The Juniper router must be configured to restrict traffic destined to itself.

An XCCDF Rule

Description

<VulnDiscussion>The routing engine (RE) handles traffic destined to the router—the key component used to build forwarding paths and is also instrumental with all network management functions. Hence, any disruption or DoS attack to the RE can result in mission critical network outages.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-254010r997524_rule
Severity: High
References: CCI-001097 CCI-004866
Updated: 17 days ago

Configure all routers with receive path filters to restrict traffic destined to the router.

Example prefix lists for management networks and the device management address(es):
set prefix-list auth_mgt_networks-ipv4 <IPv4 subnet / mask>
set prefix-list auth_mgt_networks-ipv6 <IPv6 subnet / mask>
set prefix-list device_mgt_address-ipv4 <IPv4 address>/32set prefix-list device_mgt_address-ipv6 <IPv6 address>/128

Example firewall filters:
set firewall family inet filter protect_re-ipv4 term 1 from source-prefix-list auth_mgt_networks-ipv4
set firewall family inet filter protect_re-ipv4 term 1 from destination-prefix-list device_mgt_address-ipv4
set firewall family inet filter protect_re-ipv4 term 1 from <additional match criteria>
set firewall family inet filter protect_re-ipv4 term 1 then accept
set firewall family inet filter protect_re-ipv4 term <additional permit terms>
set firewall family inet filter protect_re-ipv4 term default then log
set firewall family inet filter protect_re-ipv4 term default then syslog
set firewall family inet filter protect_re-ipv4 term default then discard

set firewall family inet6 filter protect_re-ipv6 term 1 from source-prefix-list auth_mgt_networks-ipv6
set firewall family inet6 filter protect_re-ipv6 term 1 from destination-prefix-list device_mgt_address-ipv6
set firewall family inet6 filter protect_re-ipv6 term 1 from <additional match criteria>
set firewall family inet6 filter protect_re-ipv6 term 1 then accept
set firewall family inet6 filter protect_re-ipv6 term <additional permit terms>
set firewall family inet6 filter protect_re-ipv6 term default then log
set firewall family inet filter protect_re-ipv6 term default then syslog
set firewall family inet filter protect_re-ipv6 term default then discard

Example application on loopback:
set interfaces lo0 unit 0 family inet filter input protect_re-ipv4
set interfaces lo0 unit 0 family inet address <IPv4 address>/32
set interfaces lo0 unit 0 family inet6 filter input protect_re-ipv6
set interfaces lo0 unit 0 family inet6 address <IPv6 address>/128

The Juniper router must be configured to restrict traffic destined to itself.

Description

Remediation - Manual Procedure