Check: JUNI-RT-000170
Juniper Router RTR STIG:
JUNI-RT-000170
(in versions v2 r4 through v1 r0.1)
Title
The Juniper router must be configured to have Internet Control Message Protocol (ICMP) unreachable messages disabled on all external interfaces. (Cat II impact)
Discussion
ICMP supports IP traffic by relaying information about paths, routes, and network conditions. Routers automatically send ICMP messages under a wide variety of conditions. Host unreachable ICMP messages are commonly used by attackers for network mapping and diagnosis: a destination unreachable reply confirms that a router sits on the path and reveals which addresses or ports it is filtering, whereas a silent drop gives the sender nothing to work with.
Check Content
Review the firewall hierarchy configuration to verify that all packets that are not permitted are silently dropped using the discard action, as shown in the configuration example below. In Junos, discard drops the packet silently, while the reject action drops it and returns an ICMP destination unreachable message (administratively prohibited by default), so a filter applied to an external interface must not use reject for denied traffic. Also confirm that the filter is actually applied as an input filter on each external interface, since an unapplied filter drops nothing.

    firewall {
        family inet {
            …
            …
            …
            filter FILTER_INBOUND {
                term ALLOW_XYZ {
                    from {
                        protocol xyz;
                    }
                    then accept;
                }
                …
                …
                …
                term DENY_BY_DEFAULT {
                    then {
                        log;
                        discard;
                    }
                }
            }
        }
    }

If ICMP unreachable notifications are sent for packets that are dropped, this is a finding.
Fix Text
[edit firewall family inet]
set filter FILTER_INBOUND term DENY_BY_DEFAULT then log discard
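The Check Content and Fix Text above can be applied mechanically to a saved configuration. The following Python script is an added example, not part of the STIG or of any Juniper tooling. It assumes the configuration is supplied in set syntax (the output of `show configuration | display set`), that the operator supplies the list of external logical interfaces (the STIG does not define how to identify them), and that filters live under `firewall family inet` and are applied with `family inet filter input`, matching the Fix Text hierarchy. The sample configuration embedded in it is constructed for the example.

```python
"""Audit a Junos configuration for JUNI-RT-000170 (added example).

Assumptions (not from the STIG):
  - configuration supplied in set syntax ('show configuration | display set');
  - the operator names the external logical interfaces (e.g. "ge-0/0/0.0");
  - filters are under 'firewall family inet' and applied as
    'family inet filter input'.
Junos evaluates filter terms top to bottom; 'discard' drops silently,
'reject' drops and returns an ICMP destination-unreachable message.
"""
import re
from collections import OrderedDict

TERM_ACTION = re.compile(
    r"^set firewall family inet filter (?P<filter>\S+) term (?P<term>\S+) then (?P<action>.+)$")
TERM_MATCH = re.compile(
    r"^set firewall family inet filter (?P<filter>\S+) term (?P<term>\S+) from ")
INPUT_FILTER = re.compile(
    r"^set interfaces (?P<ifd>\S+) unit (?P<unit>\d+) family inet filter input (?P<filter>\S+)$")

# Constructed sample: the inbound filter's default term uses 'reject',
# which sends ICMP unreachable for every packet it drops.
SAMPLE_CONFIG = """\
set interfaces ge-0/0/0 unit 0 family inet filter input FILTER_INBOUND
set interfaces ge-0/0/1 unit 0 family inet filter input FILTER_LAN
set firewall family inet filter FILTER_INBOUND term ALLOW_BGP from protocol tcp
set firewall family inet filter FILTER_INBOUND term ALLOW_BGP from port bgp
set firewall family inet filter FILTER_INBOUND term ALLOW_BGP then accept
set firewall family inet filter FILTER_INBOUND term DENY_BY_DEFAULT then log
set firewall family inet filter FILTER_INBOUND term DENY_BY_DEFAULT then reject
set firewall family inet filter FILTER_LAN term ALLOW_ALL then accept
"""
EXTERNAL_INTERFACES = ["ge-0/0/0.0"]  # assumed: ge-0/0/0 faces the outside


def parse_set_config(text):
    """Return (filters, inputs).

    filters: {name: {term: [action, ...]}} in configuration order
    inputs:  {"ge-0/0/0.0": filter_name} for each inet input filter
    """
    filters = OrderedDict()
    inputs = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = INPUT_FILTER.match(line)
        if m:
            inputs[f"{m['ifd']}.{m['unit']}"] = m["filter"]
            continue
        m = TERM_ACTION.match(line)
        if m:
            filters.setdefault(m["filter"], OrderedDict()) \
                   .setdefault(m["term"], []).append(m["action"])
            continue
        m = TERM_MATCH.match(line)
        if m:  # a 'from' line creates the term even before its 'then' lines
            filters.setdefault(m["filter"], OrderedDict()).setdefault(m["term"], [])
    return filters, inputs


def _verb(action):
    # 'reject administratively-prohibited' -> 'reject'
    return action.split()[0]


def audit(text, external_interfaces):
    """Apply the check to each external interface; [] means compliant."""
    filters, inputs = parse_set_config(text)
    findings = []
    for ifl in external_interfaces:
        name = inputs.get(ifl)
        if name is None:
            findings.append(f"NOTE: {ifl}: no inet input filter applied, check cannot be verified")
            continue
        terms = filters.get(name, OrderedDict())
        for term, actions in terms.items():
            for act in actions:
                if _verb(act) == "reject":
                    findings.append(
                        f"FINDING: {ifl}: filter {name} term {term} uses 'then {act}', "
                        "which sends ICMP unreachable for dropped packets")
        last_actions = list(terms.values())[-1] if terms else []
        if not any(_verb(a) == "discard" for a in last_actions):
            findings.append(
                f"NOTE: {ifl}: filter {name} has no explicit terminal 'discard' term")
    return findings


def fix_commands(filter_name, term, actions):
    """Set-mode commands turning a reject term into the Fix Text's silent
    log+discard term (log and discard given here as two statements)."""
    base = f"firewall family inet filter {filter_name} term {term} then"
    cmds = [f"delete {base} {act}" for act in actions if _verb(act) == "reject"]
    cmds.append(f"set {base} log")
    cmds.append(f"set {base} discard")
    return cmds


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, EXTERNAL_INTERFACES):
        print(finding)
    print("\n".join(fix_commands("FILTER_INBOUND", "DENY_BY_DEFAULT", ["log", "reject"])))
```

Run against the constructed sample, the script reports the reject term on the external interface as a finding and notes that the filter lacks an explicit discard term; after the reject line is replaced with discard, the same audit returns nothing. The "no explicit terminal discard" result is reported as a note rather than a finding because Junos discards unmatched packets silently by default; the explicit term in the Fix Text mainly adds the log action.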
Additional Identifiers
Rule ID: SV-217022r604135_rule
Vulnerability ID: V-217022
Group Title: SRG-NET-000362-RTR-000113
Expert Comments
CCIs
Number | Definition
---|---
CCI-002385 | The information system protects against or limits the effects of organization-defined types of denial of service attacks by employing organization-defined security safeguards.
Controls
Number | Title
---|---
SC-5 | Denial Of Service Protection