An error occurred:

Check: JUNI-RT-000490

Juniper Router RTR STIG: JUNI-RT-000490 (in versions v2 r4 through v1 r0.1)

Title

The Juniper BGP router must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS). (Cat II impact)

Discussion

Accepting route advertisements belonging to the local AS can result in traffic looping or being black holed, or at a minimum using a non-optimized path.

Check Content

Review the router configuration to verify that it will reject routes belonging to the local AS. Verify a prefix list has been configured containing prefixes belonging to the local autonomous system as shown in the example below. policy-options { … … … prefix-list OUR_PREFIXES { x.x.x.x/16; } Verify that a policy has been configured to reject the local prefixes. policy-options { … … … policy-statement FILTER_ROUTES { term REJECT_BOGONS { from { prefix-list BOGON_PREFIXES; } then reject; } term REJECT_OUR_PREFIXES { from { prefix-list OUR_PREFIXES; } then reject; } term ACCEPT_OTHER { then accept; } } } Verify that the configured policy to filter local prefixes has been applied to external BGP peers as shown in the example below. protocols { bgp { group GROUP_AS4 { type external; import FILTER_ROUTES; peer-as 4; neighbor x.x.x.x; } } If the router is not configured to reject inbound route advertisements belonging to the local AS, this is a finding.

Fix Text

Configure the router to reject inbound route advertisements for any prefixes belonging to the local AS. Configure a prefix list containing prefixes belonging to the local autonomous system. [edit policy-options] set prefix-list OUR_PREFIXES x.x.x.x/16 Configure a policy-statement to reject prefixes belonging to the local autonomous system. This can be done by adding a term to the existing policy to filter Bogons as shown in the example below. [edit policy-options policy-statement FILTER_ROUTES] set term REJECT_OUR_PREFIXES from prefix-list OUR_PREFIXES set term REJECT_OUR_PREFIXES then reject insert term REJECT_OUR_PREFIXES before term ACCEPT_OTHER Note: There is no need change the BGP configuration assuming the import statement is already configured for all external neighbors.

Additional Identifiers

Rule ID: SV-217054r604135_rule

Vulnerability ID: V-217054

Group Title: SRG-NET-000018-RTR-000003

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001368

The information system enforces approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AC-4

Information Flow Enforcement