Title

The Juniper EX switch must be configured to set all user-facing or untrusted ports as access interfaces. (Cat II impact)

Discussion

Configuring user-facing or untrusted interfaces as trunked may expose network traffic to an unauthorized, or unintended, connected endpoint. Access interfaces can belong to a single VLAN rather than the multiple VLANs supported by trunks, which limits potential exposure to a smaller subset of the total network traffic. Access interfaces also behave differently than trunked interfaces, especially with respect to control plane traffic. For example, access interfaces can be marked as "edge" for protocols like Rapid Spanning Tree (RSTP) or Multiple Spanning Tree (MSTP) where specific protections can be applied to prevent the switch from accepting Bridge Protocol Data Units (BPDU) from unauthorized sources and causing a network topology change or disruption. Additionally, network level protection mechanisms, like 802.1x or sticky-mac, are applied to access interfaces and these protection mechanisms help prevent unauthorized network access.

Check Content

Review the switch configuration and examine all user-facing or untrusted interfaces and verify the interface mode command is not present or, if present, is not configured with the keyword "trunk". Default interface-mode access for interface configured with family ethernet-switching. [edit interfaces] <interface name> { unit 0 { family ethernet-switching { } } } Note: Because the default interface-mode is "access", an interface configured for family ethernet-switching and without an "interface-mode" declaration is automatically an access interface. Interfaces explicitly configured mode access. [edit interfaces] <interface name> { unit 0 { family ethernet-switching { interface-mode access; } } } If any of the user-facing access interfaces are configured as a trunk, this is a finding.

Fix Text

Disable trunking on all user-facing or untrusted access interfaces. Deleting interface-mode from the configuration automatically assigns mode access: delete interfaces <interface name> unit 0 family ethernet-switching interface-mode Explicitly configure mode access for a user-facing or untrusted interface: set interfaces <interface name> unit 0 family ethernet-switching interface-mode access

Additional Identifiers

Rule ID: SV-253970r843943_rule

Vulnerability ID: V-253970

Group Title: SRG-NET-000512-L2S-000011

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.