STIGQter: STIG Summary: Juniper Router RTR Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 12 Feb 2021

The Juniper multicast edge router must be configured to establish boundaries for administratively scoped multicast traffic.

DISA Rule

SV-217084r639663_rule

Vulnerability Number

V-217084

Group Title

SRG-NET-000019-RTR-000005

Rule Version

JUNI-RT-000800

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Configure the router to block admin-scoped multicast traffic at the multicast domain edge as shown in the example below:

[edit routing-options]
set multicast scope ADMIN_SCOPE interface ge-1/0/1.0 prefix 239.0.0.0/8
set multicast scope ADMIN_SCOPE interface ge-1/1/1.0 prefix 239.0.0.0/8

Check Contents

Review the router configuration to verify it is blocking admin-scope multicast traffic (239.0.0.0/8) at the multicast domain edge as shown in the example below:

routing-options {
    multicast {
        scope ADMIN_SCOPE {
            prefix 239.0.0.0/8;
            interface [ ge-1/0/1.0 ge-1/1/1.0 ];
        }
    }
}

If the router is not configured to block admin-scoped multicast traffic at the multicast domain edge, this is a finding.
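
The check above can be automated against saved configuration text. The following is an added example, not part of the STIG or of Juniper tooling: it reads either the hierarchical form from the check text or the `set` form from the fix text and reports which multicast edge interfaces have no scope covering all of 239.0.0.0/8. The function names, the sample configurations and the auditor-supplied list of edge interfaces are assumptions, as is treating a broader prefix that contains 239.0.0.0/8 as covering it.

```python
import ipaddress
import re

ADMIN_SCOPED = ipaddress.ip_network("239.0.0.0/8")

def parse_scopes(config):
    """Map scope name -> {"prefix": set of networks, "interface": set of names}."""
    scopes = {}
    def add(name, key, values):
        if key in ("prefix", "interface"):
            entry = scopes.setdefault(name, {"prefix": set(), "interface": set()})
            entry[key].update(ipaddress.ip_network(v) if key == "prefix" else v for v in values)
    # Hierarchical form, as in the check text: scope NAME { prefix P; interface [ a b ]; }
    for name, body in re.findall(r"\bscope\s+(\S+)\s*\{([^}]*)\}", config):
        for stmt in body.split(";"):
            words = stmt.replace("[", " ").replace("]", " ").split()
            if len(words) >= 2:
                add(name, words[0], words[1:])
    # "set" form, as in the fix text: set multicast scope NAME interface X prefix P
    for line in config.splitlines():
        words = line.split()
        if words[:1] == ["set"] and "scope" in words[:-1]:
            i = words.index("scope")
            rest = words[i + 2:]
            for key, value in zip(rest[::2], rest[1::2]):
                add(words[i + 1], key, [value])
    return scopes

def unscoped_edge_interfaces(config, edge_interfaces):
    """Return edge interfaces lacking a scope that covers all of 239.0.0.0/8."""
    covered = set()
    for entry in parse_scopes(config).values():
        if any(p.version == 4 and ADMIN_SCOPED.subnet_of(p) for p in entry["prefix"]):
            covered |= entry["interface"]
    return set(edge_interfaces) - covered

# Constructed sample inputs; the interface names are the ones used in the STIG example.
EDGE = ["ge-1/0/1.0", "ge-1/1/1.0"]
COMPLIANT = """routing-options { multicast { scope ADMIN_SCOPE {
    prefix 239.0.0.0/8; interface [ ge-1/0/1.0 ge-1/1/1.0 ]; } } }"""
TOO_NARROW = """set routing-options multicast scope ADMIN_SCOPE prefix 239.255.0.0/16
set routing-options multicast scope ADMIN_SCOPE interface ge-1/0/1.0"""
ONE_EDGE_MISSING = "set multicast scope ADMIN_SCOPE interface ge-1/0/1.0 prefix 239.0.0.0/8"

if __name__ == "__main__":
    for label, cfg in [("compliant", COMPLIANT), ("too narrow", TOO_NARROW),
                       ("one edge missing", ONE_EDGE_MISSING)]:
        missing = unscoped_edge_interfaces(cfg, EDGE)
        print(label, "->", "finding: " + ", ".join(sorted(missing)) if missing else "not a finding")
```

A non-empty result corresponds to a finding for the listed interfaces; an empty set means every supplied edge interface is covered.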

Documentable

False

Check Content Reference

M

Target Key

4032
