4.12.2 Ensure LLDP-MED is Disabled if not Required

Information

LLDP-MED should be disabled when not required

Rationale:

The Link Layer Discovery Protocol (LLDP) is a vendor-neutral and widely supported standard used for network devices to advertise information about their capabilities, identity, software and management details to other network devices on the LAN. LLDP is specified in the IEEE 802.1AB-2005 standard.

Link Layer Discovery Protocol - Media Endpoint Discovery (LLDP-MED) is an extension of LLDP published by the Telecommunications Industry Association (TIA) in the ANSI/TIA-1057 standard. LLDP-MED is primarily used to enable Voice over IP (VoIP) services by adding additional Type-Length-Value (TLV) data structures to the existing LLDPDU Ethernet Frames sent by LLDP. This information may include:

Detailed information about Power Supply Type, Source and Priority (in the ext-power-via-mdi TLV)

The physical location of the endpoint (configured via Emergency Location Identification Number (ELIN) or Geographic Location, in the location-id TLV)

The Network Policy (VLAN configuration, DiffServ code points, in the network-policy TLV).

This information may be vital to provision of VoIP or other Media services, or when documenting/troubleshooting the network; but is also extremely useful to a potential attacker, either directly connected to the device or having compromised a neighbouring device.

To reduce the information given to a potential attacker, in high security environments LLDP-MED should be disabled where it is not absolutely required for normal operation. Like LLDP, LLDP-MED can either be disabled globally, or on a per interface basis (for example, leaving LLDP-MED enabled on access ports where it may be used for PoE or VoIP applications, but disabling it on infrastructure links or connections to untrusted networks).

LLDP-MED is not supported on all Junos device types, as it is primarily concerned with communication with VoIP Phones at the Access Layer. At present LLDP-MED is supported on:

EX Series Access Switches (2200, 2300, 3300, 3400, 4200, 4300) (LLDP-MED enabled for all ports by default)

Branch/Mid-Range and Virtual SRX Firewalls (SRX100-650, SRX1500, vSRX) (LLDP-MED disabled by default)

NFX150 Network Services Platform (Virtual CPE) (defaults not clear)

Impact:

LLDP-MED is commonly used to support VoIP devices; disabling LLDP or LLDP-MED on the interfaces serving those devices may result in service disruption.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

To turn off LLDP-MED globally for all interfaces, issue the following command from the [edit protocols] configuration hierarchy:

[edit protocols]
user@host# set lldp-med interface all disable

Sending of LLDP-MED LLDPDUs will be disabled, while any other LLDP-MED related configuration will be retained (but ignored).

Alternatively, you may wish to disable LLDP-MED on a per-interface basis by issuing the following commands from the [edit protocols] configuration hierarchy. To disable LLDP-MED for a specific interface, leaving LLDP-MED enabled for all others:

[edit protocols]
user@host# set lldp-med interface <interface name> disable

Or to disable LLDP-MED for all interfaces and allow only for specific ports:

[edit protocols]
user@host# set lldp-med interface all disable
user@host# set lldp-med interface <interface name>

This procedure should be repeated for all Routing Instances/Logical Systems where LLDP-MED is configured but not required.
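The following audit helper is an added example, not part of the CIS benchmark or of Junos. It assumes the configuration is supplied in "| display set" form, applies the precedence the procedure above relies on (an explicit "interface <name>" entry overrides "interface all", which overrides the platform default), and reports ports that still advertise LLDP-MED although they are not in the list of ports where it is required. The platform defaults are the ones stated on this page; the sample configuration and port names are constructed.

```python
import re
from typing import Dict, Iterable, List

# Matches the "| display set" form of the lldp-med stanza, e.g.
#   set protocols lldp-med interface all disable
#   set protocols lldp-med interface ge-0/0/1
SET_RE = re.compile(r"^set protocols lldp-med interface (\S+)( disable)?$")

# Platform defaults as stated in the benchmark text (NFX150 is omitted
# because the benchmark says its defaults are not clear).
DEFAULT_ENABLED = {"EX": True, "SRX": False, "vSRX": False}


def lldp_med_state(config_lines: Iterable[str], interfaces: List[str],
                   platform: str) -> Dict[str, bool]:
    """Return {interface: True} where LLDP-MED is effectively enabled.

    Precedence (most specific wins): an explicit "interface <name>" entry,
    then the "interface all" entry, then the platform default.
    """
    if platform not in DEFAULT_ENABLED:
        raise ValueError(f"no known LLDP-MED default for platform {platform!r}")
    base = DEFAULT_ENABLED[platform]
    explicit: Dict[str, bool] = {}
    for raw in config_lines:
        m = SET_RE.match(raw.strip())
        if not m:
            continue  # unrelated configuration line
        name, enabled = m.group(1), m.group(2) is None
        if name == "all":
            base = enabled
        else:
            explicit[name] = enabled
    return {ifname: explicit.get(ifname, base) for ifname in interfaces}


def not_required_but_enabled(config_lines: Iterable[str], interfaces: List[str],
                             platform: str, required: List[str]) -> List[str]:
    """Ports that still advertise LLDP-MED although it is not required there."""
    state = lldp_med_state(list(config_lines), interfaces, platform)
    return sorted(i for i, on in state.items() if on and i not in required)


# Constructed sample: EX access switch with one phone port (ge-0/0/1),
# one spare access port and one uplink; hypothetical names.
SAMPLE_CONFIG = [
    "set protocols lldp-med interface all disable",
    "set protocols lldp-med interface ge-0/0/1",
    "set protocols lldp-med interface ge-0/0/2 disable",
]
SAMPLE_PORTS = ["ge-0/0/1", "ge-0/0/2", "xe-0/1/0"]

if __name__ == "__main__":
    print(lldp_med_state(SAMPLE_CONFIG, SAMPLE_PORTS, "EX"))
    print(not_required_but_enabled([], SAMPLE_PORTS, "EX", ["ge-0/0/1"]))
```

With an empty configuration the helper falls back to the platform default, so on an EX switch every port is reported as enabled until the "interface all disable" line is present.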

Default Value:

LLDP-MED is enabled by default on EX Series switches and disabled by default on the other supported platforms.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7b., CSCv7|9

Plugin: Juniper

Control ID: c634959f4e63fdb3ff766cdb0410e27b0284a6db2d126c8a3bd5fbf1e8fafeaf