STIGQter STIGQter: STIG Summary: Juniper Router RTR Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 12 Feb 2021:

The Juniper router providing connectivity to the NOC must be configured to forward all in-band management traffic via an IPsec tunnel.

DISA Rule

SV-217050r639663_rule

Vulnerability Number

V-217050

Group Title

SRG-NET-000205-RTR-000013

Rule Version

JUNI-RT-000450

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

This requirement is not applicable for the DoDIN Backbone.

Ensure that all traffic from the managed network to the management network is secured via IPsec tunnel as shown in the configuration examples below.

Configure an IPsec tunnel to be used to transport the management traffic.

[edit security]
set ike proposal IKE_PHASE1_PROPOSAL authentication-method pre-shared-keys
set ike proposal IKE_PHASE1_PROPOSAL authentication-algorithm sha-256
set ike proposal IKE_PHASE1_PROPOSAL dh-group group14
set ike proposal IKE_PHASE1_PROPOSAL encryption-algorithm aes-128-cbc
set ike policy 10.1.25.2 proposals IKE_PHASE1_PROPOSAL
set ike policy 10.1.25.2 mode main
set ike policy 10.1.25.2 pre-shared-key ascii-text xxxxxxxxx
set ipsec proposal IPSEC_PHASE2_PROPOSAL protocol esp
set ipsec proposal IPSEC_PHASE2_PROPOSAL authentication-algorithm hmac-sha1-96
set ipsec proposal IPSEC_PHASE2_PROPOSAL encryption-algorithm aes-128-cbc
set policy IPSEC_POLICY perfect-forward-secrecy keys group14
set policy IPSEC_POLICY proposals xxxxx
set ipsec security-association IPSEC_SA_MGMT mode tunnel
set ipsec security-association IPSEC_SA_MGMT dynamic ipsec-policy IPSEC_POLICY

Configure a filter that will select which traffic to be forwarded via the IPsec tunnel by specifying the security association bound to the tunnel.

[edit firewall family inet]
set filter MGMT_TRAFFIC term ALLOW_SNMP from protocol udp port [snmp snmptrap]
set filter MGMT_TRAFFIC term ALLOW_SNMP then ipsec-sa IPSEC_SA_MGMT
set filter MGMT_TRAFFIC term ALLOW_TACACS from protocol tcp port tacacs
set filter MGMT_TRAFFIC term ALLOW_TACACS then ipsec-sa IPSEC_SA_MGMT
set filter MGMT_TRAFFIC term ALLOW_NETFLOW from protocol udp port [2055 9995 9996]
set filter MGMT_TRAFFIC term ALLOW_NETFLOW then ipsec-sa IPSEC_SA_MGMT
set filter MGMT_TRAFFIC term OTHER then accept

Check Contents

This requirement is not applicable for the DoDIN Backbone.

Verify that all traffic from the managed network to the management network and vice-versa is secured via IPsec tunnel.

Review the security association within the IPsec configuration to be used for encapsulating the management traffic and verify that it is in tunnel mode. Also note the security association to be used.

security {
ipsec {
proposal IPSEC_PHASE2_PROPOSAL {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-128-cbc;
}
policy IPSEC_POLICY {
perfect-forward-secrecy {
keys group14;
}
proposals IPSEC_PHASE2_PROPOSAL;
}
security-association IPSEC-SA_XYZ {
description "For XYZ";
mode transport;
manual {
direction bidirectional {
protocol ah;
spi 256;
authentication {
algorithm hmac-sha1-96;
key ascii-text "$8$oPJjH.P5F69mSHqPQn6u0RhSreW-dsZGi8XYoZDmP"; ## SECRET-DATA
}
}
}
}
security-association IPSEC_SA_MGMT {
description "IPsec Tunnel for Mgmt Traffic";
mode tunnel;
dynamic {
ipsec-policy IPSEC_POLICY;
}
}
}
ike {
proposal IKE_PHASE1_PROPOSAL {
authentication-method pre-shared-keys;
dh-group group14;
authentication-algorithm sha-256;
encryption-algorithm aes-128-cbc;
}
policy 10.1.25.2 {
mode main;
proposals IKE_PHASE1_PROPOSAL;
pre-shared-key ascii-text "$8$J4UDkCA01IcHqEy"; ## SECRET-DATA
}
}

Verify there is a filter to direct the management traffic to the IPsec tunnel by verifying the name of the IPsec SA referenced in the then statement as shown in the example below.

firewall {
family inet {



filter MGMT_TRAFFIC {
term ALLOW_SNMP {
from {
protocol udp;
port [ snmp snmptrap ];
}
then ipsec-sa IPSEC_SA_MGMT;
}
term ALLOW_TACACS {
from {
protocol tcp;
port tacacs;
}
then ipsec-sa IPSEC_SA_MGMT;
}
term ALLOW_NETFLOW {
from {
protocol udp;
port [ 2055 9995 9996 ];
}
then ipsec-sa IPSEC_SA_MGMT;
}
term OTHER {
then accept;
}
}
}

If the management traffic is not secured via IPsec tunnel, this is a finding.

Vulnerability Number

V-217050

Documentable

False

Rule Version

JUNI-RT-000450

Severity Override Guidance

This requirement is not applicable for the DoDIN Backbone.

Verify that all traffic from the managed network to the management network and vice-versa is secured via IPsec tunnel.

Review the security association within the IPsec configuration to be used for encapsulating the management traffic and verify that it is in tunnel mode. Also note the security association to be used.

security {
ipsec {
proposal IPSEC_PHASE2_PROPOSAL {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-128-cbc;
}
policy IPSEC_POLICY {
perfect-forward-secrecy {
keys group14;
}
proposals IPSEC_PHASE2_PROPOSAL;
}
security-association IPSEC-SA_XYZ {
description "For XYZ";
mode transport;
manual {
direction bidirectional {
protocol ah;
spi 256;
authentication {
algorithm hmac-sha1-96;
key ascii-text "$8$oPJjH.P5F69mSHqPQn6u0RhSreW-dsZGi8XYoZDmP"; ## SECRET-DATA
}
}
}
}
security-association IPSEC_SA_MGMT {
description "IPsec Tunnel for Mgmt Traffic";
mode tunnel;
dynamic {
ipsec-policy IPSEC_POLICY;
}
}
}
ike {
proposal IKE_PHASE1_PROPOSAL {
authentication-method pre-shared-keys;
dh-group group14;
authentication-algorithm sha-256;
encryption-algorithm aes-128-cbc;
}
policy 10.1.25.2 {
mode main;
proposals IKE_PHASE1_PROPOSAL;
pre-shared-key ascii-text "$8$J4UDkCA01IcHqEy"; ## SECRET-DATA
}
}

Verify there is a filter to direct the management traffic to the IPsec tunnel by verifying the name of the IPsec SA referenced in the then statement as shown in the example below.

firewall {
family inet {



filter MGMT_TRAFFIC {
term ALLOW_SNMP {
from {
protocol udp;
port [ snmp snmptrap ];
}
then ipsec-sa IPSEC_SA_MGMT;
}
term ALLOW_TACACS {
from {
protocol tcp;
port tacacs;
}
then ipsec-sa IPSEC_SA_MGMT;
}
term ALLOW_NETFLOW {
from {
protocol udp;
port [ 2055 9995 9996 ];
}
then ipsec-sa IPSEC_SA_MGMT;
}
term OTHER {
then accept;
}
}
}

If the management traffic is not secured via IPsec tunnel, this is a finding.

Check Content Reference

M

Target Key

4032

Comments