Check: JUNI-RT-000890
Juniper Router RTR STIG:
JUNI-RT-000890
(in versions v3 r1 through v1 r0.1)
Title
The Juniper Multicast Source Discovery Protocol (MSDP) router must be configured to only accept MSDP packets from known MSDP peers. (Cat II impact)
Discussion
MSDP peering with customer network routers presents additional risks to the DISN Core, whether from a rogue or misconfigured MSDP-enabled router. To guard against an attack from malicious MSDP traffic, the receive path or interface filter for all MSDP-enabled RP routers must be configured to only accept MSDP packets from known MSDP peers.
Check Content
Review the router configuration to determine if there is a receive path or interface filter to only accept MSDP packets from known MSDP peers. Verify that the loopback has been configured to filter packets destined to the routing engine as shown in the example below. interfaces { … … … } lo0 { unit 0 { family inet { filter { input PROTECT_RE; } address 2.2.2.2/32; } } } } Verify that the filter is configured to only accept MSDP packets from known MSDP peers as shown in the example below. firewall { family inet { filter PROTECT_RE { term MSDP_PEERS { from { source-address { 0.0.0.0/0; 1.1.1.1/32 except; 5.5.5.5/32 except; } protocol tcp; port msdp; } then { discard; } } term ALLOW_OTHER { then accept; } } } } If the router is not configured to only accept MSDP packets from known MSDP peers, this is a finding.
Fix Text
Configure the receive path filter to only accept MSDP packets from known MSDP peers as shown in the following example: [edit firewall family inet filter PROTECT_RE] set term MSDP_PEERS from protocol tcp port msdp set term MSDP_PEERS from source-address 0.0.0.0/0 set term MSDP_PEERS from source-address 1.1.1.1/32 except set term MSDP_PEERS from source-address 5.5.5.5/32 except set term MSDP_PEERS then discard set term ALLOW_OTHER then accept Apply the filter to the loopback interface. [edit interfaces lo0 unit 0 family inet] set filter input PROTECT_RE
Additional Identifiers
Rule ID: SV-217093r855911_rule
Vulnerability ID: V-217093
Group Title: SRG-NET-000364-RTR-000116
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002403 |
Only allow incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations. |
Controls
Number | Title |
---|---|
SC-7(11) |
Restrict Incoming Communications Traffic |