An error occurred:

Check: JUEX-RT-000780

Juniper EX Series Switches Router STIG: JUEX-RT-000780 (in versions v1 r3 through v1 r1)

Title

The Juniper multicast Designated Router (DR) must be configured to filter the IGMP and MLD Report messages to allow hosts to join only multicast groups that have been approved by the organization. (Cat III impact)

Discussion

Real-time multicast traffic can entail multiple large flows of data. Large unicast flows tend to be fairly isolated (i.e., someone downloading a file here or there), whereas multicast can have broader impact on bandwidth consumption, resulting in extreme network congestion. Hence, it is imperative that there is multicast admission control to restrict which multicast groups hosts are allowed to join via IGMP or MLD.

Check Content

Review the configuration of the DR to verify that it is filtering IGMP or MLD report messages, allowing hosts to join only those groups that have been approved. Note: This requirement is only applicable to Source Specific Multicast (SSM) implementation. This requirement is not applicable to Any Source Multicast (ASM) since the filtering is being performed by the Rendezvous Point router. [edit policy-options] policy-statement <name> { term unauth-groups { from { route-filter 224.0.1.2/32 exact; route-filter 224.0.2.2/32 exact; } then reject; } term allow-others { then accept; } } policy-statement <name IPv6> { term unauth-groups { from { route-filter fec0:1:1:4::/64 exact; } then reject; } term allow-others { then accept; } } [edit protocols] igmp { interface <name>.<logical unit> { group-policy <policy name>; } } mld { interface <name>.<logical unit> { group-policy <policy name IPv6>; } } If the DR is not filtering IGMP or MLD report messages, this is a finding.

Fix Text

Configure the DR to filter the IGMP and MLD report messages to allow hosts to join only those multicast groups that have been approved. set policy-options policy-statement <name> term unauth-groups from route-filter 224.0.1.2/32 exact set policy-options policy-statement <name> term unauth-groups from route-filter 224.0.2.2/32 exact set policy-options policy-statement <name> term unauth-groups then reject set policy-options policy-statement <name> term accept-others then accept set policy-options policy-statement <name IPv6> term unauth-groups from route-filter fec0:1:1:4::/64 exact set policy-options policy-statement <name IPv6> term unauth-groups then reject set policy-options policy-statement <name IPv6> term accept-others then accept set protocols igmp interface <name>.<logical unit> group-policy <policy name> set protocols mld interface <name>.<logical unit> group-policy <policy name IPv6>

Additional Identifiers

Rule ID: SV-254050r844262_rule

Vulnerability ID: V-254050

Group Title: SRG-NET-000364-RTR-000114

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-002373

The organization employs vulnerability scanning procedures that can identify the breadth and depth of coverage (i.e., information system components scanned and vulnerabilities checked).
CCI-002403

The information system only allows incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
RA-5 (3)

Breadth / Depth Of Coverage
SC-7 (11)

Restrict Incoming Communications Traffic