An error occurred:

Check: JUEX-L2-000130

Juniper EX Series Switches Layer 2 Switch STIG: JUEX-L2-000130 (in versions v1 r2 through v1 r1)

Title

The Juniper EX switch must be configured to enable IP Source Guard on all user-facing or untrusted access VLANs. (Cat II impact)

Discussion

IP Source Guard provides source IP address filtering on an untrusted layer 2 interface to prevent a malicious host from impersonating a legitimate host by assuming the legitimate host's IP address. The feature uses dynamic DHCP snooping and static IP source binding to match IP addresses to hosts on untrusted layer 2 access interfaces. Initially, all IP traffic on the protected interface is blocked except for DHCP packets. After a client receives an IP address from the DHCP server, or after static IP source binding is configured by the administrator, all traffic with that IP source address is permitted from that client. Traffic from other hosts is denied. This filtering limits a host's ability to attack the network by claiming a neighbor host's IP address.

Check Content

Review the switch configuration to verify that IP Source Guard is enabled on all user-facing or untrusted VLANs. Configuring IP Source Guard automatically enables DHCP snooping. Devices like printers, servers, and VoIP phones are under enterprise control and connected to controlled access interfaces (802.1x, Static MAC Bypass, or MAC RADIUS), making them trusted sources in non-user-facing VLANs. Verify IP Source Guard on user-facing or untrusted VLANs. [edit vlans] <untrusted VLAN name> { vlan-id <VLAN ID>; forwarding-options { dhcp-security { ip-source-guard; } } } Note: IP Source Guard depends upon DHCP snooping or static MAC address bindings. If the switch does not have IP Source Guard enabled on all user-facing or untrusted VLANs, this is a finding.

Fix Text

Configure the switch to have IP Source Guard enabled on all user-facing or untrusted VLANs. set vlans <untrusted VLAN name> vlan-id <VLAN ID> set vlans <untrusted VLAN name> forwarding-options dhcp-security ip-source-guard

Additional Identifiers

Rule ID: SV-253960r843913_rule

Vulnerability ID: V-253960

Group Title: SRG-NET-000362-L2S-000026

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-002355

The information system enforces access control decisions based on organization-defined security attributes that do not include the identity of the user or process acting on behalf of the user.
CCI-002385

The information system protects against or limits the effects of organization-defined types of denial of service attacks by employing organization-defined security safeguards.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AC-24 (2)

No User Or Process Identity
SC-5

Denial Of Service Protection