STIGQter: STIG Summary: Juniper Router RTR Security Technical Implementation Guide, Version 2, Release 2, Benchmark Date: 12 Feb 2021

The Juniper PE router must be configured to ignore or block all packets with any IP options.

DISA Rule

SV-217078r639663_rule

Vulnerability Number

V-217078

Group Title

SRG-NET-000205-RTR-000016

Rule Version

JUNI-RT-000730

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the router to drop all packets with IP options.

[edit firewall family inet filter INGRESS_FILTER]
set term BLOCK_IP_OPTIONS from ip-options any
set term BLOCK_IP_OPTIONS then discard
insert term BLOCK_IP_OPTIONS before term ALLOW_TRANSIT_TRAFFIC

Check Contents

Review the router configuration to determine if it will block all packets with IP options.

firewall {
    family inet {
        filter INGRESS_FILTER {
            term BLOCK_TO_CORE {
                from {
                    destination-address {
                        x.x.x.x/8;
                    }
                }
                then {
                    log;
                    discard;
                }
            }
            term BLOCK_IP_OPTIONS {
                from {
                    ip-options any;
                }
                then {
                    discard;
                }
            }
            term ALLOW_TRANSIT_TRAFFIC {
                then accept;
            }
        }
    }
}

If the router is not configured to drop all packets with IP options, this is a finding.
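An automated form of this check, added here as an example and not part of the STIG or STIGQter itself: it parses the curly-brace Junos configuration shown above and confirms that INGRESS_FILTER has a term matching only `ip-options any` whose action is `discard`, and that no term accepting traffic is evaluated before it (the reason the fix uses `insert ... before`). The sample configurations are constructed from the check content, not taken from a live device.

```python
import re
def parse_block(tokens, i=0):
    # Ordered (statement, children) pairs; children is None for leaf statements.
    items, pending = [], None
    while i < len(tokens):
        tok, i = tokens[i], i + 1
        if tok == "{":
            children, i = parse_block(tokens, i)
            items.append((pending, children))
        elif tok == "}":
            return items, i
        elif tok == ";":
            items.append((pending, None))
        else:
            pending = tok
    return items, i

def child(items, header):
    # Children of the stanza whose header matches exactly, or None if absent.
    return next((c for s, c in items or [] if s == header), None)

def check_ip_options_blocked(config, filter_name="INGRESS_FILTER"):
    # JUNI-RT-000730: a term matching only 'ip-options any' must discard before any term accepts.
    tokens = [t.strip() for t in re.findall(r"[{};]|[^{};]+", config)]
    tree = parse_block([t for t in tokens if t])[0]
    terms = child(child(child(tree, "firewall"), "family inet"), f"filter {filter_name}")
    if terms is None:
        return False, f"filter {filter_name} not found"
    for stmt, body in terms:
        if not stmt.startswith("term "):
            continue
        name = stmt.split()[1]
        conditions = [c for c, _ in child(body, "from") or []]
        # Actions appear as a 'then { ... }' stanza or inline as 'then accept;'.
        actions = [a for a, _ in child(body, "then") or []]
        actions += [s[5:] for s, c in body if c is None and s.startswith("then ")]
        if conditions == ["ip-options any"] and "discard" in actions:
            return True, f"term {name} discards all IP-options packets before any accept"
        if "accept" in actions:
            # Junos evaluates terms in order: an earlier accept bypasses the block term.
            return False, f"term {name} accepts traffic before any IP-options discard term"
    return False, "no term discards 'ip-options any'"

# Constructed samples: the compliant filter from the check, and a finding where the
# IP-options discard term was added after the catch-all accept term.
COMPLIANT = """firewall { family inet { filter INGRESS_FILTER {
    term BLOCK_TO_CORE { from { destination-address { x.x.x.x/8; } } then { log; discard; } }
    term BLOCK_IP_OPTIONS { from { ip-options any; } then { discard; } }
    term ALLOW_TRANSIT_TRAFFIC { then accept; } } } }"""
NONCOMPLIANT = """firewall { family inet { filter INGRESS_FILTER {
    term ALLOW_TRANSIT_TRAFFIC { then accept; }
    term BLOCK_IP_OPTIONS { from { ip-options any; } then { discard; } } } } }"""
```

The check only inspects the filter definition; it does not confirm that INGRESS_FILTER is actually applied to an interface, which must be verified separately.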

Vulnerability Number

V-217078

Documentable

False

Rule Version

JUNI-RT-000730

Severity Override Guidance

Check Content Reference

M

Target Key

4032

Comments