STIGQter: STIG Summary: Juniper Router RTR Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 12 Feb 2021: STIGQter: STIG Summary: Juniper Router RTR Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 12 Feb 2021:SV-217014r639663_rule
V-217014
SRG-NET-000168-RTR-000077
JUNI-RT-000040
CAT II
10
Configure all routing protocol authentications to encrypt the authentication key.
OSPF Example:
[edit protocols ospf area 0.0.0.0]
set interface ge-0/0/0 authentication md5 1 key xxxxxxxxxxxx
set interface ge-0/1/0 authentication md5 1 key xxxxxxxxxxxx
set interface ge-0/2/0 authentication md5 1 key xxxxxxxxxxxx
IS-IS Example:
[edit security authentication-key-chains]
set key-chain ISIS_KEY key 1 options isis-enhanced
set key-chain ISIS_KEY key 2 options isis-enhanced
set key-chain ISIS_KEY key 3 options isis-enhanced
set key-chain ISIS_KEY key 1 start-time 2018-05-01.12:00 algorithm hmac-sha-1 secret xxxxxxxxxxxxx
set key-chain ISIS_KEY key 2 start-time 2018-09-01.12:00 algorithm hmac-sha-1 secret xxxxxxxxxxxxx
set key-chain ISIS_KEY key 3 start-time 2019-01-01.12:00 algorithm hmac-sha-1 secret xxxxxxxxxxxxx
[edit protocols]
set isis level 1 authentication-key-chain ISIS_KEY
set isis interface ge-0/0/0 level 1 hello-authentication-key-chain ISIS_KEY
set isis interface ge-0/0/0 level 2 hello-authentication-key-chain ISIS_KEY
BGP Example:
[edit security authentication-key-chains]
set key-chain BGP_KEY key 1 start-time 2018-05-01.12:00 secret xxxxxxxxxxxxx
set key-chain BGP_KEY key 2 start-time 2018-09-01.12:00 secret xxxxxxxxxxxxx
set key-chain BGP_KEY key 3 start-time 2019-01-01.12:00 secret xxxxxxxxxxxxx
[edit protocols bgp group AS_5]
set neighbor 11.1.25.5 authentication-algorithm hmac-sha-1-96
set neighbor 11.1.25.5 authentication-key-chain BGP_KEY
set neighbor 11.1.1.1 authentication-algorithm hmac-sha-1-96
set neighbor 11.1.1.1 authentication-key-chain BGP_KEY
Review the router configuration. For every routing protocol that affects the routing or forwarding tables, verify that neighbor router authentication is encrypting the authentication key as shown in the examples below.
OSPF Example:
protocols {
…
…
…
ospf {
area 0.0.0.0 {
interface ge-0/0/0 {
authentication {
md5 1 key "$8$NHVb2mPQ3nCYg/t"; ## SECRET-DATA
}
}
interface ge-0/1/0 {
authentication {
md5 1 key "$8$Lgb7NbHkPTQnVwF/"; ## SECRET-DATA
}
}
interface lo0.0;
interface ge-0/2/0 {
authentication {
md5 1 key "$8$7DdVY.mTF39s26A"; ## SECRET-DATA
}
}
}
}
}
IS-IS Example:
security {
…
…
…
}
authentication-key-chains {
key-chain ISIS_KEY {
key 1 {
secret "$8$W8oXxdji.f5F-VQn"; ## SECRET-DATA
start-time "2018-5-1.12:00:00 +0000";
algorithm hmac-sha-1;
options isis-enhanced;
}
key 2 {
secret "$8$Q4953nCrlMLX-9A7V"; ## SECRET-DATA
start-time "2018-9-1.12:00:00 +0000";
algorithm hmac-sha-1;
options isis-enhanced;
}
key 3 {
secret "$8$UeiHmpu1Ehr.PSe"; ## SECRET-DATA
start-time "2019-1-1.12:00:00 +0000";
algorithm hmac-sha-1;
options isis-enhanced;
}
}
}
}
protocols {
…
…
…
isis {
level 1 authentication-key-chain ISIS_KEY;
level 2 authentication-key-chain ISIS_KEY;
interface ge-0/0/0 {
level 1 hello-authentication-key-chain ISIS_KEY;
level 2 hello-authentication-key-chain ISIS_KEY;
}
interface lo0.0;
}
BGP Example:
security {
…
…
…
}
authentication-key-chains {
key-chain BGP_KEY {
key 1 {
secret "$8$PTQnhclvMX3687"; ## SECRET-DATA
start-time "2018-5-1.12:00:00 +0000";
}
key 2 {
secret "$8$iq.5OBESyKfTlM"; ## SECRET-DATA
start-time "2018-9-1.12:00:00 +0000";
}
key 3 {
secret "$8$ZADjqAtOIRSk.hr"; ## SECRET-DATA
start-time "2019-1-1.12:00:00 +0000";
}
}
protocols {
bgp {
group AS_2 {
type external;
peer-as 2;
neighbor 11.1.25.2 {
authentication-algorithm md5;
authentication-key-chain BGP_KEY;
}
neighbor 11.1.1.1 {
authentication-algorithm hmac-sha-1-96;
authentication-key-chain BGP_KEY;
}
}
}
If the routing protocol is not encrypting the authentication key, this is a finding.
V-217014
False
JUNI-RT-000040
Review the router configuration. For every routing protocol that affects the routing or forwarding tables, verify that neighbor router authentication is encrypting the authentication key as shown in the examples below.
OSPF Example:
protocols {
…
…
…
ospf {
area 0.0.0.0 {
interface ge-0/0/0 {
authentication {
md5 1 key "$8$NHVb2mPQ3nCYg/t"; ## SECRET-DATA
}
}
interface ge-0/1/0 {
authentication {
md5 1 key "$8$Lgb7NbHkPTQnVwF/"; ## SECRET-DATA
}
}
interface lo0.0;
interface ge-0/2/0 {
authentication {
md5 1 key "$8$7DdVY.mTF39s26A"; ## SECRET-DATA
}
}
}
}
}
IS-IS Example:
security {
…
…
…
}
authentication-key-chains {
key-chain ISIS_KEY {
key 1 {
secret "$8$W8oXxdji.f5F-VQn"; ## SECRET-DATA
start-time "2018-5-1.12:00:00 +0000";
algorithm hmac-sha-1;
options isis-enhanced;
}
key 2 {
secret "$8$Q4953nCrlMLX-9A7V"; ## SECRET-DATA
start-time "2018-9-1.12:00:00 +0000";
algorithm hmac-sha-1;
options isis-enhanced;
}
key 3 {
secret "$8$UeiHmpu1Ehr.PSe"; ## SECRET-DATA
start-time "2019-1-1.12:00:00 +0000";
algorithm hmac-sha-1;
options isis-enhanced;
}
}
}
}
protocols {
…
…
…
isis {
level 1 authentication-key-chain ISIS_KEY;
level 2 authentication-key-chain ISIS_KEY;
interface ge-0/0/0 {
level 1 hello-authentication-key-chain ISIS_KEY;
level 2 hello-authentication-key-chain ISIS_KEY;
}
interface lo0.0;
}
BGP Example:
security {
…
…
…
}
authentication-key-chains {
key-chain BGP_KEY {
key 1 {
secret "$8$PTQnhclvMX3687"; ## SECRET-DATA
start-time "2018-5-1.12:00:00 +0000";
}
key 2 {
secret "$8$iq.5OBESyKfTlM"; ## SECRET-DATA
start-time "2018-9-1.12:00:00 +0000";
}
key 3 {
secret "$8$ZADjqAtOIRSk.hr"; ## SECRET-DATA
start-time "2019-1-1.12:00:00 +0000";
}
}
protocols {
bgp {
group AS_2 {
type external;
peer-as 2;
neighbor 11.1.25.2 {
authentication-algorithm md5;
authentication-key-chain BGP_KEY;
}
neighbor 11.1.1.1 {
authentication-algorithm hmac-sha-1-96;
authentication-key-chain BGP_KEY;
}
}
}
If the routing protocol is not encrypting the authentication key, this is a finding.
M
4032