STIGQter: STIG Summary: Juniper Router RTR Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 12 Feb 2021:

The Juniper perimeter router must be configured to protect an enclave connected to an alternate gateway by using an inbound filter that only permits packets with destination addresses within the sites address space.

DISA Rule

SV-217033r639663_rule

Vulnerability Number

V-217033

Group Title

SRG-NET-000019-RTR-000008

Rule Version

JUNI-RT-000280

Severity

CAT I

CCI(s)

• CCI-001414 - The information system enforces approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies.

Weight

10

Fix Recommendation

This requirement is not applicable for the DoDIN Backbone.

Configure the ingress filter of the perimeter router connected to an alternate gateway to only permit packets with destination addresses of the site's NIPRNet address space or a destination address belonging to the address block assigned by the alternate gateway network service provider as shown in the example below.

[edit firewall family inet filter ISP_FILTER]
set term RESTRICT_DESTINATION from destination-address 0.0.0.0/0
set term RESTRICT_DESTINATION from destination-address 11.1.0.0/16 except
set term RESTRICT_DESTINATION then syslog discard
insert term RESTRICT_DESTINATION before term ALLOW_XYZ

Check Contents

This requirement is not applicable for the DoDIN Backbone.

Verify the interface connecting to ISP has an inbound filter as shown in the example below.

interfaces {
ge-0/0/0 {
description "Verizon ISP link";
unit 0 {
family inet {
filter {
input ISP_FILTER;
}
address 11.1.12.2/24;
}
}
}

Verify that the filter only allows traffic to specific destination addresses (i.e. enclave’s NIPRNet address space) as shown in the example below.

firewall {
family inet {
filter ISP_FILTER {
term RESTRICT_DESTINATION {
from {
destination-address {
0.0.0.0/0;
11.1.0.0/16 except;
}
}
then {
syslog;
discard;
}
}
term ALLOW_XYZ {
from {
protocol xyz;
}
then accept;
}
…
…
…
term DENY_ALL_OTHER {
then {
syslog;
reject;
}
}
}

If the ingress filter bound to the interface connecting to an alternate gateway permits packets with addresses other than those specified, such as destination addresses of the site's NIPRNet address space or a destination address belonging to the address block assigned by the alternate gateway network service provider, this is a finding.

Vulnerability Number

V-217033

Documentable

False

Rule Version

JUNI-RT-000280

Severity Override Guidance

This requirement is not applicable for the DoDIN Backbone.

Verify the interface connecting to ISP has an inbound filter as shown in the example below.

interfaces {
ge-0/0/0 {
description "Verizon ISP link";
unit 0 {
family inet {
filter {
input ISP_FILTER;
}
address 11.1.12.2/24;
}
}
}

Verify that the filter only allows traffic to specific destination addresses (i.e. enclave’s NIPRNet address space) as shown in the example below.

firewall {
family inet {
filter ISP_FILTER {
term RESTRICT_DESTINATION {
from {
destination-address {
0.0.0.0/0;
11.1.0.0/16 except;
}
}
then {
syslog;
discard;
}
}
term ALLOW_XYZ {
from {
protocol xyz;
}
then accept;
}
…
…
…
term DENY_ALL_OTHER {
then {
syslog;
reject;
}
}
}

If the ingress filter bound to the interface connecting to an alternate gateway permits packets with addresses other than those specified, such as destination addresses of the site's NIPRNet address space or a destination address belonging to the address block assigned by the alternate gateway network service provider, this is a finding.

Check Content Reference

M

Target Key

4032

Comments