STIGQter STIGQter: STIG Summary: Juniper Router RTR Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 12 Feb 2021:

The Juniper out-of-band management (OOBM) gateway router must be configured to forward only authorized management traffic to the Network Operations Center (NOC).

DISA Rule

SV-217045r639663_rule

Vulnerability Number

V-217045

Group Title

SRG-NET-000205-RTR-000010

Rule Version

JUNI-RT-000400

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

This requirement is not applicable for the DoDIN Backbone.

Configure filters to permit only authorized management traffic into IPsec tunnels or the OOBM interface used for forwarding management data as shown in the examples below.

OOBM Link
[edit firewall family inet]
set filter MGMT_TRAFFIC term ALLOW_SNMP from protocol udp port [snmp snmptrap]
set filter MGMT_TRAFFIC term ALLOW_SNMP then accept
set filter MGMT_TRAFFIC term ALLOW_TACACS from protocol tcp port tacacs
set filter MGMT_TRAFFIC term ALLOW_TACACS then accept
set filter MGMT_TRAFFIC term ALLOW_NETFLOW from protocol udp port [2055 9995 9996]
set filter MGMT_TRAFFIC term ALLOW_NETFLOW then accept
set filter MGMT_TRAFFIC term DENY_OTHER then syslog discard

[edit interfaces ge-1/1/0 unit 0 family inet]
set filter output MGMT_TRAFFIC

IPsec Tunnel
[edit firewall family inet]
set filter MGMT_TRAFFIC term ALLOW_SNMP from protocol udp port [snmp snmptrap]
set filter MGMT_TRAFFIC term ALLOW_SNMP then ipsec-sa IPSEC_SA_MGMT
set filter MGMT_TRAFFIC term ALLOW_TACACS from protocol tcp port tacacs
set filter MGMT_TRAFFIC term ALLOW_TACACS then ipsec-sa IPSEC_SA_MGMT
set filter MGMT_TRAFFIC term ALLOW_NETFLOW from protocol udp port [2055 9995 9996]
set filter MGMT_TRAFFIC term ALLOW_NETFLOW then ipsec-sa IPSEC_SA_MGMT
set filter MGMT_TRAFFIC term OTHER then accept

Check Contents

This requirement is not applicable for the DoDIN Backbone.

Review the network topology diagram to determine connectivity between the managed network and the NOC. Review the OOBM gateway router configuration to validate the path that the management traffic traverses. Verify that only management traffic is forwarded through the OOBM interface or IPsec tunnel.

If an OOBM link is used, verify that the only authorized management traffic is transported to the NOC by reviewing the outbound filter applied to the OOBM interface as shown in the example below.

interfaces {
description "OOBM Net";
ge-1/1/0 {
unit 0 {
family inet {
filter {
output MGMT_TRAFFIC;
}
address 10.2.22.2/24;
}
}
}



firewall {
family inet {



filter MGMT_TRAFFIC {
term ALLOW_SNMP {
from {
protocol udp;
port [ snmp snmptrap ];
}
then accept;
}
term ALLOW_TACACS {
from {
protocol tcp;
port tacacs;
}
then accept;
}
term ALLOW_NETFLOW {
from {
protocol udp;
port [ 2055 9995 9996 ];
}
then accept;
}
term DENY_OTHER {
then {
syslog;
discard;
}
}
}
}

If an IPsec tunnel is used, verify that the only authorized management traffic is transported to the NOC by reviewing the filter referencing the applicable security association as shown int example below.

firewall {
family inet {



filter MGMT_TRAFFIC {
term ALLOW_SNMP {
from {
protocol udp;
port [ snmp snmptrap ];
}
then ipsec-sa IPSEC_SA_MGMT;
}
term ALLOW_TACACS {
from {
protocol tcp;
port tacacs;
}
then ipsec-sa IPSEC_SA_MGMT;
}
term ALLOW_NETFLOW {
from {
protocol udp;
port [ 2055 9995 9996 ];
}
then ipsec-sa IPSEC_SA_MGMT;
}
term OTHER {
then accept;
}
}
}

If traffic other than authorized management traffic is permitted through the OOBM interface or IPsec tunnel, this is a finding.

Vulnerability Number

V-217045

Documentable

False

Rule Version

JUNI-RT-000400

Severity Override Guidance

This requirement is not applicable for the DoDIN Backbone.

Review the network topology diagram to determine connectivity between the managed network and the NOC. Review the OOBM gateway router configuration to validate the path that the management traffic traverses. Verify that only management traffic is forwarded through the OOBM interface or IPsec tunnel.

If an OOBM link is used, verify that the only authorized management traffic is transported to the NOC by reviewing the outbound filter applied to the OOBM interface as shown in the example below.

interfaces {
description "OOBM Net";
ge-1/1/0 {
unit 0 {
family inet {
filter {
output MGMT_TRAFFIC;
}
address 10.2.22.2/24;
}
}
}



firewall {
family inet {



filter MGMT_TRAFFIC {
term ALLOW_SNMP {
from {
protocol udp;
port [ snmp snmptrap ];
}
then accept;
}
term ALLOW_TACACS {
from {
protocol tcp;
port tacacs;
}
then accept;
}
term ALLOW_NETFLOW {
from {
protocol udp;
port [ 2055 9995 9996 ];
}
then accept;
}
term DENY_OTHER {
then {
syslog;
discard;
}
}
}
}

If an IPsec tunnel is used, verify that the only authorized management traffic is transported to the NOC by reviewing the filter referencing the applicable security association as shown int example below.

firewall {
family inet {



filter MGMT_TRAFFIC {
term ALLOW_SNMP {
from {
protocol udp;
port [ snmp snmptrap ];
}
then ipsec-sa IPSEC_SA_MGMT;
}
term ALLOW_TACACS {
from {
protocol tcp;
port tacacs;
}
then ipsec-sa IPSEC_SA_MGMT;
}
term ALLOW_NETFLOW {
from {
protocol udp;
port [ 2055 9995 9996 ];
}
then ipsec-sa IPSEC_SA_MGMT;
}
term OTHER {
then accept;
}
}
}

If traffic other than authorized management traffic is permitted through the OOBM interface or IPsec tunnel, this is a finding.

Check Content Reference

M

Target Key

4032

Comments