Juniper Router RTR Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
SRG-NET-000019-RTR-000010
Group -
The Juniper perimeter router must be configured to not redistribute static routes to an alternate gateway service provider into BGP or an IGP peering with the NIPRNet or to other autonomous systems.
If the static routes to the alternate gateway are being redistributed into an Exterior Gateway Protocol or Interior Gateway Protocol to a NIPRNet gateway, this could make traffic on NIPRNet flow to...Rule Low Severity -
SRG-NET-000205-RTR-000014
Group -
SRG-NET-000205-RTR-000003
Group -
The Juniper perimeter router must be configured to filter traffic destined to the enclave in accordance with the guidelines contained in DoD Instruction 8551.1.
Vulnerability assessments must be reviewed by the System Administrator, and protocols must be approved by the Information Assurance (IA) staff before entering the enclave. Access control lists (AC...Rule Medium Severity -
SRG-NET-000205-RTR-000004
Group -
The Juniper perimeter router must be configured to filter ingress traffic at the external interface on an inbound direction.
Access lists are used to separate data traffic into that which it will route (permitted packets) and that which it will not route (denied packets). Secure configuration of routers makes use of acce...Rule Medium Severity -
SRG-NET-000205-RTR-000005
Group -
SRG-NET-000205-RTR-000015
Group -
SRG-NET-000364-RTR-000111
Group -
The Juniper perimeter router must be configured to have Link Layer Discovery Protocol (LLDP) disabled on all external interfaces.
LLDPs are primarily used to obtain protocol addresses of neighboring devices and discover platform capabilities of those devices. Use of SNMP with the LLDP Management Information Base (MIB) allows ...Rule Low Severity -
SRG-NET-000364-RTR-000112
Group -
The Juniper perimeter router must be configured to have Proxy ARP disabled on all external interfaces.
When Proxy ARP is enabled on a router, it allows that router to extend the network (at Layer 2) across multiple interfaces (LAN segments). Because proxy ARP allows hosts from different LAN segments...Rule Medium Severity -
SRG-NET-000364-RTR-000113
Group -
The Juniper perimeter router must be configured to block all outbound management traffic.
For in-band management, the management network must have its own subnet to enforce control and access boundaries provided by Layer 3 network nodes, such as routers and firewalls. Management traffic...Rule Medium Severity -
SRG-NET-000205-RTR-000009
Group -
SRG-NET-000205-RTR-000010
Group -
The Juniper out-of-band management (OOBM) gateway router must be configured to forward only authorized management traffic to the Network Operations Center (NOC).
The OOBM network is an IP network used exclusively for the transport of OAM&P data from the network being managed to the OSS components located at the NOC. Its design provides connectivity to each ...Rule Medium Severity -
SRG-NET-000019-RTR-000011
Group -
The Juniper out-of-band management (OOBM) gateway router must be configured to have separate IGP instances for the managed network and management network.
If the gateway router is not a dedicated device for the OOBM network, implementation of several safeguards for containment of management and production traffic boundaries must occur. Since the mana...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.