The Juniper router must be configured to enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy.

An XCCDF Rule

Description

<VulnDiscussion>Information flow control regulates authorized information to travel within a network and between interconnected networks. Controlling the flow of network traffic is critical so it does not introduce any unacceptable risk to the network infrastructure or data. An example of a flow control restriction is blocking outside traffic claiming to be from within the organization. For most routers, internal information flow control is a product of system design.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-253984r843985_rule
Severity: Medium
References: CCI-001414
Updated: 17 days ago

Configure the router to enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy.

set interfaces <interface name> unit <logical unit> family inet rpf-check
set interfaces <interface name> unit <logical unit> family inet filter input deny-prod-to-mgt
set interfaces <interface name> unit <logical unit> family inet6 rpf-check
set interfaces <interface name> unit <logical unit> family inet6 filter input deny-prod-to-mgt-v6
set firewall family inet filter deny-prod-to-mgt term 1 from source-address <production IPv4 subnet/mask>
set firewall family inet filter deny-prod-to-mgt term 1 from destination-address <MGT IPv4 subnet/mask>
set firewall family inet filter deny-prod-to-mgt term 1 then log
set firewall family inet filter deny-prod-to-mgt term 1 then syslog
set firewall family inet filter deny-prod-to-mgt term 1 then discard
set firewall family inet filter deny-prod-to-mgt term 2 from source-address <production IPv4 subnet/mask>
set firewall family inet filter deny-prod-to-mgt term 2 then accept

set firewall family inet6 filter deny-prod-to-mgt-v6 term 1 from source-address <production IPv6 subnet/prefix>
set firewall family inet6 filter deny-prod-to-mgt-v6 term 1 from destination-address <MGT IPv6 subnet/prefix>
set firewall family inet6 filter deny-prod-to-mgt-v6 term 1 then log
set firewall family inet6 filter deny-prod-to-mgt-v6 term 1 then syslog
set firewall family inet6 filter deny-prod-to-mgt-v6 term 1 then discard
set firewall family inet6 filter deny-prod-to-mgt-v6 term 2 from source-address <production IPv6 subnet/prefix>
set firewall family inet6 filter deny-prod-to-mgt-v6 term 2 then accept

The Juniper router must be configured to enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy.

Description

Remediation - Manual Procedure