An error occurred:

Check: JUEX-RT-000790

Juniper EX Series Switches Router STIG: JUEX-RT-000790 (in versions v1 r3 through v1 r1)

Title

The Juniper multicast Designated Router (DR) must be configured to filter the IGMP and MLD Report messages to allow hosts to join a multicast group only from sources that have been approved by the organization. (Cat II impact)

Discussion

Real-time multicast traffic can entail multiple large flows of data. Large unicast flows tend to be fairly isolated (i.e., someone downloading a file here or there), whereas multicast can have broader impact on bandwidth consumption, resulting in extreme network congestion. Hence, it is imperative that there is multicast admission control to restrict which multicast groups hosts are allowed to join via IGMP or MLD.

Check Content

Review the configuration of the DR to verify that it is filtering IGMP or MLD report messages, allowing hosts to only join multicast groups from sources that have been approved. Note: This requirement is only applicable to Source Specific Multicast (SSM) implementation. [edit policy-options] policy-statement <name> { term unauth-sources { from { source-address-filter <IPv4 address>/<mask> orlonger; } then reject; } term allow-others { then accept; } } policy-statement <name IPv6> { term unauth-sources { from { source-address-filter <IPv6 address>/<prefix> orlonger; } then reject; } term allow-others { then accept; } } [edit protocols] igmp { interface <name>/<logical unit> { group-policy <policy name>; } } mld { interface <name>/<logical unit> { group-policy <policy name IPv6>; } } If the DR is not filtering IGMP or MLD report messages, this is a finding.

Fix Text

Configure the DR to filter the IGMP and MLD report messages to allow hosts to join only those multicast groups from sources that have been approved. set policy-options policy-statement <name> term unauth-sources from source-address-filter <IPv4 address>/<mask> orlonger set policy-options policy-statement <name> term unauth-sources then reject set policy-options policy-statement <name> term accept-others then accept set policy-options policy-statement <name IPv6> term unauth-sources from source-address-filter <IPv6 address>/<prefix> orlonger set policy-options policy-statement <name IPv6> term unauth-sources then reject set policy-options policy-statement <name IPv6> term accept-others then accept set protocols igmp interface <name>.<logical unit> group-policy <policy name> set protocols mld interface <name>.<logical unit> group-policy <policy name IPv6>

Additional Identifiers

Rule ID: SV-254051r844263_rule

Vulnerability ID: V-254051

Group Title: SRG-NET-000364-RTR-000115

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-002373

The organization employs vulnerability scanning procedures that can identify the breadth and depth of coverage (i.e., information system components scanned and vulnerabilities checked).
CCI-002403

The information system only allows incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
RA-5 (3)

Breadth / Depth Of Coverage
SC-7 (11)

Restrict Incoming Communications Traffic