Check: JUNI-RT-000410
Juniper Router RTR STIG:
JUNI-RT-000410
(in versions v3 r1 through v1 r0.1)
Title
The Juniper out-of-band management (OOBM) gateway router must be configured to have separate IGP instances for the managed network and management network. (Cat II impact)
Discussion
If the gateway router is not a dedicated device for the OOBM network, implementation of several safeguards for containment of management and production traffic boundaries must occur. Since the managed and management network are separate routing domains, configuration of separate Interior Gateway Protocol routing instances is critical on the router to segregate traffic from each network.
Check Content
This requirement is not applicable for the DoDIN Backbone. Verify that the OOBM interface is an adjacency in the IGP domain for the management network via separate VRF as shown in the example below. } protocols { ospf { area 0.0.0.0 { interface ge-2/0/0; interface ge-2/1/0; } } } routing-instances { VRF_MGMT { instance-type vrf; interface ge-1/0/0; interface ge-1/1/0; route-distinguisher 10.1.12.0:12; vrf-target { import target:1234:4567; export target:1234:4567; } routing-options { router-id 11.11.11.11; } protocols { ospf { area 0.0.0.0 { interface ge-1/0/0; interface ge-1/1/0; } } } } } If the router is not configured to have separate IGP instances for the managed network and management network, this is a finding.
Fix Text
This requirement is not applicable for the DoDIN Backbone. Configure the router to have a separate IGP instance for the management network as shown in the example below. [edit routing-instances] set VRF_MGMT instance-type vrf set VRF_MGMT route-distinguisher 10.1.12.0:12 set VRF_MGMT vrf-target import target:1234:4567 set VRF_MGMT vrf-target export target:1234:4567 set VRF_MGMT interface ge-1/0/0 set VRF_MGMT interface ge-1/1/0 set VRF_MGMT protocols ospf area 0.0.0.0 interface ge-1/0/0 set VRF_MGMT protocols ospf area 0.0.0.0 interface ge-1/1/0 set VRF_MGMT routing-options router-id 11.11.11.11
Additional Identifiers
Rule ID: SV-217046r604135_rule
Vulnerability ID: V-217046
Group Title: SRG-NET-000019-RTR-000011
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001414 |
Enforce approved authorizations for controlling the flow of information between connected systems based on organization-defined information flow control policies. |
Controls
Number | Title |
---|---|
AC-4 |
Information Flow Enforcement |