STIGQter: STIG Summary: Juniper Router RTR Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 12 Feb 2021:

The Juniper perimeter router must be configured to filter traffic destined to the enclave in accordance with the guidelines contained in DoD Instruction 8551.1.

DISA Rule

SV-217037r639663_rule

Vulnerability Number

V-217037

Group Title

SRG-NET-000205-RTR-000003

Rule Version

JUNI-RT-000320

Severity

CAT II

CCI(s)

• CCI-001097 - The information system monitors and controls communications at the external boundary of the information system and at key internal boundaries within the system.

Weight

10

Fix Recommendation

This requirement is not applicable for the DoDIN Backbone.

Configure the router to use an inbound filter on all external interfaces as shown in the example below to restrict traffic in accordance with the guidelines contained in DOD Instruction 8551.1.

set filter INBOUND_FILTER term ALLOW_ABC from protocol tcp destination-port abc
set filter INBOUND_FILTER term ALLOW_ABC then accept
set filter INBOUND_FILTER term ALLOW_XYZ from protocol tcp destination-port xyz
set filter INBOUND_FILTER term ALLOW_XYZ then accept
set filter INBOUND_FILTER term DENY_ALL_OTHER then syslog reject

[edit interfaces ge-0/0/0 unit 0 family inet]
set filter input INBOUND_FILTER

Check Contents

This requirement is not applicable for the DoDIN Backbone.

Review the router configuration to verify that the ingress filter is in accordance with DoD 8551.

Verify that an inbound filter is configured on all external interfaces.

interfaces {
ge-0/0/0 {
unit 0 {
family inet {
filter {
input INBOUND_FILTER;
}
address 11.1.12.2/24;
}
}
}

Review the inbound filter to verify that it is filtering traffic in accordance with DoD 8551.

firewall {
family inet {
filter INBOUND_FILTER {
term ALLOW_ABC {
from {
protocol tcp;
destination-port abc;
}
then accept;
}
term ALLOW_XYZ {
from {
protocol xyz;
}
then accept;
}
term DENY_ALL_OTHER {
then {
syslog;
reject;
}
}
}
}

If the router does not filter traffic in accordance with the guidelines contained in DoD 8551, this is a finding.

Vulnerability Number

V-217037

Documentable

False

Rule Version

JUNI-RT-000320

Severity Override Guidance

This requirement is not applicable for the DoDIN Backbone.

Review the router configuration to verify that the ingress filter is in accordance with DoD 8551.

Verify that an inbound filter is configured on all external interfaces.

interfaces {
ge-0/0/0 {
unit 0 {
family inet {
filter {
input INBOUND_FILTER;
}
address 11.1.12.2/24;
}
}
}

Review the inbound filter to verify that it is filtering traffic in accordance with DoD 8551.

firewall {
family inet {
filter INBOUND_FILTER {
term ALLOW_ABC {
from {
protocol tcp;
destination-port abc;
}
then accept;
}
term ALLOW_XYZ {
from {
protocol xyz;
}
then accept;
}
term DENY_ALL_OTHER {
then {
syslog;
reject;
}
}
}
}

If the router does not filter traffic in accordance with the guidelines contained in DoD 8551, this is a finding.

Check Content Reference

M

Target Key

4032

Comments