An error occurred:

Check: JUEX-RT-000180

Juniper EX Series Switches Router STIG: JUEX-RT-000180 (in versions v1 r3 through v1 r1)

Title

The Juniper perimeter router must not be configured to be a Border Gateway Protocol (BGP) peer to an alternate gateway service provider. (Cat I impact)

Discussion

ISPs use BGP to share route information with other autonomous systems (i.e., other ISPs and corporate networks). If the perimeter router was configured to BGP peer with an ISP, NIPRNet routes could be advertised to the ISP; thereby creating a backdoor connection from the internet to the NIPRNet.

Check Content

This requirement is not applicable for the DODIN Backbone. Review the configuration of the router connecting to the alternate gateway. Review the [edit protocols bgp] hierarchy and verify there are no BGP neighbors configured to the remote AS that belongs to the alternate gateway service provider. For example: [edit protocols bgp] group eBGP { type external; peer-as 2; neighbor <address-1> { <bgp neighbor configuration>; } neighbor <address-2> { <bgp neighbor configuration>; } } Note: Neither neighbor can belong to a peer AS belonging to the alternate gateway service provider. Verify static routing to the peer AS belonging to the alternate gateway service provider. For example: [edit routing-options] rib inet6.0 { static { route <peer AS IPv6 subnet>/<prefix> next-hop <peer AS router>; } } static { route <peer AS IPv4 subnet>/<mask> next-hop <peer AS router>; } If there are BGP neighbors connecting the remote AS of the alternate gateway service provider, this is a finding.

Fix Text

This requirement is not applicable for the DODIN Backbone. Remove BGP neighbors belonging to the alternate gateway service provider. delete protocols bgp group <name> neighbor <peer AS belonging to alternate gateway service provider> Configure a static route on the perimeter router to reach the AS of a router connecting to an alternate gateway. set routing-options rib inet6.0 static route <IPv6 subnet>/<prefix> next-hop <peer AS router> set routing-options static route <IPv4 subnet>/<mask> next-hop <peer AS router>

Additional Identifiers

Rule ID: SV-253990r844003_rule

Vulnerability ID: V-253990

Group Title: SRG-NET-000019-RTR-000009

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001414

The information system enforces approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AC-4

Information Flow Enforcement