An error occurred:

Check: JUEX-RT-000160

Juniper EX Series Switches Router STIG: JUEX-RT-000160 (in versions v1 r3 through v1 r1)

Title

The Juniper router must be configured to have all inactive interfaces disabled. (Cat III impact)

Discussion

An inactive interface is rarely monitored or controlled and may expose a network to an undetected attack on that interface. Unauthorized personnel with access to the communication facility could gain access to a router by connecting to a configured interface that is not in use. If an interface is no longer used, the configuration must be deleted and the interface disabled. For logical interfaces, delete those that are on inactive interfaces and delete logical interfaces that are themselves inactive. If the logical interface is no longer necessary for authorized communications, it must be deleted.

Check Content

Review the router configuration and verify unused interfaces are not configured (implicitly disabled) or are explicitly disabled. If explicitly disabling interfaces, verify multiple interfaces are disabled with the "interface-range" command or separately at each interface declaration. [edit interfaces] interface-range DISABLED_INTERFACES { member <interface name>; member-range <first interface> to <last interface>; disable; } <interface name> { disable; } Note: Individually disabled interfaces should not be included in any "interface-range" stanza. The "member-range" directive assigns the configured parameter(s) to contiguously numbered interfaces. Junos lists interfaces in order so a "missing" interface is not enabled. For instance, if ge-0/0/0 and ge-0/0/2 are configured, but there is no individual ge-0/0/1 stanza and that interface is not a member of an interface-range, then ge-0/0/1 is implicitly disabled. If an interface is not being used but is configured or enabled, this is a finding.

Fix Text

Disable inactive interfaces. delete interfaces <interface name> -or- set interfaces <interface name> disable -or- set interfaces interface-range DISABLED_INTERFACES member <interface name> set interfaces interface-range DISABLED_INTERFACES member-range <first interface name> to <last interface name> set interfaces interface-range DISABLED_INTERFACES disable

Additional Identifiers

Rule ID: SV-253988r843997_rule

Vulnerability ID: V-253988

Group Title: SRG-NET-000019-RTR-000007

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001414

The information system enforces approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AC-4

Information Flow Enforcement