Check: JUEX-RT-000640
Juniper EX Series Switches Router STIG:
JUEX-RT-000640
(in versions v1 r3 through v1 r1)
Title
The Juniper router must be configured to have Internet Control Message Protocol (ICMP) redirects disabled on all external interfaces. (Cat II impact)
Discussion
The ICMP supports IP traffic by relaying information about paths, routes, and network conditions. Routers automatically send ICMP messages under a wide variety of conditions. Redirect ICMP messages are commonly used by attackers for network mapping and diagnosis.
Check Content
Review the device configuration to determine if controls have been defined to ensure the router does not send ICMP Redirect messages out to any external interfaces. Verify the global "no-redirects" statement is enabled under [edit system] or that individual interface "no-redirects" statements are configured on external interfaces. [edit system] no-redirects; [edit interfaces] <external interface name> { unit <number> { family inet { no-redirects; address <IPv4 address>.<mask>; } family inet6 { no-redirects; address <IPv6 address>.<prefix>; } } } If ICMP Redirect messages are enabled on any external interfaces, this is a finding.
Fix Text
Disable ICMP redirects on all external interfaces. set system no-redirects set interfaces <external interface name> unit <number> family inet no-redirects set interfaces <external interface name> unit <number> family inet6 no-redirects
Additional Identifiers
Rule ID: SV-254036r844141_rule
Vulnerability ID: V-254036
Group Title: SRG-NET-000362-RTR-000115
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-002355 |
The information system enforces access control decisions based on organization-defined security attributes that do not include the identity of the user or process acting on behalf of the user. |
| CCI-002385 |
The information system protects against or limits the effects of organization-defined types of denial of service attacks by employing organization-defined security safeguards. |