Check: JUNI-RT-000180
Juniper Router RTR STIG: JUNI-RT-000180 (in versions v2 r4 through v1 r1)
Title
The Juniper router must be configured to have Internet Control Message Protocol (ICMP) mask reply messages disabled on all external interfaces. (Cat II impact)
Discussion
The ICMP supports IP traffic by relaying information about paths, routes, and network conditions. Routers automatically send ICMP messages under a wide variety of conditions. Mask Reply ICMP messages are commonly used by attackers for network mapping and diagnosis.
Check Content
Junos has no interface-level command that stops the router from replying to an ICMP Mask Request message destined to it. Consequently, to ensure that the router does not send any ICMP Mask Reply message in response to an ICMP Mask Request, include a term statement in the routing engine filter to silently drop any ICMP Mask Requests sent to it, as shown in the example below.

```
firewall {
    family inet {
        …
        …
        …
        }
        filter DESTINED_TO_RE {
            term ALLOW_XYZ {
                from {
                    protocol xyz;
                }
                then accept;
            }
            …
            …
            …
            }
            term DENY_MASK_REQUEST {
                from {
                    protocol icmp;
                    icmp-type mask-request;
                }
                then {
                    discard;
                }
            }
            term ICMP_ANY {
                from {
                    protocol icmp;
                }
                then accept;
            }
            term DENY_BY_DEFAULT {
                then {
                    log;
                    discard;
                }
            }
        }
    }
}
```

If the router is not configured to silently drop all ICMP Mask Reply messages destined to the router, this is a finding.
Fix Text
Configure the filter protecting the routing engine to silently drop all ICMP Mask Request messages destined to the router.

```
[edit firewall family inet filter DESTINED_TO_RP]
set term DENY_MASK_REQUEST from protocol icmp icmp-type mask-request
set term DENY_MASK_REQUEST then discard
insert term DENY_MASK_REQUEST before term ALLOW_ICMP
```
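The check above depends on term order and on the terminating action, which can be verified offline from `show configuration | display set` output. The following is an added example, not part of the STIG or Juniper tooling; the function name `audit_mask_request` and the sample configurations are assumptions constructed for illustration.

```python
import re

# Matches one line of `show configuration | display set` output for an inet filter term.
TERM_RE = re.compile(
    r"^set firewall family inet filter (\S+) term (\S+) (from|then) (\S+)\s*(.*)$")

def audit_mask_request(set_lines, filter_name):
    """Return (verdict, term_name) for an ICMP mask request evaluated by the filter."""
    terms = {}  # insertion order = term evaluation order
    for line in set_lines:
        m = TERM_RE.match(line.strip())
        if not m or m.group(1) != filter_name:
            continue
        _, name, part, key, value = m.groups()
        term = terms.setdefault(name, {"from": {}, "then": []})
        if part == "from":
            term["from"].setdefault(key, set()).add(value)
        else:
            term["then"].append(key)
    for name, term in terms.items():
        conds = term["from"]
        if "protocol" in conds and not conds["protocol"] & {"icmp", "1"}:
            continue  # term cannot match ICMP
        if "icmp-type" in conds and not conds["icmp-type"] & {"mask-request", "17"}:
            continue  # term matches other ICMP types only
        if set(conds) - {"protocol", "icmp-type"}:
            return ("REVIEW", name)  # extra match conditions need a manual look
        if "next" in term["then"]:
            continue  # `then next term` keeps evaluating
        # No terminating action (or modifiers only) means Junos accepts the packet.
        action = next((a for a in term["then"] if a in ("accept", "discard", "reject")), "accept")
        # `reject` answers the sender, so only `discard` counts as a silent drop.
        return ("PASS" if action == "discard" else "FINDING", name)
    return ("PASS", None)  # implicit discard at the end of every filter

P = "set firewall family inet filter DESTINED_TO_RE term "
# Constructed sample configurations, not taken from a real device.
COMPLIANT = [P + "DENY_MASK_REQUEST from protocol icmp",
             P + "DENY_MASK_REQUEST from icmp-type mask-request",
             P + "DENY_MASK_REQUEST then discard",
             P + "ICMP_ANY from protocol icmp", P + "ICMP_ANY then accept",
             P + "DENY_BY_DEFAULT then log", P + "DENY_BY_DEFAULT then discard"]
MISORDERED = COMPLIANT[3:5] + COMPLIANT[:3] + COMPLIANT[5:]  # ICMP_ANY evaluated first
NO_ACTION = COMPLIANT[:2] + COMPLIANT[3:]  # DENY term lacks `then discard`

if __name__ == "__main__":
    for label, cfg in [("compliant", COMPLIANT), ("misordered", MISORDERED), ("no action", NO_ACTION)]:
        print(label, audit_mask_request(cfg, "DESTINED_TO_RE"))
```

A `REVIEW` verdict means the first candidate term carries additional match conditions (for example a source address) that this sketch does not evaluate.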
Additional Identifiers
Rule ID: SV-217023r604135_rule
Vulnerability ID: V-217023
Group Title: SRG-NET-000362-RTR-000114
CCIs
Number | Definition |
---|---|
CCI-002385 | The information system protects against or limits the effects of organization-defined types of denial of service attacks by employing organization-defined security safeguards. |
Controls
Number | Title |
---|---|
SC-5 | Denial Of Service Protection |