The Juniper out-of-band management (OOBM) gateway router must be configured to block any traffic destined to itself that is not sourced from the OOBM network or the NOC.

An XCCDF Rule

Description

<VulnDiscussion>If the gateway router is not a dedicated device for the OOBM network, several safeguards must be implemented for containment of management and production traffic boundaries. It is imperative that hosts from the managed network are not able to access the OOBM gateway router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-254020r844093_rule
Severity: Medium
References: CCI-001097
Updated: 17 days ago

This requirement is not applicable for the DODIN Backbone.

Ensure that traffic from the managed network is not able to access the OOBM gateway router using either receive path or interface firewall filters.

set policy-options prefix-list OOBM-ipv4 <IPv4 address>/<mask>
set policy-options prefix-list OOBM-ipv6 <IPv6 address>/<prefix>
set firewall family inet filter protect-re-ipv4 term 1 from source-prefix-list OOBM-ipv4
set firewall family inet filter protect-re-ipv4 term 1 from destination-prefix-list router-ipv4
set firewall family inet filter protect-re-ipv4 term 1 then accept
<additional terms for authorized traffic like OSPF or BGP>
set firewall family inet filter protect-re-ipv4 term default then log
set firewall family inet filter protect-re-ipv4 term default then syslog
set firewall family inet filter protect-re-ipv4 term default then discard

set firewall family inet filter protect-re-ipv6 term 1 from source-prefix-list OOBM-ipv6
set firewall family inet filter protect-re-ipv6 term 1 from destination-prefix-list router-ipv6
set firewall family inet filter protect-re-ipv6 term 1 then accept
<additional terms for authorized traffic like OSPF or BGP>
set firewall family inet filter protect-re-ipv6 term default then log
set firewall family inet filter protect-re-ipv6 term default then syslog
set firewall family inet filter protect-re-ipv6 term default then discard

set interfaces lo0 unit 0 family inet filter input protect-re-ipv4
set interfaces lo0 unit 0 family inet address <IPv4 address>/<mask>
set interfaces lo0 unit 0 family inet6 filter input protect-re-ipv6
set interfaces lo0 unit 0 family inet6 address <IPv6 address>/<prefix>

The Juniper out-of-band management (OOBM) gateway router must be configured to block any traffic destined to itself that is not sourced from the OOBM network or the NOC.

Description

Remediation - Manual Procedure