Juniper EX Series Switches Router Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • SRG-NET-000018-RTR-000003

    Group
  • The Juniper BGP router must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS).

    Accepting route advertisements belonging to the local AS can result in traffic looping, being black holed, or at a minimum using a nonoptimized path.
    Rule Medium Severity
  • SRG-NET-000018-RTR-000004

    Group
  • SRG-NET-000018-RTR-000005

    Group
  • The Juniper BGP router must be configured to reject outbound route advertisements for any prefixes that do not belong to any customers or the local autonomous system (AS).

    Advertisement of routes by an AS for networks that do not belong to any of its customers pulls traffic away from the authorized network. This causes a denial of service (DoS) on the network that al...
    Rule Medium Severity
  • SRG-NET-000018-RTR-000006

    Group
  • SRG-NET-000018-RTR-000007

    Group
  • The Juniper router must be configured to enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy.

    Information flow control regulates authorized information to travel within a network and between interconnected networks. Controlling the flow of network traffic is critical so it does not introduc...
    Rule Medium Severity
  • SRG-NET-000019-RTR-000003

    Group
  • SRG-NET-000019-RTR-000009

    Group
  • SRG-NET-000018-RTR-000008

    Group
  • The Juniper router configured for Multicast Source Discovery Protocol (MSDP) must filter source-active multicast advertisements to external MSDP peers to avoid global visibility of local-only multicast sources and groups.

    To avoid global visibility of local information, there are a number of source-group (S, G) states in a PIM-SM domain that must not be leaked to another domain, such as multicast sources with privat...
    Rule Low Severity
  • SRG-NET-000018-RTR-000009

    Group
  • The Juniper router configured for MSDP must limit the amount of source-active messages it accepts on a per-peer basis.

    To reduce any risk of a denial-of-service (DoS) attack from a rogue or misconfigured MSDP router, the router must be configured to limit the number of source-active messages it accepts from each peer.
    Rule Low Severity
  • SRG-NET-000018-RTR-000010

    Group
  • SRG-NET-000019-RTR-000001

    Group
  • The Juniper router must be configured to disable the auxiliary port unless it is connected to a secured modem providing encryption and authentication.

    The use of POTS lines to modems connecting to network devices provides clear text of authentication traffic over commercial circuits that could be captured and used to compromise the network. Addit...
    Rule Low Severity
  • SRG-NET-000019-RTR-000002

    Group
  • SRG-NET-000019-RTR-000004

    Group
  • The Juniper router must be configured to bind a Protocol Independent Multicast (PIM) neighbor filter to interfaces that have PIM enabled.

    PIM is a routing protocol used to build multicast distribution trees for forwarding multicast traffic across the network infrastructure. PIM traffic must be limited to only known PIM neighbors by c...
    Rule Medium Severity
  • SRG-NET-000019-RTR-000005

    Group
  • The Juniper multicast edge router must be configured to establish boundaries for administratively scoped multicast traffic.

    If multicast traffic is forwarded beyond the intended boundary, it is possible that it can be intercepted by unauthorized or unintended personnel. Administratively scoped multicast addresses are loc...
    Rule Low Severity
  • SRG-NET-000019-RTR-000007

    Group
  • The Juniper router must be configured to have all inactive interfaces disabled.

    An inactive interface is rarely monitored or controlled and may expose a network to an undetected attack on that interface. Unauthorized personnel with access to the communication facility could ga...
    Rule Low Severity
  • SRG-NET-000019-RTR-000008

    Group
  • The Juniper perimeter router must be configured to protect an enclave connected to an alternate gateway by using an inbound filter that only permits packets with destination addresses within the site's address space.

    Enclaves with alternate gateway connections must take additional steps to ensure there is no compromise on the enclave network or NIPRNet. Without verifying the destination address of traffic comin...
    Rule High Severity
  • SRG-NET-000019-RTR-000010

    Group
  • SRG-NET-000019-RTR-000011

    Group
  • The Juniper out-of-band management (OOBM) gateway router must be configured to have separate IGP instances for the managed network and management network.

    If the gateway router is not a dedicated device for the OOBM network, implementation of several safeguards for containment of management and production traffic boundaries must occur. Since the mana...
    Rule Medium Severity
  • SRG-NET-000019-RTR-000012

    Group
  • SRG-NET-000019-RTR-000013

    Group
  • The Juniper multicast Rendezvous Point (RP) router must be configured to filter Protocol Independent Multicast (PIM) Register messages received from the Designated Router (DR) for any undesirable multicast groups and sources.

    Real-time multicast traffic can entail multiple large flows of data. An attacker can flood a network segment with multicast packets, over-using the available bandwidth and thereby creating a denial...
    Rule Low Severity
  • SRG-NET-000019-RTR-000014

    Group
  • SRG-NET-000076-RTR-000001

    Group
  • The Juniper router must be configured to produce audit records containing information to establish where the events occurred.

    Without establishing where events occurred, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack. To compile an accurate risk assessment and provi...
    Rule Medium Severity
  • SRG-NET-000077-RTR-000001

    Group
  • SRG-NET-000078-RTR-000001

    Group
  • The Juniper router must be configured to log all packets that have been dropped.

    Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done or attempted to be done, and by whom, to compile an accurate ...
    Rule Low Severity
  • SRG-NET-000131-RTR-000035

    Group
  • The Juniper router must be configured to have all nonessential capabilities disabled.

    A compromised router introduces risk to the entire network infrastructure, as well as data resources that are accessible via the network. The perimeter defense has no oversight or control of attack...
    Rule Low Severity
  • SRG-NET-000131-RTR-000083

    Group
  • SRG-NET-000168-RTR-000078

    Group
  • The Juniper router must be configured to authenticate all routing protocol messages using a NIST-validated FIPS 198-1 message authentication code algorithm.

    A rogue router could send a fictitious routing update to convince a site's perimeter router to send traffic to an incorrect or even a rogue destination. This diverted traffic could be analyzed to l...
    Rule Medium Severity
  • SRG-NET-000192-RTR-000002

    Group
  • The Juniper PE router must be configured to limit the number of MAC addresses it can learn for each Virtual Private LAN Services (VPLS) bridge domain.

    VPLS defines an architecture that delivers Ethernet multipoint services over an MPLS network. Customer layer 2 frames are forwarded across the MPLS core via pseudowires using IEEE 802.1q Ethernet b...
    Rule Medium Severity
  • SRG-NET-000193-RTR-000001

    Group
  • The Juniper MPLS router with RSVP-TE enabled must be configured to enable refresh reduction features.

    RSVP-TE can be used to perform constraint-based routing when building LSP tunnels within the network core that will support QoS and traffic engineering requirements. RSVP-TE is also used to enable ...
    Rule Low Severity
  • SRG-NET-000193-RTR-000002

    Group
  • SRG-NET-000193-RTR-000112

    Group
  • SRG-NET-000193-RTR-000113

    Group
