STIGQter: STIG Summary: Juniper Router RTR Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 12 Feb 2021

The Juniper router must be configured to only permit management traffic that ingresses and egresses the OOBM interface.

DISA Rule

SV-217049r639663_rule

Vulnerability Number

V-217049

Group Title

SRG-NET-000205-RTR-000012

Rule Version

JUNI-RT-000440

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

If the management interface is not a dedicated OOBM interface, it must be configured with both an ingress and egress filter.

Configure an inbound filter as shown in the example below.

[edit firewall family inet]
set filter OOBM_INBOUND term ALLOW_SNMP from protocol udp port snmp
set filter OOBM_INBOUND term ALLOW_SNMP then accept
set filter OOBM_INBOUND term ALLOW_TACACS from protocol tcp port tacacs
set filter OOBM_INBOUND term ALLOW_TACACS then accept
set filter OOBM_INBOUND term ALLOW_SSH from protocol tcp port ssh
set filter OOBM_INBOUND term ALLOW_SSH then accept
set filter OOBM_INBOUND term ALLOW_NTP from protocol udp port ntp
set filter OOBM_INBOUND term ALLOW_NTP then accept
set filter OOBM_INBOUND term ALLOW_ICMP from protocol icmp
set filter OOBM_INBOUND term ALLOW_ICMP then accept
set filter OOBM_INBOUND term DENY_OTHER then syslog discard

Configure an outbound filter as shown in the example below.

set filter OOBM_OUTBOUND term ALLOW_SNMP from protocol udp port [snmp snmptrap]
set filter OOBM_OUTBOUND term ALLOW_SNMP then accept
set filter OOBM_OUTBOUND term ALLOW_TACACS from protocol tcp port tacacs
set filter OOBM_OUTBOUND term ALLOW_TACACS then accept
set filter OOBM_OUTBOUND term ALLOW_SSH from protocol tcp port ssh
set filter OOBM_OUTBOUND term ALLOW_SSH then accept
set filter OOBM_OUTBOUND term ALLOW_NTP from protocol udp port ntp
set filter OOBM_OUTBOUND term ALLOW_NTP then accept
set filter OOBM_OUTBOUND term ALLOW_SYSLOG from protocol udp port syslog
set filter OOBM_OUTBOUND term ALLOW_SYSLOG then accept
set filter OOBM_OUTBOUND term ALLOW_NETFLOW from protocol udp port [2055 9995 9996]
set filter OOBM_OUTBOUND term ALLOW_NETFLOW then accept
set filter OOBM_OUTBOUND term DENY_OTHER then syslog discard

Apply the filters to the OOBM interfaces.

[edit interfaces ge-0/0/0 unit 0 family inet]
set filter input OOBM_INBOUND
set filter output OOBM_OUTBOUND

Check Contents

Verify that the management interface has an inbound and an outbound filter configured.

interfaces {
    ge-0/0/0 {
        description "OOBM Network";
        unit 0 {
            family inet {
                filter {
                    input OOBM_INBOUND;
                    output OOBM_OUTBOUND;
                }
                address 10.2.14.1/24;
            }
        }
    }
}

Verify that the ingress filter only allows management and ICMP traffic.

firewall {
    family inet {
        filter OOBM_INBOUND {
            term ALLOW_SNMP {
                from {
                    protocol udp;
                    port snmp;
                }
                then accept;
            }
            term ALLOW_TACACS {
                from {
                    protocol tcp;
                    port tacacs;
                }
                then accept;
            }
            term ALLOW_ICMP {
                from {
                    protocol icmp;
                }
                then accept;
            }
            term ALLOW_SSH {
                from {
                    protocol tcp;
                    port ssh;
                }
                then accept;
            }
            term ALLOW_NTP {
                from {
                    protocol udp;
                    port ntp;
                }
                then accept;
            }
            term DENY_OTHER {
                then {
                    syslog;
                    discard;
                }
            }
        }
    }
}

Verify that the egress filter only allows management traffic.

firewall {
    family inet {
        filter OOBM_OUTBOUND {
            term ALLOW_SNMP {
                from {
                    protocol udp;
                    port [ snmp snmptrap ];
                }
                then accept;
            }
            term ALLOW_TACACS {
                from {
                    protocol tcp;
                    port tacacs;
                }
                then accept;
            }
            term ALLOW_SSH {
                from {
                    protocol tcp;
                    port ssh;
                }
                then accept;
            }
            term ALLOW_NTP {
                from {
                    protocol udp;
                    port ntp;
                }
                then accept;
            }
            term ALLOW_SYSLOG {
                from {
                    protocol udp;
                    port syslog;
                }
                then accept;
            }
            term ALLOW_NETFLOW {
                from {
                    protocol udp;
                    port [ 2055 9995 9996 ];
                }
                then accept;
            }
            term DENY_OTHER {
                then {
                    syslog;
                    discard;
                }
            }
        }
    }
}

Caveat: If the management interface is a true OOBM interface, this requirement is not applicable.

If the router does not restrict traffic that ingresses and egresses the management interface, this is a finding.

Vulnerability Number

V-217049

Documentable

False

Rule Version

JUNI-RT-000440

Severity Override Guidance

Check Content Reference

M

Target Key

4032

Comments