STIGQter: STIG Summary: Juniper Router RTR Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 12 Feb 2021:

The Juniper BGP router must be configured to reject inbound route advertisements for any Bogon prefixes.

DISA Rule

SV-217053r639663_rule

Vulnerability Number

V-217053

Group Title

SRG-NET-000018-RTR-000002

Rule Version

JUNI-RT-000480

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the router to reject inbound route advertisements for any Bogon prefixes.

Configure a prefix list containing the current Bogon prefixes as shown below.

[edit policy-options]
set prefix-list BOGON_PREFIXES 0.0.0.0/8
set prefix-list BOGON_PREFIXES 10.0.0.0/8
set prefix-list BOGON_PREFIXES 100.64.0.0/10
set prefix-list BOGON_PREFIXES 127.0.0.0/8
set prefix-list BOGON_PREFIXES 169.254.0.0/16
set prefix-list BOGON_PREFIXES 172.16.0.0/12
set prefix-list BOGON_PREFIXES 192.0.0.0/24
set prefix-list BOGON_PREFIXES 192.0.2.0/24
set prefix-list BOGON_PREFIXES 192.168.0.0/16
set prefix-list BOGON_PREFIXES 198.18.0.0/15
set prefix-list BOGON_PREFIXES 198.51.100.0/24
set prefix-list BOGON_PREFIXES 203.0.113.0/24
set prefix-list BOGON_PREFIXES 224.0.0.0/4
set prefix-list BOGON_PREFIXES 240.0.0.0/4

Configure a policy-statement to reject Bogon prefixes.

set policy-statement FILTER_ROUTES term REJECT_BOGONS from prefix-list BOGON_PREFIXES
set policy-statement FILTER_ROUTES term REJECT_BOGONS then reject
set policy-statement FILTER_ROUTES term ACCEPT_OTHER then accept

Configure an import statement referencing the policy to reject Bogons on all external BGP peers.

[edit protocols bgp group GROUP_AS4]
set import FILTER_ROUTES

Check Contents

Review the router configuration to verify that it will reject BGP routes for any Bogon prefixes.

Verify a prefix list has been configured containing the current Bogon prefixes as shown in the example below.

policy-options {
    prefix-list BOGON_PREFIXES {
        0.0.0.0/8;
        10.0.0.0/8;
        100.64.0.0/10;
        127.0.0.0/8;
        169.254.0.0/16;
        172.16.0.0/12;
        192.0.0.0/24;
        192.0.2.0/24;
        192.168.0.0/16;
        198.18.0.0/15;
        198.51.100.0/24;
        203.0.113.0/24;
        224.0.0.0/4;
        240.0.0.0/4;
    }
}

Verify that a policy has been configured to reject the Bogon prefixes.

policy-options {
    policy-statement FILTER_ROUTES {
        term REJECT_BOGONS {
            from {
                prefix-list BOGON_PREFIXES;
            }
            then reject;
        }
        term ACCEPT_OTHERS {
            then accept;
        }
    }
}

Verify that the configured policy to filter Bogons has been applied to external BGP peers as shown in the example below.

protocols {
    bgp {
        group GROUP_AS4 {
            type external;
            import FILTER_ROUTES;
            peer-as 4;
            neighbor x.x.x.x;
        }
    }
}

If the router is not configured to reject inbound route advertisements for any Bogon prefixes, this is a finding.
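The check above can be automated against a saved "show configuration" listing. The following Python script is an added example and is not part of the STIG or of Juniper's tooling. It parses the curly-brace configuration into a tree, confirms that a prefix-list covers all fourteen Bogon prefixes from the Fix Recommendation, that a policy-statement rejects that list in a term that is actually reachable (an unconditional accept placed before it would make it dead), and that every external BGP group imports such a policy, honouring Junos inheritance of a group-level import over a bgp-level one. The sample configurations embedded in it are constructed; 192.0.2.1 stands in for the page's x.x.x.x placeholder.

```python
"""Offline check of a Junos 'show configuration' listing against JUNI-RT-000480.
Added example, not DISA or Juniper code; the sample configurations are constructed."""
from dataclasses import dataclass, field

# The fourteen IPv4 Bogon prefixes listed in the Fix Recommendation.
REQUIRED_BOGONS = frozenset({
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4"})

@dataclass
class Node:
    """One hierarchy level: named sub-blocks plus terminal statements."""
    blocks: dict = field(default_factory=dict)
    leaves: list = field(default_factory=list)

def parse_junos(text: str) -> Node:
    """Parse 'header {', 'statement;' and '}' lines into a Node tree.
    '##' comments are dropped; 'inactive:' and annotations are not handled."""
    stack = [Node()]
    for raw in text.splitlines():
        line = raw.split("##", 1)[0].strip()
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif line.endswith("{"):
            stack[-1].blocks[line[:-1].strip()] = child = Node()
            stack.append(child)
        elif line.endswith(";"):
            stack[-1].leaves.append(line[:-1].strip())
        else:
            raise ValueError(f"unrecognised line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("missing '}'")
    return stack[0]

def _imports(node: Node) -> set:
    """Policy names from 'import X;' or 'import [ X Y ];' at this level."""
    return {w for leaf in node.leaves if leaf.startswith("import ")
            for w in leaf.split()[1:] if w not in ("[", "]")}

def compliant_prefix_lists(po: Node) -> set:
    """Names of prefix-lists that contain every required Bogon prefix."""
    return {h.split()[1] for h, n in po.blocks.items()
            if h.startswith("prefix-list ") and REQUIRED_BOGONS <= set(n.leaves)}

def rejecting_policies(po: Node, lists: set) -> set:
    """Policy-statements with a reachable term that rejects one of `lists`."""
    names = set()
    for header, policy in po.blocks.items():
        if not header.startswith("policy-statement "):
            continue
        for t_header, term in policy.blocks.items():  # terms in configured order
            if not t_header.startswith("term "):
                continue
            words = [l.split() for l in term.blocks.get("from", Node()).leaves]
            matched = {w[1] for w in words
                       if len(w) > 1 and w[0] in ("prefix-list", "prefix-list-filter")}
            # 'then reject;' may also be written as 'then { reject; }'.
            actions = set(term.leaves) | {
                "then " + a for a in term.blocks.get("then", Node()).leaves}
            if matched & lists and "then reject" in actions:
                names.add(header.split()[1])
                break
            if "from" not in term.blocks and "then accept" in actions:
                break  # unconditional accept: later terms are unreachable
    return names

def check_config(text: str) -> list:
    """Return a list of findings; an empty list means the rule is satisfied."""
    root = parse_junos(text)
    po = root.blocks.get("policy-options", Node())
    lists = compliant_prefix_lists(po)
    policies = rejecting_policies(po, lists)
    findings = []
    if not lists:
        findings.append("no prefix-list contains all required Bogon prefixes")
    elif not policies:
        findings.append("no policy-statement rejects a compliant Bogon prefix-list")
    bgp = root.blocks.get("protocols", Node()).blocks.get("bgp", Node())
    for g_header, group in bgp.blocks.items():
        if g_header.startswith("group ") and "type external" in group.leaves:
            # Junos inheritance: a group-level import replaces the bgp-level one
            # (neighbor-level imports, which override both, are not checked here).
            if not (_imports(group) or _imports(bgp)) & policies:
                findings.append(f"external {g_header} does not import a Bogon-rejecting policy")
    return findings

# Constructed sample equivalent to the Check Contents excerpt, written without
# indentation (the parser ignores it); 192.0.2.1 replaces the x.x.x.x placeholder.
COMPLIANT = "\n".join([
    "policy-options {", "prefix-list BOGON_PREFIXES {",
    *(f"{p};" for p in sorted(REQUIRED_BOGONS)), "}",
    "policy-statement FILTER_ROUTES {", "term REJECT_BOGONS {", "from {",
    "prefix-list BOGON_PREFIXES;", "}", "then reject;", "}",
    "term ACCEPT_OTHERS {", "then accept;", "}", "}", "}",
    "protocols {", "bgp {", "group GROUP_AS4 {", "type external;",
    "import FILTER_ROUTES;", "peer-as 4;", "neighbor 192.0.2.1;", "}", "}", "}"])
# The same router with the import removed from its external group: a finding.
MISSING_IMPORT = COMPLIANT.replace("import FILTER_ROUTES;\n", "")
```

Feed check_config() the text of "show configuration policy-options" and "show configuration protocols bgp" saved from the router; an empty list is a pass. The script goes slightly beyond the page's single example in that it accepts any prefix-list name that covers the required prefixes, any number of external groups, and the bracketed multi-policy form of the import statement.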

Vulnerability Number

V-217053

Documentable

False

Rule Version

JUNI-RT-000480

Severity Override Guidance

Check Content Reference

M

Target Key

4032

Comments