STIGQter: STIG Summary: Juniper Router RTR Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 12 Feb 2021

The Juniper BGP router must be configured to reject route advertisements from BGP peers that do not list their autonomous system (AS) number as the first AS in the AS_PATH attribute.

DISA Rule

SV-217058r639663_rule

Vulnerability Number

V-217058

Group Title

SRG-NET-000018-RTR-000006

Rule Version

JUNI-RT-000530

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Configure the router to deny updates received from eBGP peers that do not list their AS number as the first AS in the AS_PATH attribute. Add the enforce-first-as statement at the [edit protocols bgp] hierarchy to cover every peer, or under an individual group (or neighbor) to cover only the peers beneath it, as shown in the example below:

[edit protocols bgp group]
set enforce-first-as

Check Contents

Review the router configuration to verify the router is configured to deny updates received from eBGP peers that do not list their AS number as the first AS in the AS_PATH attribute. Verify that the enforce-first-as command has been configured at the BGP or group hierarchy as shown in the example below:

protocols {
    bgp {
        enforce-first-as;
    }
}

If the router is not configured to reject updates from peers that do not list their AS number as the first AS in the AS_PATH attribute, this is a finding.
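As an added example (not part of the STIG, STIGQter, or any Juniper code), the following Python script covers both the Fix Recommendation and the Check Contents above: it audits a Junos configuration in the curly-brace form that "show configuration" prints, reporting eBGP neighbors that do not get enforce-first-as from the bgp, group, or neighbor level, and it shows the AS_PATH test that the statement turns on. The sample configuration, group names, addresses, and AS numbers are constructed for this example; the parser handles only the brace form and ignores apply-groups and inactive: markers.

```python
"""Audit a Junos configuration for JUNI-RT-000530 (enforce-first-as) and
show the AS_PATH check the statement turns on. Added example; not from the
STIG or from Juniper. The sample configuration and the addresses and AS
numbers in it are constructed for this example."""

# Constructed sample: one group compliant at group level, one transit group
# with no enforce-first-as anywhere, one group mixing neighbor-level
# settings, and one iBGP group (the control applies to eBGP peers only).
SAMPLE_CONFIG = """\
protocols {
    bgp {
        group EXTERNAL-PEERS {
            type external;
            enforce-first-as;
            peer-as 64500;
            neighbor 192.0.2.1;
        }
        group TRANSIT {
            type external;
            peer-as 64496;
            neighbor 198.51.100.1;
        }
        group PEERING {
            type external;
            neighbor 203.0.113.1 {
                peer-as 64499;
                enforce-first-as;
            }
            neighbor 203.0.113.2 {
                peer-as 64498;
            }
        }
        group IBGP {
            type internal;
            neighbor 10.0.0.2;
        }
    }
}
"""

# Same configuration with the fix applied at the [edit protocols bgp] level,
# which is inherited by every group and neighbor beneath it.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "    bgp {\n", "    bgp {\n        enforce-first-as;\n", 1)


def parse_junos(text):
    """Parse brace-style Junos config text into nested dicts: containers map
    to dicts, leaf statements map to None. Only the brace/semicolon form is
    handled; 'set'-style output, apply-groups and 'inactive:' are out of scope."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line.endswith(";"):
            stack[-1][line[:-1].strip()] = None
        else:
            raise ValueError(f"unparsable line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced braces in configuration")
    return root


def audit_enforce_first_as(text):
    """Return (group, neighbor) pairs for eBGP neighbors that neither set
    enforce-first-as nor inherit it from their group or the bgp level.
    An empty list means no finding."""
    bgp = parse_junos(text).get("protocols", {}).get("bgp") or {}
    global_ok = "enforce-first-as" in bgp
    findings = []
    for key, body in bgp.items():
        if not key.startswith("group ") or body is None:
            continue
        group = key.split(None, 1)[1]
        # Junos groups default to 'type external'; only 'type internal' is iBGP.
        if "type internal" in body:
            continue
        group_ok = global_ok or "enforce-first-as" in body
        for nkey, nbody in body.items():
            if not nkey.startswith("neighbor "):
                continue
            neighbor = nkey.split(None, 1)[1]
            neighbor_ok = group_ok or (nbody is not None and "enforce-first-as" in nbody)
            if not neighbor_ok:
                findings.append((group, neighbor))
    return findings


def first_as_ok(peer_as, as_path):
    """The test enforce-first-as applies to an eBGP UPDATE (RFC 4271 sec. 6.3):
    the leftmost AS of AS_PATH must be the sending peer's AS. as_path is the
    flattened AS_SEQUENCE, most recently added AS first. Anything else is a
    malformed AS_PATH and the update is rejected."""
    return bool(as_path) and as_path[0] == peer_as


if __name__ == "__main__":
    for label, cfg in (("before fix", SAMPLE_CONFIG), ("after fix", FIXED_CONFIG)):
        print(label, audit_enforce_first_as(cfg) or "no finding")
    print(first_as_ok(64500, [64500, 64500, 64501]))  # peer prepends its own AS: accepted
    print(first_as_ok(64500, [64501]))                # peer hides its AS: rejected
```

Run the script as-is to see the two findings (TRANSIT and the second PEERING neighbor) disappear once enforce-first-as is set at the bgp level; to audit a real device, feed it the output of "show configuration protocols bgp" wrapped in a protocols { } block. The audit deliberately walks down to the neighbor level because the STIG check only mentions the bgp and group hierarchies, and a neighbor-level statement is the one place an auditor reading only those two levels would miss.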

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4032

Comments