the access list to the inbound queue for three reasons:\n\n- The router can protect itself before damage is inflicted.\n- The input port is still known and can be filtered upon.\n- It is more efficient to filter packets before routing them.","checkContent":"$59","fixText":"This requirement is not applicable for the DODIN Backbone.\n\nBind the ingress firewall filter to the external interface (inbound).\n\nset interfaces unit family inet filter input inbound-ipv4\nset interfaces unit family inet6 filter input inbound-ipv6"},{"id":"7fe13405-c481-464a-a083-1197348702c6","vulnId":"V-254014","severity":"medium","ruleTitle":"The Juniper perimeter router must be configured to filter egress traffic at the internal interface on an inbound direction.","description":"Firewall filters are used to separate data traffic into that which it will route (permitted packets) and that which it will not route (denied packets). Secure configuration of routers makes use of firewall filters for restricting access to services on the router itself as well as for filtering traffic passing through the router. \n\nInbound versus Outbound: It should be noted that some operating systems default access lists are applied to the outbound queue. The more secure solution is to apply the access list to the inbound queue for three reasons:\n\n- The router can protect itself before damage is inflicted.\n- The input port is still known and can be filtered upon.\n- It is more efficient to filter packets before routing them.","checkContent":"$5a","fixText":"This requirement is not applicable for the DODIN Backbone.\n\nConfigure an egress firewall filter bound to the internal interface in an inbound direction to filter traffic leaving the network.\n\nset interfaces unit family inet filter input outbound-ipv4\nset interfaces unit family inet6 filter input outbound-ipv6"},{"id":"dc0a45e3-c99a-4e43-8324-6364acc70106","vulnId":"V-254015","severity":"medium","ruleTitle":"The Juniper BGP router must be configured to reject outbound route advertisements for any prefixes belonging to the IP core.","description":"Outbound route advertisements belonging to the core can result in traffic either looping or being black holed, or at a minimum, using a nonoptimized path.","checkContent":"$5b","fixText":"Configure all eBGP routers to filter outbound route advertisements belonging to the IP core.\n\nFor example:\nset policy-options prefix-list ip-core-ipv4 192.0.2.0/24\nset policy-options prefix-list ip-core-ipv6 2001:db8:2::/64\nset policy-options policy-statement advertise-bgp-prefix term exclude-ipv4-core from prefix-list ip-core-ipv4\nset policy-options policy-statement advertise-bgp-prefix term exclude-ipv4-core then reject\nset policy-options policy-statement advertise-bgp-prefix term exclude-ipv6-core from prefix-list ip-core-ipv6\nset policy-options policy-statement advertise-bgp-prefix term exclude-ipv6-core then reject\nset policy-options policy-statement advertise-bgp-prefix term default then accept\n\nset protocols bgp group eBGP type external\nset protocols bgp group eBGP export advertise-bgp-prefix\nset protocols bgp group eBGP neighbor 192.0.2.11 export advertise-bgp-prefix\nset protocols bgp export advertise-bgp-prefix"},{"id":"cc20e789-eef7-487b-acb3-9084aec93958","vulnId":"V-254016","severity":"high","ruleTitle":"The Juniper PE router must be configured to block any traffic that is destined to IP core infrastructure.","description":"IP/MPLS networks providing VPN and transit services must provide, at the least, the same level of protection against denial-of-service (DoS) attacks and intrusions as layer 2 networks. Although the IP core network elements are hidden, security should never rely entirely on obscurity.\n\nIP addresses can be guessed. Core network elements must not be accessible from any external host. Protecting the core from any attack is vital for the integrity and privacy of customer traffic as well as the availability of transit services. A compromise of the IP core can result in an outage or, at a minimum, nonoptimized forwarding of customer traffic. Protecting the core from an outside attack also prevents attackers from using the core to attack any customer. Hence, it is imperative that all routers at the edge deny traffic destined to any address belonging to the IP core infrastructure.","checkContent":"$5c","fixText":"$5d"},{"id":"4d02494f-1e37-4876-a1b0-abaf849e7e0f","vulnId":"V-254017","severity":"medium","ruleTitle":"The Juniper PE router must be configured with Unicast Reverse Path Forwarding (uRPF) loose mode, or a firewall filter, enabled on all CE-facing interfaces.","description":"The uRPF feature, and ingress firewall filters, are defenses against spoofing and denial-of-service (DoS) attacks by verifying if the source address of any ingress packet is reachable. To mitigate attacks that rely on forged source addresses, all provider edge routers must enable uRPF or ingress firewall filters to guarantee that all packets received from a CE router contain source addresses that are in the route table.","checkContent":"$5e","fixText":"$5f"},{"id":"55e06e1e-56b4-4978-83e5-f89193058bf6","vulnId":"V-254018","severity":"medium","ruleTitle":"The Juniper out-of-band management (OOBM) gateway must be configured to transport management traffic to the Network Operations Center (NOC) via dedicated circuit, MPLS/VPN service, or IPsec tunnel.","description":"Using dedicated paths, the OOBM backbone connects the OOBM gateway routers located at the edge of the managed network and at the NOC. Dedicated links can be deployed using provisioned circuits or MPLS layer 2 and layer 3 VPN services or implementing a secured path with gateway-to-gateway IPsec tunnels. The tunnel mode ensures that the management traffic will be logically separated from any other traffic traversing the same path.","checkContent":"$60","fixText":"$61"},{"id":"f153e593-585e-44a5-9715-27bd3752b6ce","vulnId":"V-254019","severity":"medium","ruleTitle":"The Juniper out-of-band management (OOBM) gateway router must be configured to forward only authorized management traffic to the Network Operations Center (NOC).","description":"The OOBM network is an IP network used exclusively for the transport of OAM&P data from the network being managed to the OSS components located at the NOC. Its design provides connectivity to each managed network device, enabling network management traffic to flow between the managed network elements and the NOC. This allows the use of paths separate from those used by the managed network.","checkContent":"$62","fixText":"$63"},{"id":"e1314369-d347-4334-ae96-94cce6683a3d","vulnId":"V-254020","severity":"medium","ruleTitle":"The Juniper out-of-band management (OOBM) gateway router must be configured to block any traffic destined to itself that is not sourced from the OOBM network or the NOC.","description":"If the gateway router is not a dedicated device for the OOBM network, several safeguards must be implemented for containment of management and production traffic boundaries. It is imperative that hosts from the managed network are not able to access the OOBM gateway router.","checkContent":"$64","fixText":"$65"},{"id":"6bd5d17a-c136-4df6-8c14-7532661bb437","vulnId":"V-254021","severity":"medium","ruleTitle":"The Juniper router must be configured to only permit management traffic that ingresses and egresses the OOBM interface.","description":"The OOBM access switch will connect to the management interface of the managed network elements. The management interface can be a true OOBM interface or a standard interface functioning as the management interface. In either case, the management interface of the managed network element will be directly connected to the OOBM network.\n\nAn OOBM interface does not forward transit traffic, thereby providing complete separation of production and management traffic. Because all management traffic is immediately forwarded into the management network, it is not exposed to possible tampering. The separation also ensures that congestion or failures in the managed network do not affect the management of the device. If the device does not have an OOBM interface, the interface functioning as the management interface must be configured so that management traffic does not leak into the managed network and that production traffic does not leak into the management network.","checkContent":"$66","fixText":"$67"},{"id":"47eef5d9-d87e-4547-a552-8faf75fb2caa","vulnId":"V-254022","severity":"high","ruleTitle":"The Juniper perimeter router must be configured to restrict it from accepting outbound IP packets that contain an illegitimate address in the source address field via egress filter or by enabling Unicast Reverse Path Forwarding (uRPF).","description":"A compromised host in an enclave can be used by a malicious platform to launch cyberattacks on third parties. This is a common practice in \"botnets\", which are a collection of compromised computers using malware to attack other computers or networks. DDoS attacks frequently leverage IP source address spoofing to send packets to multiple hosts that in turn will then send return traffic to the hosts with the IP addresses that were forged. This can generate significant amounts of traffic. Therefore, protection measures to counteract IP source address spoofing must be taken. When uRPF is enabled in strict mode, the packet must be received on the interface that the device would use to forward the return packet; thereby mitigating IP source address spoofing.","checkContent":"$68","fixText":"$69"},{"id":"0e7282c7-ddf0-4599-831d-cd2484623ef8","vulnId":"V-254023","severity":"medium","ruleTitle":"The Juniper perimeter router must be configured to block all packets with any IP options.","description":"Packets with IP options are not fast switched and must be punted to the route engine (RE). Hackers who initiate denial-of-service (DoS) attacks on routers commonly send large streams of packets with IP options. Dropping the packets with IP options reduces the load of IP options packets on the router. The end result is a reduction in the effects of the DoS attack on the router and on downstream routers.","checkContent":"$6a","fixText":"This requirement is not applicable for the DODIN Backbone.\n\nConfigure the router to drop all packets with IP options.\n\nset firewall family inet filter term 1 from ip-options any\nset firewall family inet filter term 1 then log\nset firewall family inet filter term 1 then syslog\nset firewall family inet filter term 1 then discard\n\nset firewall family inet filter default term 1 then log\nset firewall family inet filter default term 1 then syslog\nset firewall family inet filter default term 1 then discard\n\nset interfaces unit family inet filter input \nset interfaces unit family inet address /"},{"id":"6e9eadde-77c8-4040-87c7-dd85b5311b81","vulnId":"V-254024","severity":"medium","ruleTitle":"The Juniper PE router must be configured to ignore or block all packets with any IP options.","description":"Packets with IP options are not fast switched and, therefore, must be punted to the route engine (RE). Hackers who initiate denial-of-service (DoS) attacks on routers commonly send large streams of packets with IP options. Dropping the packets with IP options reduces the load of IP options packets on the router. The end result is a reduction in the effects of the DoS attack on the router and on downstream routers.","checkContent":"$6b","fixText":"Configure the router to drop all packets with IP options.\n\nset firewall family inet filter term 1 from ip-options any\nset firewall family inet filter term 1 then log\nset firewall family inet filter term 1 then syslog\nset firewall family inet filter term 1 then discard\n\nset firewall family inet filter default term 1 then log\nset firewall family inet filter default term 1 then syslog\nset firewall family inet filter default term 1 then discard\n\nset interfaces unit family inet filter input \nset interfaces unit family inet address /"},{"id":"f7b6e2d2-1a89-4d70-b4ad-47d56982001a","vulnId":"V-254025","severity":"medium","ruleTitle":"The Juniper router must be configured to implement message authentication for all control plane protocols.","description":"A rogue router could send a fictitious routing update to convince a site's perimeter router to send traffic to an incorrect or even a rogue destination. This diverted traffic could be analyzed to learn confidential information about the site's network or used to disrupt the network's ability to communicate with other networks. This is known as a \"traffic attraction attack\" and is prevented by configuring neighbor router authentication for routing updates.\n\nThis requirement applies to all IPv4 and IPv6 protocols that are used to exchange routing or packet forwarding information; this includes all Interior Gateway Protocols (such as OSPF, EIGRP, and IS-IS) and Exterior Gateway Protocols (such as BGP), MPLS-related protocols (such as LDP), and multicast-related protocols.","checkContent":"$6c","fixText":"$6d"},{"id":"62525890-c132-40e6-9c1a-4d646cd009b4","vulnId":"V-254026","severity":"medium","ruleTitle":"The Juniper BGP router must be configured to use a unique key for each autonomous system (AS) that it peers with.","description":"If the same keys are used between eBGP neighbors, the chance of a hacker compromising any of the BGP sessions increases. It is possible that a malicious user exists in one autonomous system who would know the key used for the eBGP session. This user would then be able to hijack BGP sessions with other trusted neighbors.","checkContent":"$6e","fixText":"Configure all eBGP routers with unique keys for each eBGP neighbor that it peers with.\n\nset security ipsec security-association manual direction bidirectional protocol esp\nset security ipsec security-association manual direction bidirectional spi \nset security ipsec security-association manual direction bidirectional authentication algorithm hmac-sha-256-128\nset security ipsec security-association manual direction bidirectional authentication key ascii-text \n\nset protocols bgp group type external\nset protocols bgp group local-as \nset protocols bgp group neighbor authentication-key \nset protocols bgp group neighbor ipsec-sa test"},{"id":"46c19da9-3f19-4f09-8fd4-8287f399c6ee","vulnId":"V-254027","severity":"medium","ruleTitle":"The Juniper router must be configured to use keys with a duration not exceeding 180 days for authenticating routing protocol messages.","description":"If the keys used for routing protocol authentication are guessed, the malicious user could create havoc within the network by advertising incorrect routes and redirecting traffic. Some routing protocols allow the use of key chains for authentication. A key chain is a set of keys that is used in succession, with each having a lifetime of no more than 180 days. Changing the keys frequently reduces the risk of them eventually being guessed.\n\nKeys cannot be used during time periods for which they are not activated. If a time period occurs during which no key is activated, neighbor authentication cannot occur, and therefore routing updates will fail. Therefore, ensure that for a given key chain, key activation times overlap to avoid any period of time during which no key is activated.","checkContent":"$6f","fixText":"$70"},{"id":"c1da5c03-00e5-49da-937d-052d12cdbfa3","vulnId":"V-254028","severity":"medium","ruleTitle":"The router providing MPLS L2VPN services must be configured to authenticate targeted LDP sessions used to exchange VC information using a FIPS-approved message authentication code algorithm.","description":"Label Distribution Protocol (LDP) provides the signaling required for setting up and tearing down pseudowires (virtual circuits used to transport layer 2 frames) across an MPLS IP core network. Using a targeted LDP session, each PE router advertises a virtual circuit label mapping that is used as part of the label stack imposed on the frames by the ingress PE router during packet forwarding. Authentication provides protection against spoofed TCP segments that can be introduced into the LDP sessions.","checkContent":"Review the router configuration to determine if LDP messages are being authenticated for the targeted LDP sessions.\n\n[edit protocols]\nldp {\n interface .;\n interface .;\n session {\n authentication-algorithm ;\n authentication-key-chain ;\n }\n}\n\nIf authentication is not being used for the LDP sessions using a FIPS-approved message authentication code algorithm, this is a finding.","fixText":"Implement authentication for all targeted LDP sessions using a FIPS-approved message authentication code algorithm.\n\nset protocols ldp interface .\nset protocols ldp interface .\nset protocols ldp session authentication-algorithm \nset protocols ldp session authentication-key-chain "},{"id":"54aff5a2-92ba-4115-8a0a-508af6458625","vulnId":"V-254029","severity":"medium","ruleTitle":"The Juniper Multicast Source Discovery Protocol (MSDP) router must be configured to authenticate all received MSDP packets.","description":"MSDP peering with customer network routers presents additional risks to the core, whether from a rogue or misconfigured MSDP-enabled router. MSDP password authentication is used to validate each segment sent on the TCP connection between MSDP peers, protecting the MSDP session against the threat of spoofed packets being injected into the TCP connection stream.","checkContent":"Review the router configuration to determine if received MSDP packets are authenticated.\n\n[edit protocols]\nmsdp {\n active-source-limit {\n maximum <1..1000000>;\n threshold <1..1000000>;\n log-warning ;\n }\n \n peer

{\n authentication-key \"hashed PSK\"; ## SECRET-DATA\n }\n}\n\nIf the router does not require MSDP authentication, this is a finding.","fixText":"Ensure all MSDP packets received by an MSDP router are authenticated.\n\nset protocols msdp active-source-limit maximum <1..1000000>\nset protocols msdp active-source-limit threshold <1..1000000>\nset protocols msdp active-source-limit log-warning \n\nset protocols msdp peer

authentication-key "},{"id":"d3d6848e-1402-4de0-baa7-c648f157d47e","vulnId":"V-254030","severity":"medium","ruleTitle":"The Juniper router must not be configured to have any zero-touch deployment feature enabled when connected to an operational network.","description":"Network devices configured via a zero-touch deployment or auto-loading feature can have their startup configuration or image pushed to the device for installation via TFTP or Remote Copy (rcp). Loading an image or configuration file from the network is taking a security risk because the file could be intercepted by an attacker who could corrupt the file, resulting in a denial of service.","checkContent":"$71","fixText":"Disable all configuration auto-loading or zero-touch deployment features.\n\ndelete system auto-configuration\ndelete system phone-home\nNote: The \"phone-home\" command is hidden and must be fully typed into the CLI (autocomplete will not work).\n\nConfigure the router with a nondefault configuration and commit."},{"id":"0a399c34-62d5-4409-929f-128100187ef6","vulnId":"V-254031","severity":"medium","ruleTitle":"The Juniper router must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection.","description":"$72","checkContent":"$73","fixText":"$74"},{"id":"967d5b87-21ca-4cf8-9b66-22e058dcb281","vulnId":"V-254032","severity":"medium","ruleTitle":"The Juniper router must be configured to have Gratuitous ARP disabled on all external interfaces.","description":"A gratuitous ARP is an ARP broadcast in which the source and destination MAC addresses are the same. It is used to inform the network about a host IP address. A spoofed gratuitous ARP message can cause network mapping information to be stored incorrectly, causing network malfunction.","checkContent":"Review the configuration to determine if gratuitous ARP is disabled on all external interfaces.\n[edit interfaces]\n {\n no-gratuitous-arp-reply;\n no-gratuitous-arp-request;\n unit {\n family inet {\n address /;\n }\n family inet6 {\n address /;\n }\n }\n}\n\nIf gratuitous ARP is enabled on any external interface, this is a finding.","fixText":"Disable gratuitous ARP on all external interfaces.\n\nset interfaces no-gratuitous-arp-reply\nset interfaces no-gratuitous-arp-request\nset interfaces unit family inet address /\nset interfaces unit family inet6 address /"},{"id":"230d5047-b97e-4a93-b2e3-5839dd960480","vulnId":"V-254033","severity":"low","ruleTitle":"The Juniper router must be configured to have IP directed broadcast disabled on all interfaces.","description":"$75","checkContent":"Review the router configuration to determine if IP directed broadcast is enabled.\n\nBy default, IP directed broadcast is disabled on all L3 interfaces, including Integrated Routing and Bridging (IRB) interfaces. Verify \"targeted-broadcast\" is not enabled as shown.\n\n[edit interfaces]\n {\n unit {\n family inet {\n targeted-broadcast; << Must not be present.\n address /;\n }\n }\n}\nirb {\n unit {\n family inet {\n targeted-broadcast; << Must not be present.\n address /;\n }\n }\n}\n\nIf IP directed broadcast is enabled on layer 3 interfaces, this is a finding.","fixText":"Disable IP directed broadcasts on all layer 3 interfaces.\n\ndelete interfaces unit family inet targeted-broadcast\ndelete interfaces irb unit family inet targeted-broadcast"},{"id":"d0674ac5-0d9f-4aef-8828-945b7c7e45de","vulnId":"V-254034","severity":"medium","ruleTitle":"The Juniper router must be configured to have Internet Control Message Protocol (ICMP) unreachable notifications disabled on all external interfaces.","description":"The ICMP supports IP traffic by relaying information about paths, routes, and network conditions. Routers automatically send ICMP messages under a wide variety of conditions. Host unreachable ICMP messages are commonly used by attackers for network mapping and diagnosis.","checkContent":"$76","fixText":"Disable ICMP unreachable notifications on all external interfaces.\n\nset policy-options prefix-list router-addresses-ipv4 /32\nset policy-options prefix-list router-addresses-ipv4 /\n\nset firewall family inet filter term 1 from source-prefix-list router-address-ipv4\nset firewall family inet filter term 1 from protocol icmp\nset firewall family inet filter term 1 from icmp-type unreachable\nset firewall family inet filter term 1 then log\nset firewall family inet filter term 1 then syslog\nset firewall family inet filter term 1 then discard\n\nset firewall family inet filter term default then log\nset firewall family inet filter term default then syslog\nset firewall family inet filter term default then discard\n\nset interfaces unit family inet filter output \nset interfaces unit family inet address ."},{"id":"fe81dce0-c8c1-4ea5-9a31-79608c25bde8","vulnId":"V-254035","severity":"medium","ruleTitle":"The Juniper router must be configured to have Internet Control Message Protocol (ICMP) mask replies disabled on all external interfaces.","description":"The ICMP supports IP traffic by relaying information about paths, routes, and network conditions. Routers automatically send ICMP messages under a wide variety of conditions. Mask Reply ICMP messages are commonly used by attackers for network mapping and diagnosis.","checkContent":"$77","fixText":"Disable ICMP mask replies on all external interfaces.\n\nset policy-options prefix-list router-addresses-ipv4 /32\nset policy-options prefix-list router-addresses-ipv4 /\n\nset firewall family inet filter term 1 from source-prefix-list router-address-ipv4\nset firewall family inet filter term 1 from protocol icmp\nset firewall family inet filter term 1 from icmp-type mask-reply\nset firewall family inet filter term 1 then log\nset firewall family inet filter term 1 then syslog\nset firewall family inet filter term 1 then discard\n\nset firewall family inet filter term default then log\nset firewall family inet filter term default then syslog\nset firewall family inet filter term default then discard\n\nset interfaces unit family inet filter output \nset interfaces unit family inet address ."},{"id":"d1f5ea39-5904-45e4-a879-fa867191f95d","vulnId":"V-254036","severity":"medium","ruleTitle":"The Juniper router must be configured to have Internet Control Message Protocol (ICMP) redirects disabled on all external interfaces.","description":"The ICMP supports IP traffic by relaying information about paths, routes, and network conditions. Routers automatically send ICMP messages under a wide variety of conditions. Redirect ICMP messages are commonly used by attackers for network mapping and diagnosis.","checkContent":"Review the device configuration to determine if controls have been defined to ensure the router does not send ICMP Redirect messages out to any external interfaces.\n\nVerify the global \"no-redirects\" statement is enabled under [edit system] or that individual interface \"no-redirects\" statements are configured on external interfaces.\n[edit system]\nno-redirects;\n[edit interfaces]\n {\n unit {\n family inet {\n no-redirects;\n address .;\n }\n family inet6 {\n no-redirects;\n address .;\n }\n }\n}\n\nIf ICMP Redirect messages are enabled on any external interfaces, this is a finding.","fixText":"Disable ICMP redirects on all external interfaces.\n\nset system no-redirects\n\nset interfaces unit family inet no-redirects\nset interfaces unit family inet6 no-redirects"},{"id":"a21873de-1124-406c-9704-e838fa253bd9","vulnId":"V-254037","severity":"medium","ruleTitle":"The Juniper BGP router must be configured to use the prefix limit feature to protect against route table flooding and prefix deaggregation attacks.","description":"$78","checkContent":"$79","fixText":"$7a"},{"id":"dccc2d15-a073-45d3-a31e-00c11ecb0f87","vulnId":"V-254038","severity":"low","ruleTitle":"The Juniper BGP router must be configured to limit the prefix size on any inbound route advertisement to /24 or the least significant prefixes issued to the customer.","description":"The effects of prefix deaggregation can degrade router performance due to the size of routing tables and also result in black-holing legitimate traffic. Initiated by an attacker or a misconfigured router, prefix deaggregation occurs when the announcement of a large prefix is fragmented into a collection of smaller prefix announcements.","checkContent":"$7b","fixText":"Configure all eBGP routers to use the prefix limit feature to protect against route table flooding and prefix deaggregation attacks.\n\nset policy-options policy-statement term 1 from route-filter 0.0.0.0/0 prefix-length-range /25-/32\nset policy-options policy-statement term 1 then reject\n\nset protocols bgp group type external\nset protocols bgp group import \nset protocols bgp group local-as \nset protocols bgp group neighbor import \nset protocols bgp group neighbor authentication-key \nset protocols bgp group neighbor import \nset protocols bgp group neighbor ipsec-sa \nset protocols bgp import "},{"id":"7d8f9801-ebf4-4cf2-8303-3a4946fa2269","vulnId":"V-254039","severity":"low","ruleTitle":"The Juniper PE router must be configured to implement Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) snooping for each Virtual Private LAN Services (VPLS) bridge domain.","description":"IGMP snooping provides a way to constrain multicast traffic at layer 2. By monitoring the IGMP membership reports sent by hosts within the bridge domain, the snooping application can set up layer 2 multicast forwarding tables to deliver traffic only to ports with at least one interested member within the VPLS bridge, thereby significantly reducing the volume of multicast traffic that would otherwise flood an entire VPLS bridge domain. The IGMP snooping operation applies to both access circuits and pseudowires within a VPLS bridge domain.","checkContent":"Review the router configuration to verify that IGMP or MLD snooping has been configured for IPv4 and IPv6 multicast traffic respectively for each VPLS bridge domain (VFI instance).\n\n[edit routing-instances ]\nprotocols {\n igmp-snooping {\n vlan ;\n }\n mld-snooping {\n vlan ;\n }\n}\n\nNote: Only EX9200-series devices currently support VPLS.\n\nIf the router is not configured to implement IGMP or MLD snooping for each VPLS bridge domain, this is a finding.","fixText":"Configure IGMP or MLD snooping for IPv4 and IPv6 multicast traffic respectively for each VPLS bridge domain.\n\nset routing-instances protocols igmp-snooping vlan \nset routing-instances protocols mld-snooping vlan "},{"id":"d7264cd6-87bf-419a-b558-b3e6d95b9ea1","vulnId":"V-254040","severity":"low","ruleTitle":"The Juniper multicast RP router must be configured to limit the multicast forwarding cache so that its resources are not saturated by managing an overwhelming number of PIM and MSDP source-active entries.","description":"MSDP peering between networks enables sharing of multicast source information. Enclaves with an existing multicast topology using PIM-SM can configure their RP routers to peer with MSDP routers. As a first step of defense against a denial-of-service (DoS) attack, all RP routers must limit the multicast forwarding cache to ensure that router resources are not saturated managing an overwhelming number of PIM and MSDP source-active entries.","checkContent":"Review the router configuration to determine if forwarding cache thresholds are defined.\n\n[edit routing-options]\nmulticast {\n forwarding-cache {\n threshold {\n suppress <1..200000>;\n reuse <1..200000>;\n log-warning ;\n }\n }\n}\n\nIf the RP router is not configured to limit the multicast forwarding cache to ensure that its resources are not saturated, this is a finding.","fixText":"Configure MSDP-enabled RP routers to limit the multicast forwarding cache for source-active entries.\n\nset routing-options multicast forwarding-cache threshold suppress <1..200000>\nset routing-options multicast forwarding-cache threshold reuse <1..200000>\nset routing-options multicast forwarding-cache threshold log-warning "},{"id":"3b31d120-88e0-4821-88da-246658440939","vulnId":"V-254041","severity":"medium","ruleTitle":"The Juniper multicast Rendezvous Point (RP) must be configured to rate limit the number of Protocol Independent Multicast (PIM) Register messages.","description":"When a new source starts transmitting in a PIM Sparse Mode network, the DR will encapsulate the multicast packets into register messages and forward them to the RP using unicast. This process can be taxing on the CPU for both the DR and the RP if the source is running at a high data rate and there are many new sources starting at the same time. This scenario can potentially occur immediately after a network failover. The rate limit for the number of register messages should be set to a relatively low value based on the known number of multicast sources within the multicast domain.","checkContent":"Review the configuration of the RP to verify that it is rate limiting the number of multicast register messages.\n\n[edit protocols pim]\nrp {\n register-limit {\n maximum <1..65535>;\n }\n \n}\n\nIf the RP is not limiting multicast register messages, this is a finding.","fixText":"Configure the RP to rate limit the number of multicast register messages.\n\nset protocols pim rp register-limit maximum <1..65535>"},{"id":"645ae73f-3958-4f23-af2f-0f93b9b299e6","vulnId":"V-254042","severity":"medium","ruleTitle":"The Juniper multicast Designated Router (DR) must be configured to limit the number of mroute states resulting from Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Host Membership Reports.","description":"The current multicast paradigm can let any host join any multicast group at any time by sending an IGMP or MLD membership report to the DR. In a Protocol Independent Multicast (PIM) Sparse Mode network, the DR will send a PIM Join message for the group to the RP. Without any form of admission control, this can pose a security risk to the entire multicast domain - specifically the multicast routers along the shared tree from the DR to the RP that must maintain the mroute state information for each group join request. Hence, it is imperative that the DR is configured to limit the number of mroute state information that must be maintained to mitigate the risk of IGMP or MLD flooding.","checkContent":"Review the DR configuration to verify that it is limiting the number of mroute states via IGMP or MLD. Verify the group-limit parameter is appropriate for the target network.\n\n[edit protocols]\nigmp {\n interface . {\n group-limit <1..32767>;\n }\n}\nmld {\n interface . {\n group-limit <1..32767>;\n }\n}\n\nIf the DR is not limiting multicast join requests via IGMP or MLD, this is a finding.","fixText":"Configure the DR on a global or interface basis to limit the number of mroute states resulting from IGMP or MLD membership reports.\n\nset protocols igmp interface . group-limit <1..32767>\nset protocols mld interface . group-limit <1..32767>"},{"id":"495d6715-25af-422d-aeb6-90489fcc95ec","vulnId":"V-254043","severity":"medium","ruleTitle":"The Juniper multicast Designated Router (DR) must be configured to increase the shortest-path tree (SPT) threshold or set it to infinity to minimalize source-group (S, G) state within the multicast topology where Any Source Multicast (ASM) is deployed.","description":"ASM can have many sources for the same groups (many-to-many). For many receivers, the path via the RP may not be ideal compared with the shortest path from the source to the receiver. By default, the last-hop router will initiate a switch from the shared tree to a source-specific SPT to obtain lower latencies. This is accomplished by the last-hop router sending an (S, G) Protocol Independent Multicast (PIM) Join toward S (the source).\n\nWhen the last-hop router begins to receive traffic for the group from the source via the SPT, it will send a PIM Prune message to the RP for the (S, G). The RP will then send a Prune message toward the source. The SPT switchover becomes a scaling issue for large multicast topologies that have many receivers and many sources for many groups because (S, G) entries require more memory than (*, G). Hence, it is imperative to minimize the amount of (S, G) state to be maintained by increasing the threshold that determines when the SPT switchover occurs.","checkContent":"Review the multicast last-hop router configuration to verify that the SPT switchover threshold is increased (default is \"0\") or set to infinity (never switch over). \n\nVerify the policy statement includes specific multicast groups or all groups (as shown).\n[edit policy-options]\npolicy-statement {\n term 1 {\n from {\n route-filter 234.0.0.0/8 orlonger;\n }\n then accept;\n }\n}\n\nVerify the infinity policy is applied.\n[edit protocols pim]\nspt-threshold {\n infinity ;\n}\n\nIf any multicast router is not configured to increase the SPT threshold or set to infinity to minimalize (S, G) state, this is a finding.","fixText":"Configure the multicast router to increase the SPT threshold or set it to infinity to minimalize (S, G) state within the multicast topology where ASM is deployed.\n\nset policy-options policy-statement term 1 from route-filter 239.0.0.0/8 orlonger\nset policy-options policy-statement term 1 then accept\n\nset protocols pim spt-threshold infinity "},{"id":"f23cdec7-7293-4154-a34e-daf1330e0505","vulnId":"V-254044","severity":"low","ruleTitle":"The Juniper BGP router must be configured to enable the Generalized TTL Security Mechanism (GTSM).","description":"GTSM is designed to protect a router's IP-based control plane from DoS attacks. Many attacks focused on CPU load and line-card overload can be prevented by implementing GTSM on all Exterior Border Gateway Protocol speaking routers. \n\nGTSM is based on the fact that the vast majority of control plane peering is established between adjacent routers; that is, the Exterior Border Gateway Protocol peers are either between connecting interfaces or between loopback interfaces. Since TTL spoofing is considered nearly impossible, a mechanism based on an expected TTL value provides a simple and reasonably robust defense from infrastructure attacks based on forged control plane traffic.","checkContent":"$7c","fixText":"$7d"},{"id":"621737b3-239e-4af6-a663-a42f3f09b490","vulnId":"V-254045","severity":"medium","ruleTitle":"The Juniper perimeter router must be configured to only allow incoming communications from authorized sources to be routed to authorized destinations.","description":"$7e","checkContent":"$7f","fixText":"$80"},{"id":"8fae4bb0-1e0f-492f-a919-980a5537ed24","vulnId":"V-254046","severity":"medium","ruleTitle":"The Juniper perimeter router must be configured to block inbound packets with source Bogon IP address prefixes.","description":"Bogons include IP packets on the public internet that contain addresses that are not in any range allocated or delegated by the Internet Assigned Numbers Authority (IANA) or a delegated regional Internet registry (RIR) and allowed for public internet use. Bogons also include multicast, IETF reserved, and special purpose address space as defined in RFC 6890.\n\nSecurity of the internet's routing system relies on the ability to authenticate an assertion of unique control of an address block. Measures to authenticate such assertions rely on the validation the address block forms as part of an existing allocated address block, and must be a trustable and unique reference in the IANA address registries. The intended use of a Bogon address would only be for the purpose of address spoofing in denial-of-service attacks. Hence, it is imperative that IP packets with a source Bogon address are blocked at the network’s perimeter.","checkContent":"$81","fixText":"$82"},{"id":"b651b7b5-0dc2-41e0-ac61-cb56badc3276","vulnId":"V-254047","severity":"low","ruleTitle":"The Juniper perimeter router must be configured to have Link Layer Discovery Protocols (LLDPs) disabled on all external interfaces.","description":"LLDPs are primarily used to obtain protocol addresses of neighboring devices and discover platform capabilities of those devices. Use of SNMP with the LLDP Management Information Base (MIB) allows network management applications to learn the device type and the SNMP agent address of neighboring devices, thereby enabling the application to send SNMP queries to those devices. LLDPs are also media- and protocol-independent as they run over the data link layer; therefore, two systems that support different network-layer protocols can still learn about each other. Allowing LLDP messages to reach external network nodes is dangerous as it provides an attacker a method to obtain information of the network infrastructure that can be useful to plan an attack.","checkContent":"$83","fixText":"This requirement is not applicable for the DODIN Backbone.\n\nDisable LLDPs on all external interfaces.\n\nset protocols lldp interface all disable\nset protocols lldp interface \nset protocols lldp interface disable\n\nset protocols lldp-med interface all disable\nset protocols lldp-med interface \nset protocols lldp-med interface disable\n\nNote: The disable command is not required if LLDP and LLDP-MED are globally disabled. However, the configured protocol status may be more apparent if each exterior interface is explicitly disabled."},{"id":"9e56d875-eb7f-4951-b8e6-a8cbc34faab3","vulnId":"V-254048","severity":"medium","ruleTitle":"The Juniper perimeter router must be configured to have Proxy ARP disabled on all external interfaces.","description":"When Proxy ARP is enabled on a router, it allows that router to extend the network (at layer 2) across multiple interfaces (LAN segments). Because proxy ARP allows hosts from different LAN segments to look like they are on the same segment, proxy ARP is only safe when used between trusted LAN segments. Attackers can leverage the trusting nature of proxy ARP by spoofing a trusted host and then intercepting packets. Proxy ARP should always be disabled on router interfaces that do not require it, unless the router is being used as a LAN bridge.","checkContent":"This requirement is not applicable for the DODIN Backbone.\n\nReview the router configuration to determine if Proxy ARP is disabled on all external interfaces. By default, Proxy ARP is disabled on all interfaces. Verify \"proxy-arp\" has not been enabled on external interfaces as shown in the example:\n\n[edit interfaces]\n {\n unit 0 {\n proxy-arp [restricted|unrestricted]; << Must not be configured on external interfaces.\n \n }\n}\n\nIf Proxy ARP is enabled on any external interface, this is a finding.","fixText":"This requirement is not applicable for the DODIN Backbone.\n\nDisable IP Proxy ARP on all external interfaces.\n\ndelete interfaces unit 0 proxy-arp"},{"id":"09e7bb0b-514f-401d-a4ab-bb55c876098f","vulnId":"V-254049","severity":"medium","ruleTitle":"The Juniper perimeter router must be configured to block all outbound management traffic.","description":"For in-band management, the management network must have its own subnet to enforce control and access boundaries provided by layer 3 network nodes, such as routers and firewalls. Management traffic between the managed network elements and the management network is routed via the same links and nodes as that used for production or operational traffic. Safeguards must be implemented to ensure that the management traffic does not leak past the perimeter of the managed network.","checkContent":"$84","fixText":"$85"},{"id":"6350e298-db81-407a-9e3e-568199bc24b9","vulnId":"V-254050","severity":"low","ruleTitle":"The Juniper multicast Designated Router (DR) must be configured to filter the IGMP and MLD Report messages to allow hosts to join only multicast groups that have been approved by the organization.","description":"Real-time multicast traffic can entail multiple large flows of data. Large unicast flows tend to be fairly isolated (i.e., someone downloading a file here or there), whereas multicast can have broader impact on bandwidth consumption, resulting in extreme network congestion. Hence, it is imperative that there is multicast admission control to restrict which multicast groups hosts are allowed to join via IGMP or MLD.","checkContent":"$86","fixText":"Configure the DR to filter the IGMP and MLD report messages to allow hosts to join only those multicast groups that have been approved.\n\nset policy-options policy-statement term unauth-groups from route-filter 224.0.1.2/32 exact\nset policy-options policy-statement term unauth-groups from route-filter 224.0.2.2/32 exact\nset policy-options policy-statement term unauth-groups then reject\nset policy-options policy-statement term accept-others then accept\n\nset policy-options policy-statement term unauth-groups from route-filter fec0:1:1:4::/64 exact\nset policy-options policy-statement term unauth-groups then reject\nset policy-options policy-statement term accept-others then accept\n\nset protocols igmp interface . group-policy \nset protocols mld interface . group-policy "},{"id":"89922ef9-e27d-4eb5-b88b-503d694872ce","vulnId":"V-254051","severity":"medium","ruleTitle":"The Juniper multicast Designated Router (DR) must be configured to filter the IGMP and MLD Report messages to allow hosts to join a multicast group only from sources that have been approved by the organization.","description":"Real-time multicast traffic can entail multiple large flows of data. Large unicast flows tend to be fairly isolated (i.e., someone downloading a file here or there), whereas multicast can have broader impact on bandwidth consumption, resulting in extreme network congestion. Hence, it is imperative that there is multicast admission control to restrict which multicast groups hosts are allowed to join via IGMP or MLD.","checkContent":"Review the configuration of the DR to verify that it is filtering IGMP or MLD report messages, allowing hosts to only join multicast groups from sources that have been approved.\n\nNote: This requirement is only applicable to Source Specific Multicast (SSM) implementation.\n\n[edit policy-options]\npolicy-statement {\n term unauth-sources {\n from {\n source-address-filter / orlonger;\n }\n then reject;\n }\n term allow-others {\n then accept;\n }\n}\npolicy-statement

Juniper EX Series Switches Router Security Technical Implementation Guide

Checks (102)