STIGQter STIGQter: STIG Summary: Juniper Router RTR Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 12 Feb 2021:

The Juniper BGP router must be configured to reject route advertisements from CE routers with an originating AS in the AS_PATH attribute that does not belong to that customer.

DISA Rule

SV-217059r639663_rule

Vulnerability Number

V-217059

Group Title

SRG-NET-000018-RTR-000010

Rule Version

JUNI-RT-000535

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Step 1: Configure a policy to filter the AS_PATH as shown in the example below:

[edit policy-options]
set as-path PEER_ASx "^x$"
set policy-statement FILTER_ASx term ALLOW_ASx from as-path PEER_ASx
set policy-statement FILTER_ASx term ALLOW_ASx then accept
set policy-statement FILTER_ASx term ELSE_REJECT then reject

Step 2: Apply the import policy as shown in the example below:

[edit protocols bgp group GROUP_ASx]
set import [FILTER_AS4 FILTER_ROUTES]

Check Contents

This requirement is not applicable for the DODIN Backbone.”

Review the router configuration to verify the router is configured to deny updates received from CE routers with an originating AS in the AS_PATH attribute that does not belong to that customer.

Step 1: Verify a policy has been configured to filter AS_PATH attribute for received BGP advertisements as shown in the example below:

policy-options {



policy-statement FILTER_ASx {
term ALLOW_ASx {
from as-path PEER_ASx;
then accept;
}
term ELSE_REJECT {
then reject;
}
}



as-path PEER_ASx "^x$";
}

Note: the characters “^” and “$” representing the beginning and the end of the expression respectively are optional and are implicitly defined if omitted.
Step 2: Verify that the import policy has been applied to all external BGP peers as shown in the example below:

protocols {
bgp {
group GROUP_ASx {
type external;
import [ FILTER_ASx FILTER_ROUTES ];
peer-as x;
neighbor x.x.x.x;
}

If the router is not configured to reject updates from CE routers with an originating AS in the AS_PATH attribute that does not belong to that customer, this is a finding.

Vulnerability Number

V-217059

Documentable

False

Rule Version

JUNI-RT-000535

Severity Override Guidance

This requirement is not applicable for the DODIN Backbone.”

Review the router configuration to verify the router is configured to deny updates received from CE routers with an originating AS in the AS_PATH attribute that does not belong to that customer.

Step 1: Verify a policy has been configured to filter AS_PATH attribute for received BGP advertisements as shown in the example below:

policy-options {



policy-statement FILTER_ASx {
term ALLOW_ASx {
from as-path PEER_ASx;
then accept;
}
term ELSE_REJECT {
then reject;
}
}



as-path PEER_ASx "^x$";
}

Note: the characters “^” and “$” representing the beginning and the end of the expression respectively are optional and are implicitly defined if omitted.
Step 2: Verify that the import policy has been applied to all external BGP peers as shown in the example below:

protocols {
bgp {
group GROUP_ASx {
type external;
import [ FILTER_ASx FILTER_ROUTES ];
peer-as x;
neighbor x.x.x.x;
}

If the router is not configured to reject updates from CE routers with an originating AS in the AS_PATH attribute that does not belong to that customer, this is a finding.

Check Content Reference

M

Target Key

4032

Comments