Check: JUNI-RT-000930
Juniper Router RTR STIG:
JUNI-RT-000930
(in versions v3 r1 through v1 r0.1)
Title
The Juniper Multicast Source Discovery Protocol (MSDP) router must be configured to limit the amount of source-active messages it accepts on per-peer basis. (Cat III impact)
Discussion
To reduce any risk of a denial-of-service (DoS) attack from a rogue or misconfigured MSDP router, the router must be configured to limit the number of source-active messages it accepts from each peer.
Check Content
Review the router configuration to determine if it is configured to limit the amount of source-active messages it accepts on a per-peer basis. protocols { … … … } msdp { export SA_EXPORT; import SA_IMPORT; group AS25 { peer x.x.x.x { active-source-limit { maximum nnn; } If the router is not configured to limit the source-active messages it accepts, this is a finding.
Fix Text
Configure the router to limit the amount of source-active messages it accepts from each peer. [edit protocols msdp group AS25 peer x.x.x.x] set active-source-limit maximum nnn
Additional Identifiers
Rule ID: SV-217097r604135_rule
Vulnerability ID: V-217097
Group Title: SRG-NET-000018-RTR-000009
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001368 |
Enforce approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies. |
Controls
Number | Title |
---|---|
AC-4 |
Information Flow Enforcement |