Title

The Juniper perimeter router must be configured to not be a Border Gateway Protocol (BGP) peer to an approved gateway service provider. (Cat I impact)

Discussion

Internet service providers (ISPs) use BGP to share route information with other autonomous systems (i.e., other ISPs and corporate networks). If the perimeter router was configured to BGP peer with an ISP, NIPRNet routes could be advertised to the ISP, thereby creating a backdoor connection from the internet to the NIPRNet.

Check Content

This requirement is not applicable for the DODIN backbone. Review the protocols hierarchy in the router configuration (see example below) and verify no BGP neighbors are configured to a peer AS that belongs to the approved gateway service provider. protocols { bgp { group AS_2 { type external; peer-as 2; neighbor x.x.x.x { authentication-algorithm hmac-sha-1-96; authentication-key-chain BGP_KEY; } neighbor x.x.x.x { authentication-algorithm hmac-sha-1-96; authentication-key-chain BGP_KEY; } } } If BGP neighbors are connecting to a peer AS of the approved gateway service provider, this is a finding.

Fix Text

This requirement is not applicable for the DODIN backbone. Configure a static route on the perimeter router to reach the AS of a router connecting to an approved gateway as shown in the example below. [edit routing-options] set static route 0.0.0.0/0 next-hop x.x.x.x

Additional Identifiers

Rule ID: SV-217034r1050849_rule

Vulnerability ID: V-217034

Group Title: SRG-NET-000019-RTR-000009

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.