STIGQter STIGQter: STIG Summary: Juniper Router RTR Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 12 Feb 2021:

The Juniper BGP router must be configured to enable the Generalized TTL Security Mechanism (GTSM).

DISA Rule

SV-217051r639663_rule

Vulnerability Number

V-217051

Group Title

SRG-NET-000362-RTR-000124

Rule Version

JUNI-RT-000460

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Configure a firewall filter that discards BGP packets (TCP port 179) whose TTL is not 255, as shown in the example below.

[edit firewall]
set filter GTSM_FILTER term TTL_SECURITY from protocol tcp port bgp ttl-except 255
set filter GTSM_FILTER term TTL_SECURITY then syslog discard
set filter GTSM_FILTER term ELSE_ACCEPT then accept

Apply the firewall filter as an input filter on every interface that connects to a single-hop eBGP peer, as shown in the example below.

[edit interfaces ge-0/0/0 unit 0 family inet]
set filter input-list INBOUND_FILTER
set filter input-list GTSM_FILTER

Check Contents

Verify that a filter has been configured to only allow BGP packets with a TTL of 255 as shown in the example below.

firewall {
    filter GTSM_FILTER {
        term TTL_SECURITY {
            from {
                protocol tcp;
                ttl-except 255;
                port bgp;
            }
            then {
                syslog;
                discard;
            }
        }
        term ELSE_ACCEPT {
            then accept;
        }
    }
}

Verify that the filter is applied to all interfaces connecting to eBGP peers.

interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input-list [ INBOUND_FILTER GTSM_FILTER ];
                }
                address x.x.x.x/30;
            }
        }
    }
}

Configure the router to send all BGP packets with a TTL of 255 as shown in the example below.

If the router is not configured to use GTSM for all Exterior Border Gateway Protocol peering sessions, this is a finding.
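The Fix Recommendation and the Check Contents above describe the same two conditions: a filter term that discards TCP/179 packets with a TTL other than 255, and that filter applied as an input filter on every eBGP-facing interface. The following script is an added example, not part of the STIG or of STIGQter, that automates that check offline against Junos "show configuration | display set" output. The sample configurations and the list of eBGP-facing logical interfaces passed to it are constructed for the example; on a real router you would paste the display-set output and supply the interfaces behind the eBGP peers from "show bgp neighbor".

```python
# Added example (not part of the STIG or STIGQter): offline compliance check for
# JUNI-RT-000460 against Junos "show configuration | display set" output.
import re

# Constructed sample in "display set" form. ge-0/0/0.0 has the GTSM filter in
# its input-list; ge-0/0/1.0 only carries a generic inbound filter.
SAMPLE_SET_CONFIG = """\
set firewall filter GTSM_FILTER term TTL_SECURITY from protocol tcp
set firewall filter GTSM_FILTER term TTL_SECURITY from ttl-except 255
set firewall filter GTSM_FILTER term TTL_SECURITY from port bgp
set firewall filter GTSM_FILTER term TTL_SECURITY then syslog
set firewall filter GTSM_FILTER term TTL_SECURITY then discard
set firewall filter GTSM_FILTER term ELSE_ACCEPT then accept
set interfaces ge-0/0/0 unit 0 family inet filter input-list INBOUND_FILTER
set interfaces ge-0/0/0 unit 0 family inet filter input-list GTSM_FILTER
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.1/30
set interfaces ge-0/0/1 unit 0 family inet filter input INBOUND_FILTER
set interfaces ge-0/0/1 unit 0 family inet address 198.51.100.1/30
"""

# Constructed variant that logs a bad TTL but never discards it. It does not
# satisfy the rule and must not be counted as a GTSM filter.
LOG_ONLY_SET_CONFIG = """\
set firewall filter GTSM_LOG term TTL_SECURITY from protocol tcp
set firewall filter GTSM_LOG term TTL_SECURITY from ttl-except 255
set firewall filter GTSM_LOG term TTL_SECURITY from port bgp
set firewall filter GTSM_LOG term TTL_SECURITY then syslog
set firewall filter GTSM_LOG term TTL_SECURITY then accept
set interfaces ge-0/0/0 unit 0 family inet filter input GTSM_LOG
"""

TERM_RE = re.compile(r"^set firewall filter (\S+) term (\S+) (from|then) (.+)$")
IFACE_RE = re.compile(
    r"^set interfaces (\S+) unit (\d+) family inet filter (?:input|input-list) (\S+)$")


def gtsm_filters(set_config):
    """Names of filters with a term that discards TCP/179 traffic whose TTL is not 255.

    "port bgp" (or "port 179") is required rather than destination-port so that
    both directions of session setup are covered; "discard" is required because
    a syslog-only term enforces nothing.
    """
    terms = {}
    for line in set_config.splitlines():
        m = TERM_RE.match(line.strip())
        if m:
            name, term, clause, value = m.groups()
            terms.setdefault((name, term), {"from": set(), "then": set()})[clause].add(value)
    compliant = set()
    for (name, _term), parts in terms.items():
        f, t = parts["from"], parts["then"]
        if ("protocol tcp" in f and "ttl-except 255" in f
                and f & {"port bgp", "port 179"} and "discard" in t):
            compliant.add(name)
    return compliant


def input_filters(set_config):
    """Map logical interface (e.g. 'ge-0/0/0.0') to its family inet input filters, in order."""
    applied = {}
    for line in set_config.splitlines():
        m = IFACE_RE.match(line.strip())
        if m:
            ifname, unit, fname = m.groups()
            applied.setdefault(f"{ifname}.{unit}", []).append(fname)
    return applied


def check_gtsm(set_config, ebgp_interfaces):
    """Return (compliant, findings): findings are eBGP-facing interfaces without a GTSM filter."""
    filters = gtsm_filters(set_config)
    applied = input_filters(set_config)
    findings = [i for i in ebgp_interfaces if not filters & set(applied.get(i, []))]
    return (not findings, findings)


if __name__ == "__main__":
    ok, missing = check_gtsm(SAMPLE_SET_CONFIG, ["ge-0/0/0.0", "ge-0/0/1.0"])
    print("compliant" if ok else "finding: no GTSM filter on " + ", ".join(missing))
```

Two caveats the script does not cover. First, the filter only protects the session if the peer's packets really arrive with TTL 255, and the peer's symmetric filter only accepts ours if this router also originates eBGP packets with TTL 255; in Junos that is the ttl statement under [edit protocols bgp] (or per group or neighbor), which is not shown on this page and must be verified separately. Second, the ttl and ttl-except match conditions are not available in inet filters on every Junos platform, so confirm support on the target chassis before relying on the filter to enforce the rule.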

Vulnerability Number

V-217051

Documentable

False

Rule Version

JUNI-RT-000460

Severity Override Guidance


Check Content Reference

M

Target Key

4032

Comments