Juniper EX Series Switches Router Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • The Juniper PE router must be configured to implement Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) snooping for each Virtual Private LAN Services (VPLS) bridge domain.

    IGMP snooping provides a way to constrain multicast traffic at layer 2. By monitoring the IGMP membership reports sent by hosts within the bridge domain, the snooping application can set up layer 2...
    Rule Low Severity
  • SRG-NET-000362-RTR-000120

    Group
  • The Juniper multicast RP router must be configured to limit the multicast forwarding cache so that its resources are not saturated by managing an overwhelming number of PIM and MSDP source-active entries.

    MSDP peering between networks enables sharing of multicast source information. Enclaves with an existing multicast topology using PIM-SM can configure their RP routers to peer with MSDP routers. As...
    Rule Low Severity
  • SRG-NET-000362-RTR-000121

    Group
  • SRG-NET-000362-RTR-000122

    Group
  • The Juniper multicast Designated Router (DR) must be configured to limit the number of mroute states resulting from Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Host Membership Reports.

    The current multicast paradigm can let any host join any multicast group at any time by sending an IGMP or MLD membership report to the DR. In a Protocol Independent Multicast (PIM) Sparse Mode net...
    Rule Medium Severity
  • SRG-NET-000362-RTR-000123

    Group
  • SRG-NET-000362-RTR-000124

    Group
  • The Juniper BGP router must be configured to enable the Generalized TTL Security Mechanism (GTSM).

    GTSM is designed to protect a router's IP-based control plane from DoS attacks. Many attacks focused on CPU load and line-card overload can be prevented by implementing GTSM on all Exterior Border ...
    Rule Low Severity
  • SRG-NET-000364-RTR-000109

    Group
  • The Juniper perimeter router must be configured to block all outbound management traffic.

    For in-band management, the management network must have its own subnet to enforce control and access boundaries provided by layer 3 network nodes, such as routers and firewalls. Management traffic...
    Rule Medium Severity
  • SRG-NET-000364-RTR-000114

    Group
  • SRG-NET-000364-RTR-000110

    Group
  • The Juniper perimeter router must be configured to block inbound packets with source Bogon IP address prefixes.

    Bogons include IP packets on the public internet that contain addresses that are not in any range allocated or delegated by the Internet Assigned Numbers Authority (IANA) or a delegated regional In...
    Rule Medium Severity
  • SRG-NET-000364-RTR-000111

    Group
  • The Juniper perimeter router must be configured to have Link Layer Discovery Protocols (LLDPs) disabled on all external interfaces.

    LLDPs are primarily used to obtain protocol addresses of neighboring devices and discover platform capabilities of those devices. Use of SNMP with the LLDP Management Information Base (MIB) allows ...
    Rule Low Severity
  • SRG-NET-000364-RTR-000112

    Group
  • The Juniper perimeter router must be configured to have Proxy ARP disabled on all external interfaces.

    When Proxy ARP is enabled on a router, it allows that router to extend the network (at layer 2) across multiple interfaces (LAN segments). Because proxy ARP allows hosts from different LAN segments...
    Rule Medium Severity
  • SRG-NET-000364-RTR-000113

    Group
  • SRG-NET-000364-RTR-000115

    Group
  • The Juniper multicast Designated Router (DR) must be configured to filter the IGMP and MLD Report messages to allow hosts to join a multicast group only from sources that have been approved by the organization.

    Real-time multicast traffic can entail multiple large flows of data. Large unicast flows tend to be fairly isolated (i.e., someone downloading a file here or there), whereas multicast can have broa...
    Rule Medium Severity
  • SRG-NET-000364-RTR-000116

    Group
  • The Juniper Multicast Source Discovery Protocol (MSDP) router must be configured to only accept MSDP packets from known MSDP peers.

    MSDP peering with customer network routers presents additional risks to the DISN Core, whether from a rogue or misconfigured MSDP-enabled router. To guard against an attack from malicious MSDP traf...
    Rule Medium Severity
  • SRG-NET-000364-RTR-000200

    Group
  • SRG-NET-000364-RTR-000201

    Group
  • The Juniper perimeter router must be configured to drop IPv6 packets with a Routing Header type 0, 1, or 3-255.

    The routing header can be used maliciously to send a packet through a path where less robust security is in place, rather than through the presumably preferred path of routing protocols. Use of the...
    Rule Medium Severity
  • SRG-NET-000364-RTR-000202

    Group
  • The Juniper perimeter router must be configured to drop IPv6 packets containing a Hop-by-Hop header with invalid option type values.

    These options are intended to be for the Destination Options header only. The optional and extensible natures of the IPv6 extension headers require higher scrutiny since many implementations do not...
    Rule Medium Severity
  • SRG-NET-000364-RTR-000204

    Group
  • The Juniper perimeter router must be configured to drop IPv6 packets containing an extension header with the Endpoint Identification option.

    The optional and extensible natures of the IPv6 extension headers require higher scrutiny since many implementations do not always drop packets with headers that it cannot recognize, and hence coul...
    Rule Medium Severity
  • SRG-NET-000364-RTR-000205

    Group
  • The Juniper perimeter router must be configured to drop IPv6 packets containing the NSAP address option within the Destination Option header.

    The optional and extensible natures of the IPv6 extension headers require higher scrutiny since many implementations do not always drop packets with headers that it cannot recognize, and hence coul...
    Rule Medium Severity
  • SRG-NET-000364-RTR-000206

    Group
  • The Juniper perimeter router must be configured to drop IPv6 packets containing a Hop-by-Hop or Destination Option extension header with an undefined option type.

    The optional and extensible natures of the IPv6 extension headers require higher scrutiny since many implementations do not always drop packets with headers that it cannot recognize, and hence coul...
    Rule Medium Severity
  • SRG-NET-000512-RTR-000001

    Group
  • SRG-NET-000512-RTR-000002

    Group
  • SRG-NET-000512-RTR-000003

    Group
  • SRG-NET-000512-RTR-000004

    Group
  • The Juniper MPLS router must be configured to have TTL Propagation disabled.

    The head end of the label-switched path (LSP), the label edge router (LER) will decrement the IP packet's time-to-live (TTL) value by one and then copy the value to the MPLS TTL field. At each labe...
    Rule Medium Severity
  • SRG-NET-000512-RTR-000005

    Group
  • SRG-NET-000512-RTR-000006

    Group
  • The Juniper PE router must be configured to have each Virtual Routing and Forwarding (VRF) instance with the appropriate Route Target (RT).

    The primary security model for an MPLS L3VPN as well as a VRF-lite infrastructure is traffic separation. Each interface can only be associated to one VRF, which is the fundamental framework for tra...
    Rule High Severity
  • SRG-NET-000512-RTR-000008

    Group
  • SRG-NET-000512-RTR-000009

    Group
  • The Juniper PE router providing Virtual Private LAN Services (VPLS) must be configured to have all attachment circuits defined to the virtual forwarding instance (VFI) with the globally unique VPN ID assigned for each customer VLAN.

    VPLS defines an architecture that delivers Ethernet multipoint services over an MPLS network. Customer layer 2 frames are forwarded across the MPLS core via pseudowires using IEEE 802.1q Ethernet b...
    Rule High Severity
  • SRG-NET-000512-RTR-000010

    Group
  • SRG-NET-000512-RTR-000011

    Group
  • SRG-NET-000512-RTR-000012

    Group
  • The Juniper router must be configured to advertise a hop limit of at least 32 in Router Advertisement messages for IPv6 stateless auto-configuration deployments.

    The Neighbor Discovery protocol allows a hop limit value to be advertised by routers in a Router Advertisement message being used by hosts instead of the standardized default value. If a very small...
    Rule Low Severity
  • SRG-NET-000512-RTR-000013

    Group