Check: JUEX-RT-000600
Juniper EX Series Switches Router STIG:
JUEX-RT-000600
(in versions v1 r3 through v1 r1)
Title
The Juniper router must be configured to have Gratuitous ARP disabled on all external interfaces. (Cat II impact)
Discussion
A gratuitous ARP is an ARP broadcast in which the source and destination MAC addresses are the same. It is used to inform the network about a host IP address. A spoofed gratuitous ARP message can cause network mapping information to be stored incorrectly, causing network malfunction.
Check Content
Review the configuration to determine if gratuitous ARP is disabled on all external interfaces. [edit interfaces] <external interface> { no-gratuitous-arp-reply; no-gratuitous-arp-request; unit <number> { family inet { address <IPv4 address>/<mask>; } family inet6 { address <IPv6 address>/<mask>; } } } If gratuitous ARP is enabled on any external interface, this is a finding.
Fix Text
Disable gratuitous ARP on all external interfaces. set interfaces <external interface> no-gratuitous-arp-reply set interfaces <external interface> no-gratuitous-arp-request set interfaces <external interface> unit <number> family inet address <IPv4 address>/<mask> set interfaces <external interface> unit <number> family inet6 address <IPv6 address>/<prefix>
Additional Identifiers
Rule ID: SV-254032r844129_rule
Vulnerability ID: V-254032
Group Title: SRG-NET-000362-RTR-000111
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-002355 |
The information system enforces access control decisions based on organization-defined security attributes that do not include the identity of the user or process acting on behalf of the user. |
| CCI-002385 |
The information system protects against or limits the effects of organization-defined types of denial of service attacks by employing organization-defined security safeguards. |