The Juniper EX switch must be configured to manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks.
An XCCDF Rule
Description
<VulnDiscussion>DoS attacks can be mitigated by ensuring sufficient capacity is available for mission-critical traffic. Managing capacity may include, for example, establishing selected network usage priorities or quotas and enforcing them using rate limiting, quality of service (QoS), or other resource reservation control methods. These measures may also mitigate the effects of sudden decreases in network capacity that are the result of accidental or intentional physical damage to telecommunications facilities (such as cable cuts or weather-related outages). A Junos OS classifier identifies and separates traffic flows and provides the means to prioritize traffic later in the class-of-service (CoS) process. By default, Junos implements a standard CoS (QoS) strategy. Although some devices implement different queues or queue numbers, generally there is at least a four-queue model with two active queues: 95 percent Best Effort (BE) and 5 percent Network Control (NE). A behavior aggregate (BA) classifier performs this function by associating discriminating values with forwarding classes and loss priorities. Unless overridden, Junos OS applies the default CoS to all interfaces. Junos OS provides multiple predefined BA classifier types, which the site can combine and supplement with custom CoS configuration as needed to achieve overall traffic classification goals.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-253951r1028750_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
1. Configure and enable a CoS policy using the commands in the example stanza below.
2. Replace the variables in the example commands with meaningful, site-specific names, rates, and values that are appropriate for the target environment. Operational test the settings.
3. Configure queues for each type of traffic based on the priorities established in the site's SSP.
Note: The following example configured DSCP. However, other BA classifier types may also be configured to implement the site's QoS requirements. Refer to the vendor documentation.