Juniper EX Series Switches Router Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • The Juniper PE router must be configured to enforce a Quality-of-Service (QoS) policy in accordance with the QoS DODIN Technical Profile.

    Different applications have unique requirements and toleration levels for delay, jitter, bandwidth, packet loss, and availability. To manage the multitude of applications and services, a network re...
    Rule Low Severity
  • SRG-NET-000193-RTR-000114

    Group
  • SRG-NET-000202-RTR-000001

    Group
  • SRG-NET-000205-RTR-000001

    Group
  • The Juniper router must be configured to restrict traffic destined to itself.

    The routing engine (RE) handles traffic destined to the router—the key component used to build forwarding paths and is also instrumental with all network management functions. Hence, any disruption...
    Rule High Severity
  • SRG-NET-000205-RTR-000002

    Group
  • The Juniper router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.

    Fragmented ICMP packets can be generated by hackers for denial-of-service (DoS) attacks such as Ping O' Death and Teardrop. It is imperative that all fragmented ICMP packets are dropped.
    Rule Medium Severity
  • SRG-NET-000205-RTR-000003

    Group
  • SRG-NET-000205-RTR-000004

    Group
  • The Juniper perimeter router must be configured to filter ingress traffic at the external interface on an inbound direction.

    Firewall filters are used to separate data traffic into that which it will route (permitted packets) and that which it will not route (denied packets). Secure configuration of routers makes use of ...
    Rule Medium Severity
  • SRG-NET-000205-RTR-000005

    Group
  • The Juniper perimeter router must be configured to filter egress traffic at the internal interface on an inbound direction.

    Firewall filters are used to separate data traffic into that which it will route (permitted packets) and that which it will not route (denied packets). Secure configuration of routers makes use of ...
    Rule Medium Severity
  • SRG-NET-000205-RTR-000008

    Group
  • The Juniper PE router must be configured with Unicast Reverse Path Forwarding (uRPF) loose mode, or a firewall filter, enabled on all CE-facing interfaces.

    The uRPF feature, and ingress firewall filters, are defenses against spoofing and denial-of-service (DoS) attacks by verifying if the source address of any ingress packet is reachable. To mitigate ...
    Rule Medium Severity
  • SRG-NET-000205-RTR-000009

    Group
  • The Juniper out-of-band management (OOBM) gateway must be configured to transport management traffic to the Network Operations Center (NOC) via dedicated circuit, MPLS/VPN service, or IPsec tunnel.

    Using dedicated paths, the OOBM backbone connects the OOBM gateway routers located at the edge of the managed network and at the NOC. Dedicated links can be deployed using provisioned circuits or M...
    Rule Medium Severity
  • SRG-NET-000205-RTR-000010

    Group
  • The Juniper out-of-band management (OOBM) gateway router must be configured to forward only authorized management traffic to the Network Operations Center (NOC).

    The OOBM network is an IP network used exclusively for the transport of OAM&P data from the network being managed to the OSS components located at the NOC. Its design provides connectivity to each ...
    Rule Medium Severity
  • SRG-NET-000205-RTR-000011

    Group
  • The Juniper out-of-band management (OOBM) gateway router must be configured to block any traffic destined to itself that is not sourced from the OOBM network or the NOC.

    If the gateway router is not a dedicated device for the OOBM network, several safeguards must be implemented for containment of management and production traffic boundaries. It is imperative that h...
    Rule Medium Severity
  • SRG-NET-000205-RTR-000012

    Group
  • SRG-NET-000205-RTR-000014

    Group
  • The Juniper perimeter router must be configured to restrict it from accepting outbound IP packets that contain an illegitimate address in the source address field via egress filter or by enabling Unicast Reverse Path Forwarding (uRPF).

    A compromised host in an enclave can be used by a malicious platform to launch cyberattacks on third parties. This is a common practice in "botnets", which are a collection of compromised computers...
    Rule High Severity
  • SRG-NET-000205-RTR-000015

    Group
  • The Juniper perimeter router must be configured to block all packets with any IP options.

    Packets with IP options are not fast switched and must be punted to the route engine (RE). Hackers who initiate denial-of-service (DoS) attacks on routers commonly send large streams of packets wit...
    Rule Medium Severity
  • SRG-NET-000205-RTR-000016

    Group
  • The Juniper PE router must be configured to ignore or block all packets with any IP options.

    Packets with IP options are not fast switched and, therefore, must be punted to the route engine (RE). Hackers who initiate denial-of-service (DoS) attacks on routers commonly send large streams of...
    Rule Medium Severity
  • SRG-NET-000230-RTR-000001

    Group
  • The Juniper router must be configured to implement message authentication for all control plane protocols.

    A rogue router could send a fictitious routing update to convince a site's perimeter router to send traffic to an incorrect or even a rogue destination. This diverted traffic could be analyzed to l...
    Rule Medium Severity
  • SRG-NET-000230-RTR-000002

    Group
  • SRG-NET-000230-RTR-000003

    Group
  • SRG-NET-000343-RTR-000001

    Group
  • The router providing MPLS L2VPN services must be configured to authenticate targeted LDP sessions used to exchange VC information using a FIPS-approved message authentication code algorithm.

    Label Distribution Protocol (LDP) provides the signaling required for setting up and tearing down pseudowires (virtual circuits used to transport layer 2 frames) across an MPLS IP core network. Usi...
    Rule Medium Severity
  • SRG-NET-000343-RTR-000002

    Group
  • The Juniper Multicast Source Discovery Protocol (MSDP) router must be configured to authenticate all received MSDP packets.

    MSDP peering with customer network routers presents additional risks to the core, whether from a rogue or misconfigured MSDP-enabled router. MSDP password authentication is used to validate each se...
    Rule Medium Severity
  • SRG-NET-000362-RTR-000109

    Group
  • The Juniper router must not be configured to have any zero-touch deployment feature enabled when connected to an operational network.

    Network devices configured via a zero-touch deployment or auto-loading feature can have their startup configuration or image pushed to the device for installation via TFTP or Remote Copy (rcp). Loa...
    Rule Medium Severity
  • SRG-NET-000362-RTR-000110

    Group
  • SRG-NET-000362-RTR-000111

    Group
  • The Juniper router must be configured to have Gratuitous ARP disabled on all external interfaces.

    A gratuitous ARP is an ARP broadcast in which the source and destination MAC addresses are the same. It is used to inform the network about a host IP address. A spoofed gratuitous ARP message can c...
    Rule Medium Severity
  • SRG-NET-000362-RTR-000112

    Group
  • SRG-NET-000362-RTR-000113

    Group
  • The Juniper router must be configured to have Internet Control Message Protocol (ICMP) unreachable notifications disabled on all external interfaces.

    The ICMP supports IP traffic by relaying information about paths, routes, and network conditions. Routers automatically send ICMP messages under a wide variety of conditions. Host unreachable ICMP ...
    Rule Medium Severity
  • SRG-NET-000362-RTR-000114

    Group
  • The Juniper router must be configured to have Internet Control Message Protocol (ICMP) mask replies disabled on all external interfaces.

    The ICMP supports IP traffic by relaying information about paths, routes, and network conditions. Routers automatically send ICMP messages under a wide variety of conditions. Mask Reply ICMP messag...
    Rule Medium Severity
  • SRG-NET-000362-RTR-000115

    Group
  • SRG-NET-000362-RTR-000117

    Group
  • SRG-NET-000362-RTR-000118

    Group
  • The Juniper BGP router must be configured to limit the prefix size on any inbound route advertisement to /24 or the least significant prefixes issued to the customer.

    The effects of prefix deaggregation can degrade router performance due to the size of routing tables and also result in black-holing legitimate traffic. Initiated by an attacker or a misconfigured ...
    Rule Low Severity
  • SRG-NET-000362-RTR-000119

    Group