The Juniper router must be configured to restrict traffic destined to itself.
An XCCDF Rule
Description
<VulnDiscussion>The routing engine (RE) handles traffic destined to the router—the key component used to build forwarding paths and is also instrumental with all network management functions. Hence, any disruption or DoS attack to the RE can result in mission critical network outages.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-254010r844063_rule
- Severity
- High
- References
- Updated
Remediation - Manual Procedure
Configure all routers with receive path filters to restrict traffic destined to the router.
Example prefix lists for management networks and the device management address(es):
set prefix-list auth_mgt_networks-ipv4 <IPv4 subnet / mask>
set prefix-list auth_mgt_networks-ipv6 <IPv6 subnet / mask>
set prefix-list device_mgt_address-ipv4 <IPv4 address>/32