STIGQter STIGQter: STIG Summary: Juniper Router RTR Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 12 Feb 2021:

The Juniper multicast Designated Router (DR) must be configured to filter the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Report messages to allow hosts to join only multicast groups that have been approved by the organization.

DISA Rule

SV-217089r639663_rule

Vulnerability Number

V-217089

Group Title

SRG-NET-000364-RTR-000114

Rule Version

JUNI-RT-000850

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Configure the DR to filter the IGMP and MLD report messages to allow hosts to join only those multicast groups that have been approved.

Configure a multicast join policy to filter groups that have not been approved as shown in the example below.

[edit policy-options policy-statement MULTICAST_JOIN_POLICY]
set term BAD_GROUPS from route-filter 224.1.1.0/24 orlonger
set term BAD_GROUPS from route-filter 225.1.2.3/32 exact
set term BAD_GROUPS from route-filter 239.0.0.0/8 orlonger
set term BAD_GROUPS then reject
set term ALLOW_APPROVED then accept

Apply the policy to all interfaces enabled for IGMP.

[edit protocols igmp]
set interface ge-1/0/1.0 group-policy MULTICAST_JOIN_POLICY

Check Contents

Review the configuration of the DR to verify that it is filtering IGMP or MLD report messages, allowing hosts to join only those groups that have been approved.

Verify that a group policy has been configured to filter IGMP join requests as shown in the example below.

protocols {
igmp {
interface ge-1/0/1.0 {
group-policy MULTICAST_JOIN_POLICY;
}
}

Verify that the group policy only allows join requests for those groups that have been approved.

policy-options {



}
policy-statement MULTICAST_JOIN_POLICY {



}
term BAD_GROUPS {
from {
route-filter 224.1.1.0/24 orlonger;
route-filter 225.1.2.3/32 exact;
route-filter 239.0.0.0/8 orlonger;



route-filter 232.0.0.0/8 orlonger;
}
then reject;
}
term ALLOW_APPROVED {
then accept;
}
}

Note: This requirement is only applicable to Source Specific Multicast (SSM) implementation. This requirement is not applicable to Any Source Multicast (ASM) since the filtering is being performed by the Rendezvous Point router.

If the DR is not filtering IGMP or MLD report messages to only allow joins for approved groups, this is a finding.

Vulnerability Number

V-217089

Documentable

False

Rule Version

JUNI-RT-000850

Severity Override Guidance

Review the configuration of the DR to verify that it is filtering IGMP or MLD report messages, allowing hosts to join only those groups that have been approved.

Verify that a group policy has been configured to filter IGMP join requests as shown in the example below.

protocols {
igmp {
interface ge-1/0/1.0 {
group-policy MULTICAST_JOIN_POLICY;
}
}

Verify that the group policy only allows join requests for those groups that have been approved.

policy-options {



}
policy-statement MULTICAST_JOIN_POLICY {



}
term BAD_GROUPS {
from {
route-filter 224.1.1.0/24 orlonger;
route-filter 225.1.2.3/32 exact;
route-filter 239.0.0.0/8 orlonger;



route-filter 232.0.0.0/8 orlonger;
}
then reject;
}
term ALLOW_APPROVED {
then accept;
}
}

Note: This requirement is only applicable to Source Specific Multicast (SSM) implementation. This requirement is not applicable to Any Source Multicast (ASM) since the filtering is being performed by the Rendezvous Point router.

If the DR is not filtering IGMP or MLD report messages to only allow joins for approved groups, this is a finding.

Check Content Reference

M

Target Key

4032

Comments