Check: JUNI-RT-000520
Juniper Router RTR STIG:
JUNI-RT-000520
(in versions v2 r4 through v1 r0.1)
Title
The Juniper BGP router must be configured to reject outbound route advertisements for any prefixes belonging to the IP core. (Cat II impact)
Discussion
Outbound route advertisements belonging to the core can result in traffic either looping or being black holed, or at a minimum, using a non-optimized path.
Check Content
Review the router configuration to verify that there is a filter defined to block route advertisements for prefixes that belong to the IP core.

Verify a prefix list has been configured containing prefixes belonging to the local autonomous system as shown in the example below.

    policy-options {
        …
        prefix-list CORE_PREFIX {
            x.x.x.x/16;
        }

Verify that a policy has been configured to not advertise prefixes belonging to the core as shown in the example below.

    policy-options {
        …
        policy-statement BGP_ADVERTISE_POLICY {
            term EXCLUDE_CORE {
                from {
                    prefix-list CORE_PREFIX;
                }
                then reject;
            }
            term INCLUDE_OTHER {
                then accept;
            }
        }

Verify that the export statement as shown below references the advertise policy.

    protocols {
        bgp {
            group AS4 {
                type external;
                export BGP_ADVERTISE_POLICY;
                peer-as 4;
                neighbor x.x.x.x;
            }

If the router is not configured to reject outbound route advertisements that belong to the IP core, this is a finding.
Fix Text
Configure the router to filter outbound route advertisements belonging to the IP core.

Configure a prefix list containing prefixes belonging to the IP core.

    [edit policy-options]
    set prefix-list CORE_PREFIX x.x.x.x/16

Configure a policy-statement to filter BGP route advertisements that will exclude core prefixes.

    [edit policy-options]
    set policy-statement BGP_ADVERTISE_POLICY term EXCLUDE_CORE from prefix-list CORE_PREFIX
    set policy-statement BGP_ADVERTISE_POLICY term EXCLUDE_CORE then reject
    set policy-statement BGP_ADVERTISE_POLICY term INCLUDE_OTHER then accept

Configure an export statement referencing the advertise policy on all external BGP peer groups as shown in the example below.

    [edit protocols bgp group GROUP_AS4]
    set export BGP_ADVERTISE_POLICY
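The check and fix above describe a manual review. The following is an added example, not part of the STIG or of Juniper's tooling, that automates the same review over a Junos configuration exported in set-command format (as produced by "show configuration | display set"). It goes slightly beyond the check text in one respect: because Junos evaluates policy terms and export chains in order, it also flags the case where a catch-all accept term precedes the core reject term, which the manual check would otherwise pass on a name match alone. The prefix-list name (CORE_PREFIX) and all sample configurations are constructed for the example; only unconditional terms and terms matching solely on the core prefix-list are modelled.

```python
"""Automated review for JUNI-RT-000520 against a Junos config in set format.
Every group with 'type external' must export a policy chain in which the
first terminating action for the core prefix-list is 'reject'."""


def parse_set_lines(text):
    """Return the token list of every 'set ...' line, preserving file order."""
    return [line.split()[1:] for line in text.splitlines()
            if line.strip().startswith("set ")]


def prefix_lists(stmts):
    """Map prefix-list name -> set of prefixes (from 'set policy-options prefix-list NAME PFX')."""
    lists = {}
    for t in stmts:
        if t[:2] == ["policy-options", "prefix-list"] and len(t) >= 3:
            lists.setdefault(t[2], set())
            if len(t) >= 4:
                lists[t[2]].add(t[3])
    return lists


def policy_terms(stmts):
    """Map policy name -> dict of term name -> {'from': [...], 'then': [...]}.
    Dict insertion order preserves term order, which is the evaluation order."""
    policies = {}
    for t in stmts:
        if t[:2] != ["policy-options", "policy-statement"] or len(t) < 5 or t[3] != "term":
            continue
        pol, term, rest = t[2], t[4], t[5:]
        entry = policies.setdefault(pol, {}).setdefault(term, {"from": [], "then": []})
        if rest and rest[0] in ("from", "then"):
            entry[rest[0]].append(rest[1:])
    return policies


def core_disposition(terms, core_list):
    """First terminating action a core prefix hits in this policy: 'accept',
    'reject', or None if it falls through every term. Terms with other match
    conditions are assumed (for this example) not to match the core."""
    for conds in terms.values():
        matches = not conds["from"] or conds["from"] == [["prefix-list", core_list]]
        if not matches:
            continue
        for action in conds["then"]:
            if action in (["accept"], ["reject"]):
                return action[0]
    return None


def bgp_groups(stmts):
    """Map BGP group name -> {'type': str or None, 'export': [policies in chain order]}."""
    groups = {}
    for t in stmts:
        if t[:3] != ["protocols", "bgp", "group"] or len(t) < 5:
            continue
        g = groups.setdefault(t[3], {"type": None, "export": []})
        if t[4] == "type" and len(t) >= 6:
            g["type"] = t[5]
        elif t[4] == "export" and len(t) >= 6:
            g["export"].append(t[5])
    return groups


def check_core_export(config_text, core_list="CORE_PREFIX"):
    """Return a list of finding strings; an empty list means compliant."""
    stmts = parse_set_lines(config_text)
    findings = []
    if not prefix_lists(stmts).get(core_list):
        findings.append(f"prefix-list {core_list} missing or empty")
    policies = policy_terms(stmts)
    for name, g in bgp_groups(stmts).items():
        if g["type"] != "external":
            continue  # the control applies to external peer groups
        if not g["export"]:
            findings.append(f"external group {name} has no export policy")
            continue
        # Walk the export chain in order; the first terminating action wins.
        verdict = next((d for d in (core_disposition(policies.get(p, {}), core_list)
                                    for p in g["export"]) if d), None)
        if verdict != "reject":
            findings.append(f"external group {name} exports {g['export']} which "
                            f"{'accepts' if verdict else 'never explicitly rejects'} {core_list}")
    return findings


# Constructed sample configurations (not from any real device).
COMPLIANT = """
set policy-options prefix-list CORE_PREFIX 10.0.0.0/16
set policy-options policy-statement BGP_ADVERTISE_POLICY term EXCLUDE_CORE from prefix-list CORE_PREFIX
set policy-options policy-statement BGP_ADVERTISE_POLICY term EXCLUDE_CORE then reject
set policy-options policy-statement BGP_ADVERTISE_POLICY term INCLUDE_OTHER then accept
set protocols bgp group AS4 type external
set protocols bgp group AS4 export BGP_ADVERTISE_POLICY
set protocols bgp group AS4 peer-as 4
set protocols bgp group AS4 neighbor 192.0.2.1
set protocols bgp group IBGP type internal
"""
# Same policy, but the catch-all accept term is entered first: core leaks out.
BAD_ORDER = COMPLIANT.replace(
    "term EXCLUDE_CORE from", "term INCLUDE_OTHER then accept\n"
    "set policy-options policy-statement BGP_ADVERTISE_POLICY term EXCLUDE_CORE from")
# Policy defined but never applied to the external group.
NO_EXPORT = COMPLIANT.replace("set protocols bgp group AS4 export BGP_ADVERTISE_POLICY\n", "")

if __name__ == "__main__":
    for label, cfg in (("compliant", COMPLIANT), ("bad term order", BAD_ORDER), ("no export", NO_EXPORT)):
        print(label, "->", check_core_export(cfg) or "no findings")
```

The term-order case is the one worth keeping in mind when reviewing by eye: a policy whose terms are all present but ordered INCLUDE_OTHER before EXCLUDE_CORE looks complete in "show configuration" yet advertises the core, since the unconditional accept terminates evaluation first.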
Additional Identifiers
Rule ID: SV-217057r604135_rule
Vulnerability ID: V-217057
Group Title: SRG-NET-000205-RTR-000006
Expert Comments
CCIs
Number | Definition
---|---
CCI-001097 | The information system monitors and controls communications at the external boundary of the information system and at key internal boundaries within the system.
Controls
Number | Title
---|---
SC-7 | Boundary Protection