An error occurred:

Check: JUNI-RT-000410

Juniper Router RTR STIG: JUNI-RT-000410 (in versions v2 r4 through v1 r0.1)

Title

The Juniper out-of-band management (OOBM) gateway router must be configured to have separate IGP instances for the managed network and management network. (Cat II impact)

Discussion

If the gateway router is not a dedicated device for the OOBM network, implementation of several safeguards for containment of management and production traffic boundaries must occur. Since the managed and management network are separate routing domains, configuration of separate Interior Gateway Protocol routing instances is critical on the router to segregate traffic from each network.

Check Content

This requirement is not applicable for the DoDIN Backbone. Verify that the OOBM interface is an adjacency in the IGP domain for the management network via separate VRF as shown in the example below. } protocols { ospf { area 0.0.0.0 { interface ge-2/0/0; interface ge-2/1/0; } } } routing-instances { VRF_MGMT { instance-type vrf; interface ge-1/0/0; interface ge-1/1/0; route-distinguisher 10.1.12.0:12; vrf-target { import target:1234:4567; export target:1234:4567; } routing-options { router-id 11.11.11.11; } protocols { ospf { area 0.0.0.0 { interface ge-1/0/0; interface ge-1/1/0; } } } } } If the router is not configured to have separate IGP instances for the managed network and management network, this is a finding.

Fix Text

This requirement is not applicable for the DoDIN Backbone. Configure the router to have a separate IGP instance for the management network as shown in the example below. [edit routing-instances] set VRF_MGMT instance-type vrf set VRF_MGMT route-distinguisher 10.1.12.0:12 set VRF_MGMT vrf-target import target:1234:4567 set VRF_MGMT vrf-target export target:1234:4567 set VRF_MGMT interface ge-1/0/0 set VRF_MGMT interface ge-1/1/0 set VRF_MGMT protocols ospf area 0.0.0.0 interface ge-1/0/0 set VRF_MGMT protocols ospf area 0.0.0.0 interface ge-1/1/0 set VRF_MGMT routing-options router-id 11.11.11.11

Additional Identifiers

Rule ID: SV-217046r604135_rule

Vulnerability ID: V-217046

Group Title: SRG-NET-000019-RTR-000011

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001414

The information system enforces approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AC-4

Information Flow Enforcement