Check: JUEX-L2-000040
Juniper EX Series Switches Layer 2 Switch STIG: JUEX-L2-000040 (version v2 r2)
Title
The Juniper EX switch must be configured to manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks. (Cat II impact)
Discussion
DoS attacks can be mitigated by ensuring sufficient capacity is available for mission-critical traffic. Managing capacity may include, for example, establishing selected network usage priorities or quotas and enforcing them using rate limiting, quality of service (QoS), or other resource reservation control methods. These measures may also mitigate the effects of sudden decreases in network capacity that are the result of accidental or intentional physical damage to telecommunications facilities (such as cable cuts or weather-related outages). A Junos OS classifier identifies and separates traffic flows and provides the means to prioritize traffic later in the class-of-service (CoS) process. By default, Junos implements a standard CoS (QoS) strategy. Although some devices implement different queues or queue numbers, generally there is at least a four-queue model with two active queues: 95 percent Best Effort (BE) and 5 percent Network Control (NC). A behavior aggregate (BA) classifier performs this classification by associating discriminating values with forwarding classes and loss priorities. Unless overridden, Junos OS applies the default CoS to all interfaces. Junos OS provides multiple predefined BA classifier types, which the site can combine and supplement with custom CoS configuration as needed to achieve overall traffic classification goals.
Check Content
From the CLI configuration mode:
1. Type "show class-of-service".
2. Review the CoS configuration to verify it implements the QoS requirements of the System Security Plan (SSP).
3. Type "show class-of-service interface" to verify the CoS policy is applied to the interfaces in accordance with the SSP.
If the switch is not configured to implement a CoS policy, this is a finding.
Fix Text
1. Configure and enable a CoS policy using the commands in the example stanza below.
2. Replace the variables in the example commands with meaningful, site-specific names, rates, and values that are appropriate for the target environment. Operationally test the settings.
3. Configure queues for each type of traffic based on the priorities established in the site's SSP.
Note: The following example configures DSCP. However, other BA classifier types may also be configured to implement the site's QoS requirements. Refer to the vendor documentation.
user@host# set class-of-service classifiers dscp <classifier name> import default
user@host# set class-of-service classifiers dscp <classifier name> forwarding-class <req'd forwarding class name> loss-priority <low|high> code-points <DSCP code point>
user@host# set class-of-service classifiers dscp <classifier name> forwarding-class <req'd forwarding class name> loss-priority <low|high> code-points <DSCP code point> (optional - only if multiple DSCP values are used)
user@host# set class-of-service interfaces <interface name> scheduler-map <scheduler map name>
user@host# set class-of-service interfaces <interface name> unit <unit number> classifiers dscp <classifier name>
user@host# set class-of-service interfaces <uplink interface> scheduler-map <scheduler map name>
user@host# set class-of-service interfaces <uplink interface> unit <unit number> classifiers dscp <classifier name>
user@host# set class-of-service scheduler-maps <scheduler map name> forwarding-class best-effort scheduler <scheduler name> (e.g., be-scheduler)
user@host# set class-of-service scheduler-maps <scheduler map name> forwarding-class <req'd forwarding class> scheduler <scheduler name> (e.g., ef-scheduler)
user@host# set class-of-service scheduler-maps <scheduler map name> forwarding-class network-control scheduler <scheduler name> (e.g., nc-scheduler)
user@host# set class-of-service schedulers <be-scheduler name> transmit-rate (exact <value> | percent (0..100) | remainder)
user@host# set class-of-service schedulers <be-scheduler name> priority (high | low | medium-high | medium-low | strict-high)
user@host# set class-of-service schedulers <ef-scheduler name> shaping-rate percent (0..100)
user@host# set class-of-service schedulers <ef-scheduler name> priority (high | low | medium-high | medium-low | strict-high)
user@host# set class-of-service schedulers <nc-scheduler name> shaping-rate percent (0..100)
user@host# set class-of-service schedulers <nc-scheduler name> priority (high | low | medium-high | medium-low | strict-high)
user@host# commit
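The stanza above with constructed values filled in, as an added example that is not part of the STIG text: it assumes the Junos default forwarding-class names (best-effort, expedited-forwarding, network-control), the standard DSCP aliases ef, cs6, cs7 and be, an access port ge-0/0/0 and an uplink xe-0/1/0; the classifier, scheduler and scheduler-map names and the rate percentages are placeholders to be replaced per the site's SSP. The point that makes this a DoS control is that every queue is bounded: a flood marked with a high-priority code point is shaped at its ceiling instead of starving the other queues, and network control keeps a guaranteed share.

```junos
# Added example (not from the STIG). Names, interfaces and rates are constructed
# placeholders; assumes the Junos default forwarding classes. Strip the comment
# lines before pasting into configuration mode.

# BA classifier: start from the default DSCP table so unlisted code points still
# land in best-effort, then override the code points the site cares about.
set class-of-service classifiers dscp site-dscp import default
set class-of-service classifiers dscp site-dscp forwarding-class expedited-forwarding loss-priority low code-points ef
set class-of-service classifiers dscp site-dscp forwarding-class network-control loss-priority low code-points cs6
set class-of-service classifiers dscp site-dscp forwarding-class network-control loss-priority low code-points cs7
set class-of-service classifiers dscp site-dscp forwarding-class best-effort loss-priority high code-points be

# Schedulers: best-effort takes whatever is left; EF is strict-high but shaped
# so a burst of EF-marked packets cannot consume the whole link; NC gets a
# guaranteed slice so control-plane traffic survives a data-plane flood.
set class-of-service schedulers be-scheduler transmit-rate remainder
set class-of-service schedulers be-scheduler priority low
set class-of-service schedulers ef-scheduler transmit-rate percent 30
set class-of-service schedulers ef-scheduler shaping-rate percent 30
set class-of-service schedulers ef-scheduler priority strict-high
set class-of-service schedulers nc-scheduler transmit-rate percent 5
set class-of-service schedulers nc-scheduler shaping-rate percent 10
set class-of-service schedulers nc-scheduler priority high

# Scheduler map: one scheduler per forwarding class.
set class-of-service scheduler-maps site-sched-map forwarding-class best-effort scheduler be-scheduler
set class-of-service scheduler-maps site-sched-map forwarding-class expedited-forwarding scheduler ef-scheduler
set class-of-service scheduler-maps site-sched-map forwarding-class network-control scheduler nc-scheduler

# Apply to an access port and the uplink: the scheduler map goes on the
# physical interface, the classifier on the logical unit.
set class-of-service interfaces ge-0/0/0 scheduler-map site-sched-map
set class-of-service interfaces ge-0/0/0 unit 0 classifiers dscp site-dscp
set class-of-service interfaces xe-0/1/0 scheduler-map site-sched-map
set class-of-service interfaces xe-0/1/0 unit 0 classifiers dscp site-dscp
commit
```

After the commit, "show class-of-service interface ge-0/0/0" should list site-sched-map as the scheduler map and site-dscp as the dscp classifier on unit 0, which is what the Check Content step looks for.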
Additional Identifiers
Rule ID: SV-253951r1028750_rule
Vulnerability ID: V-253951
Group Title: SRG-NET-000193-L2S-000020
CCIs
Number | Definition
---|---
CCI-001095 | Manage capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service attacks.
CCI-004866 | Employ organization-defined controls by type of denial-of-service to achieve the denial-of-service objective.
Controls
Number | Title
---|---
SC-5(2) | Excess Capacity / Bandwidth / Redundancy