STIGQter STIGQter: STIG Summary: Juniper Router RTR Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 12 Feb 2021:

The Juniper Multicast Source Discovery Protocol (MSDP) router must be configured to filter received source-active multicast advertisements for any undesirable multicast groups and sources.

DISA Rule

SV-217095r639663_rule

Vulnerability Number

V-217095

Group Title

SRG-NET-000018-RTR-000007

Rule Version

JUNI-RT-000910

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Configure the MSDP to implement an import policy to block multicast advertisements for undesirable multicast groups and sources.

Configure the source-active filter to reject undesirable multicast groups and sources as shown in the example below.

[edit policy-options]
set policy-statement SA_IMPORT term BAD_GROUPS from route-filter 224.0.1.2/32 exact
set policy-statement SA_IMPORT term BAD_GROUPS from route-filter 224.77.0.0/16 orlonger
set policy-statement SA_IMPORT term BAD_GROUPS then reject
set policy-statement SA_IMPORT term BAD_SOURCES from source-address-filter x.x.x.x/8 orlonger
set policy-statement SA_IMPORT term BAD_SOURCES from source-address-filter x.x.x.x/16 orlonger
set policy-statement SA_IMPORT term BAD_SOURCES then reject
set policy-statement SA_IMPORT term ACCEPT_OTHERS then accept

Configure the source-active filter to be an import filter.

[edit protocols msdp]
set import SA_IMPORT

Check Contents

Review the router configuration to determine if there is import policy to block source-active multicast advertisements for undesirable multicast groups and sources.

policy-options {



}
policy-statement SA_IMPORT {
term BAD_GROUPS {
from {
route-filter 224.0.1.2/32 exact;
route-filter 224.77.0.0/16 orlonger;
}
then reject;
}
term BAD_SOURCES {
from {
source-address-filter x.x.x.x /8 orlonger;
source-address-filter x.x.x.x /8 orlonger;

then accept;
}
}

Verify that an import source-active filter has been applied to MSDP.

protocols {



}
msdp {
import SA_IMPORT;

If the router is not configured with an import policy to block undesirable SA multicast advertisements, this is a finding.

Vulnerability Number

V-217095

Documentable

False

Rule Version

JUNI-RT-000910

Severity Override Guidance

Review the router configuration to determine if there is import policy to block source-active multicast advertisements for undesirable multicast groups and sources.

policy-options {



}
policy-statement SA_IMPORT {
term BAD_GROUPS {
from {
route-filter 224.0.1.2/32 exact;
route-filter 224.77.0.0/16 orlonger;
}
then reject;
}
term BAD_SOURCES {
from {
source-address-filter x.x.x.x /8 orlonger;
source-address-filter x.x.x.x /8 orlonger;

then accept;
}
}

Verify that an import source-active filter has been applied to MSDP.

protocols {



}
msdp {
import SA_IMPORT;

If the router is not configured with an import policy to block undesirable SA multicast advertisements, this is a finding.

Check Content Reference

M

Target Key

4032

Comments