STIGQter: STIG Summary: Juniper Router RTR Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 12 Feb 2021:

The Juniper router must be configured to use keys with a duration not exceeding 180 days for authenticating routing protocol messages.

DISA Rule

SV-217013r639663_rule

Vulnerability Number

V-217013

Group Title

SRG-NET-000230-RTR-000003

Rule Version

JUNI-RT-000030

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

This requirement is not applicable for the DoDIN Backbone.

Configure each key used for routing protocol authentication to have a lifetime of no more than 180 days as shown in the example below.

[edit security authentication-key-chains]
set key-chain BGP_KEY key 1 start-time 2018-05-01.12:00 secret xxxxxxxxxxxxx
set key-chain BGP_KEY key 2 start-time 2018-09-01.12:00 secret xxxxxxxxxxxxx
set key-chain BGP_KEY key 3 start-time 2019-01-01.12:00 secret xxxxxxxxxxxxx

[edit protocols ospf area 0.0.0.0 interface ge-0/0/0.0]
set authentication md5 1 key xxxxxxxx start-time 2018-01-01.01:01
set authentication md5 2 key xxxxxxxx start-time 2018-04-01.01:01
set authentication md5 3 key xxxxxxxx start-time 2018-08-01.01:01

Note: Currently Junos does not support key chains for RIP.

Check Contents

This requirement is not applicable for the DoDIN Backbone.

Review the start times for each key within the configured key chains used for routing protocol authentication as shown in the examples below.

security {
    authentication-key-chains {
        key-chain BGP_KEY {
            key 1 {
                secret "$8$PTQnhclvMX3687"; ## SECRET-DATA
                start-time "2018-5-1.12:00:00 +0000";
            }
            key 2 {
                secret "$8$iq.5OBESyKfTlM"; ## SECRET-DATA
                start-time "2018-9-1.12:00:00 +0000";
            }
            key 3 {
                secret "$8$ZADjqAtOIRSk.hr"; ## SECRET-DATA
                start-time "2019-1-1.12:00:00 +0000";
            }
        }
    }
}

ospf {
    area 0.0.0.0 {
        interface ge-0/0/0.0 {
            authentication {
                md5 1 key "$8$P5T36/t0ORDi.5F3tp" start-time "2018-1-1.01:01:00 +0000"; ## SECRET-DATA
                md5 2 key "$8$S.oevLbwg4aUvWxn" start-time "2018-4-1.01:01:00 +0000"; ## SECRET-DATA
                md5 3 key "$8$SInrWxbO1hcYg4ajH" start-time "2018-8-1.01:01:00 +0000"; ## SECRET-DATA
            }
        }
    }
}

If any key used for routing protocol authentication has a lifetime exceeding 180 days, this is a finding.

Vulnerability Number

V-217013

Documentable

False

Rule Version

JUNI-RT-000030

Severity Override Guidance

This requirement is not applicable for the DoDIN Backbone.

Review the start times for each key within the configured key chains used for routing protocol authentication as shown in the examples below.

security {
    authentication-key-chains {
        key-chain BGP_KEY {
            key 1 {
                secret "$8$PTQnhclvMX3687"; ## SECRET-DATA
                start-time "2018-5-1.12:00:00 +0000";
            }
            key 2 {
                secret "$8$iq.5OBESyKfTlM"; ## SECRET-DATA
                start-time "2018-9-1.12:00:00 +0000";
            }
            key 3 {
                secret "$8$ZADjqAtOIRSk.hr"; ## SECRET-DATA
                start-time "2019-1-1.12:00:00 +0000";
            }
        }
    }
}

ospf {
    area 0.0.0.0 {
        interface ge-0/0/0.0 {
            authentication {
                md5 1 key "$8$P5T36/t0ORDi.5F3tp" start-time "2018-1-1.01:01:00 +0000"; ## SECRET-DATA
                md5 2 key "$8$S.oevLbwg4aUvWxn" start-time "2018-4-1.01:01:00 +0000"; ## SECRET-DATA
                md5 3 key "$8$SInrWxbO1hcYg4ajH" start-time "2018-8-1.01:01:00 +0000"; ## SECRET-DATA
            }
        }
    }
}

If any key used for routing protocol authentication has a lifetime exceeding 180 days, this is a finding.

Check Content Reference

M

Target Key

4032

Comments