An error occurred:

Check: JUNI-RT-000890

Juniper Router RTR STIG: JUNI-RT-000890 (in versions v2 r4 through v1 r0.1)

Title

The Juniper Multicast Source Discovery Protocol (MSDP) router must be configured to only accept MSDP packets from known MSDP peers. (Cat II impact)

Discussion

MSDP peering with customer network routers presents additional risks to the DISN Core, whether from a rogue or misconfigured MSDP-enabled router. To guard against an attack from malicious MSDP traffic, the receive path or interface filter for all MSDP-enabled RP routers must be configured to only accept MSDP packets from known MSDP peers.

Check Content

Review the router configuration to determine if there is a receive path or interface filter to only accept MSDP packets from known MSDP peers. Verify that the loopback has been configured to filter packets destined to the routing engine as shown in the example below. interfaces { … … … } lo0 { unit 0 { family inet { filter { input PROTECT_RE; } address 2.2.2.2/32; } } } } Verify that the filter is configured to only accept MSDP packets from known MSDP peers as shown in the example below. firewall { family inet { filter PROTECT_RE { term MSDP_PEERS { from { source-address { 0.0.0.0/0; 1.1.1.1/32 except; 5.5.5.5/32 except; } protocol tcp; port msdp; } then { discard; } } term ALLOW_OTHER { then accept; } } } } If the router is not configured to only accept MSDP packets from known MSDP peers, this is a finding.

Fix Text

Configure the receive path filter to only accept MSDP packets from known MSDP peers as shown in the following example: [edit firewall family inet filter PROTECT_RE] set term MSDP_PEERS from protocol tcp port msdp set term MSDP_PEERS from source-address 0.0.0.0/0 set term MSDP_PEERS from source-address 1.1.1.1/32 except set term MSDP_PEERS from source-address 5.5.5.5/32 except set term MSDP_PEERS then discard set term ALLOW_OTHER then accept Apply the filter to the loopback interface. [edit interfaces lo0 unit 0 family inet] set filter input PROTECT_RE

Additional Identifiers

Rule ID: SV-217093r604135_rule

Vulnerability ID: V-217093

Group Title: SRG-NET-000364-RTR-000116

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-002403

The information system only allows incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
SC-7 (11)

Restrict Incoming Communications Traffic