The Juniper router must be configured to restrict traffic destined to itself.

An XCCDF Rule

Description

The Routing Engine handles traffic destined to the router—the key component used to build forwarding paths and is instrumental with all network management functions. Hence, any disruption or DoS attack to the Routing Engine can result in mission critical network outages.

ID: SV-217019r604135_rule
Version: JUNI-RT-000130
Severity: High
References: CCI-001097
Updated: about 2 months ago

Remediation Templates

Configure the router’s receive path filters to restrict traffic destined to the router.

Configure a filter to define what traffic should be received by the Routing Engine.

[edit firewall family inet]
set filter DESTINED_TO_RP term FILTER_TCP from destination-address 11.1.12.0/24  set filter DESTINED_TO_RP term FILTER_TCP from protocol tcp destination-port ssh
set filter DESTINED_TO_RP term FILTER_TCP from protocol tcp destination-port tacacs
set filter DESTINED_TO_RP term FILTER_TCP then accept
set filter DESTINED_TO_RP term FILTER_UDP from destination-address 11.1.12.0/24  
set filter DESTINED_TO_RP term FILTER_UDP from protocol udp destination-port ntp
set filter DESTINED_TO_RP term FILTER_UDP from protocol udp destination-port snmp
set filter DESTINED_TO_RP term FILTER_UDP then accept
set filter DESTINED_TO_RP term ICMP_ANY from protocol icmp 
set filter DESTINED_TO_RP term ICMP_ANY from protocol icmp then accept
set filter DESTINED_TO_RP term DENY_BY_DEFAULT then log discard

Apply the filter to the loopback interface.

[edit interfaces lo0 unit 0 family inet] 
set filter input-list DESTINED_TO_RP.

The Juniper router must be configured to restrict traffic destined to itself.

Description

Remediation Templates

A Manual Procedure