SV-217050r639663_rule
V-217050
SRG-NET-000205-RTR-000013
JUNI-RT-000450
CAT II
10
This requirement is not applicable for the DoDIN Backbone.
Ensure that all traffic from the managed network to the management network is secured via IPsec tunnel as shown in the configuration examples below.
Configure an IPsec tunnel to be used to transport the management traffic.
[edit security]
set ike proposal IKE_PHASE1_PROPOSAL authentication-method pre-shared-keys
set ike proposal IKE_PHASE1_PROPOSAL authentication-algorithm sha-256
set ike proposal IKE_PHASE1_PROPOSAL dh-group group14
set ike proposal IKE_PHASE1_PROPOSAL encryption-algorithm aes-128-cbc
set ike policy 10.1.25.2 proposals IKE_PHASE1_PROPOSAL
set ike policy 10.1.25.2 mode main
set ike policy 10.1.25.2 pre-shared-key ascii-text xxxxxxxxx
set ipsec proposal IPSEC_PHASE2_PROPOSAL protocol esp
set ipsec proposal IPSEC_PHASE2_PROPOSAL authentication-algorithm hmac-sha1-96
set ipsec proposal IPSEC_PHASE2_PROPOSAL encryption-algorithm aes-128-cbc
set policy IPSEC_POLICY perfect-forward-secrecy keys group14
set policy IPSEC_POLICY proposals xxxxx
set ipsec security-association IPSEC_SA_MGMT mode tunnel
set ipsec security-association IPSEC_SA_MGMT dynamic ipsec-policy IPSEC_POLICY
Configure a filter that will select which traffic to be forwarded via the IPsec tunnel by specifying the security association bound to the tunnel.
[edit firewall family inet]
set filter MGMT_TRAFFIC term ALLOW_SNMP from protocol udp port [snmp snmptrap]
set filter MGMT_TRAFFIC term ALLOW_SNMP then ipsec-sa IPSEC_SA_MGMT
set filter MGMT_TRAFFIC term ALLOW_TACACS from protocol tcp port tacacs
set filter MGMT_TRAFFIC term ALLOW_TACACS then ipsec-sa IPSEC_SA_MGMT
set filter MGMT_TRAFFIC term ALLOW_NETFLOW from protocol udp port [2055 9995 9996]
set filter MGMT_TRAFFIC term ALLOW_NETFLOW then ipsec-sa IPSEC_SA_MGMT
set filter MGMT_TRAFFIC term OTHER then accept
This requirement is not applicable for the DoDIN Backbone.
Verify that all traffic from the managed network to the management network and vice-versa is secured via IPsec tunnel.
Review the security association within the IPsec configuration to be used for encapsulating the management traffic and verify that it is in tunnel mode. Also note the security association to be used.
security {
ipsec {
proposal IPSEC_PHASE2_PROPOSAL {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-128-cbc;
}
policy IPSEC_POLICY {
perfect-forward-secrecy {
keys group14;
}
proposals IPSEC_PHASE2_PROPOSAL;
}
security-association IPSEC-SA_XYZ {
description "For XYZ";
mode transport;
manual {
direction bidirectional {
protocol ah;
spi 256;
authentication {
algorithm hmac-sha1-96;
key ascii-text "$8$oPJjH.P5F69mSHqPQn6u0RhSreW-dsZGi8XYoZDmP"; ## SECRET-DATA
}
}
}
}
security-association IPSEC_SA_MGMT {
description "IPsec Tunnel for Mgmt Traffic";
mode tunnel;
dynamic {
ipsec-policy IPSEC_POLICY;
}
}
}
ike {
proposal IKE_PHASE1_PROPOSAL {
authentication-method pre-shared-keys;
dh-group group14;
authentication-algorithm sha-256;
encryption-algorithm aes-128-cbc;
}
policy 10.1.25.2 {
mode main;
proposals IKE_PHASE1_PROPOSAL;
pre-shared-key ascii-text "$8$J4UDkCA01IcHqEy"; ## SECRET-DATA
}
}
Verify there is a filter to direct the management traffic to the IPsec tunnel by verifying the name of the IPsec SA referenced in the then statement as shown in the example below.
firewall {
family inet {
…
…
…
filter MGMT_TRAFFIC {
term ALLOW_SNMP {
from {
protocol udp;
port [ snmp snmptrap ];
}
then ipsec-sa IPSEC_SA_MGMT;
}
term ALLOW_TACACS {
from {
protocol tcp;
port tacacs;
}
then ipsec-sa IPSEC_SA_MGMT;
}
term ALLOW_NETFLOW {
from {
protocol udp;
port [ 2055 9995 9996 ];
}
then ipsec-sa IPSEC_SA_MGMT;
}
term OTHER {
then accept;
}
}
}
If the management traffic is not secured via IPsec tunnel, this is a finding.
V-217050
False
JUNI-RT-000450
This requirement is not applicable for the DoDIN Backbone.
Verify that all traffic from the managed network to the management network and vice-versa is secured via IPsec tunnel.
Review the security association within the IPsec configuration to be used for encapsulating the management traffic and verify that it is in tunnel mode. Also note the security association to be used.
security {
ipsec {
proposal IPSEC_PHASE2_PROPOSAL {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-128-cbc;
}
policy IPSEC_POLICY {
perfect-forward-secrecy {
keys group14;
}
proposals IPSEC_PHASE2_PROPOSAL;
}
security-association IPSEC-SA_XYZ {
description "For XYZ";
mode transport;
manual {
direction bidirectional {
protocol ah;
spi 256;
authentication {
algorithm hmac-sha1-96;
key ascii-text "$8$oPJjH.P5F69mSHqPQn6u0RhSreW-dsZGi8XYoZDmP"; ## SECRET-DATA
}
}
}
}
security-association IPSEC_SA_MGMT {
description "IPsec Tunnel for Mgmt Traffic";
mode tunnel;
dynamic {
ipsec-policy IPSEC_POLICY;
}
}
}
ike {
proposal IKE_PHASE1_PROPOSAL {
authentication-method pre-shared-keys;
dh-group group14;
authentication-algorithm sha-256;
encryption-algorithm aes-128-cbc;
}
policy 10.1.25.2 {
mode main;
proposals IKE_PHASE1_PROPOSAL;
pre-shared-key ascii-text "$8$J4UDkCA01IcHqEy"; ## SECRET-DATA
}
}
Verify there is a filter to direct the management traffic to the IPsec tunnel by verifying the name of the IPsec SA referenced in the then statement as shown in the example below.
firewall {
family inet {
…
…
…
filter MGMT_TRAFFIC {
term ALLOW_SNMP {
from {
protocol udp;
port [ snmp snmptrap ];
}
then ipsec-sa IPSEC_SA_MGMT;
}
term ALLOW_TACACS {
from {
protocol tcp;
port tacacs;
}
then ipsec-sa IPSEC_SA_MGMT;
}
term ALLOW_NETFLOW {
from {
protocol udp;
port [ 2055 9995 9996 ];
}
then ipsec-sa IPSEC_SA_MGMT;
}
term OTHER {
then accept;
}
}
}
If the management traffic is not secured via IPsec tunnel, this is a finding.
M
4032