Detections
Analytics

JUEX-L2-000040 - The Juniper EX switch must be configured to manage excess bandwidth to limit the effects of packet flooding types of denial of service (DoS) attacks.

Information

Denial of service is a condition when a resource is not available for legitimate users. Packet flooding DDoS attacks are referred to as volumetric attacks and have the objective of overloading a network or circuit to deny or seriously degrade performance, which denies access to the services that normally traverse the network or circuit. Volumetric attacks have become relatively easy to launch by using readily available tools such as Low Orbit Ion Cannon or by using botnets.

Measures to mitigate the effects of a successful volumetric attack must be taken to ensure that sufficient capacity is available for mission-critical traffic. Managing capacity may include, for example, establishing selected network usage priorities or quotas and enforcing them using rate limiting, quality of service (QoS), or other resource reservation control methods. These measures may also mitigate the effects of sudden decreases in network capacity that are the result of accidental or intentional physical damage to telecommunications facilities (such as cable cuts or weather-related outages).

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Implement a QoS policy for traffic prioritization and bandwidth reservation. This policy must enforce the traffic priorities specified by the Combatant Commanders/Services/Agencies.

Configure the VLANs:
set vlans <data VLAN> vlan-id <data VLAN ID>
set vlans <VoIP VLAN> vlan-id <VoIP VLAN ID>

Configure the VoIP interface(s):
set interfaces <interface name> unit 0 family ethernet-switching interface-mode access
set interfaces <interface name> unit 0 family ethernet-switching vlan members <data VLAN>
set switch-options voip interface <interface name>.0 vlan <VoIP VLAN>
set switch-options voip interface <interface name>.0 forwarding-class <VoIP forwarding class>

Configure CoS:
set class-of-service classifiers dscp <VoIP classifier name> import default
set class-of-service classifiers dscp <VoIP classifier name> forwarding-class <VoIP forwarding class> loss-priority low code-points <DSCP code point>
set class-of-service classifiers dscp <VoIP classifier name> forwarding-class <VoIP forwarding class> loss-priority low code-points <DSCP code point> (optional - only if multiple DSCP values are used)
set class-of-service interfaces <VoIP interface> scheduler-map <VoIP scheduler map>
set class-of-service interfaces <VoIP interface> unit 0 classifiers dscp <VoIP classifier name>
set class-of-service interfaces <uplink interface> scheduler-map <VoIP scheduler map>
set class-of-service interfaces <uplink interface> unit 0 classifiers dscp <VoIP classifier name>
set class-of-service scheduler-maps <VoIP scheduler map> forwarding-class best-effort scheduler <scheduler name> (e.g. be-scheduler)
set class-of-service scheduler-maps <VoIP scheduler map> forwarding-class <VoIP forwarding class> scheduler <scheduler name> (e.g. ef-scheduler)
set class-of-service scheduler-maps <VoIP scheduler map> forwarding-class network-control scheduler <scheduler name> (e.g. nc-scheduler)
set class-of-service schedulers <be-scheduler name> transmit-rate (exact <value> | percent (0..100) | remainder)
set class-of-service schedulers <be-scheduler name> priority (high | low | medium-high | medium-low | strict-high)
set class-of-service schedulers <ef-scheduler name> shaping-rate percent (0..100)
set class-of-service schedulers <ef-scheduler name> priority (high | low | medium-high | medium-low | strict-high)
set class-of-service schedulers <nc-scheduler name> shaping-rate percent (0..100)
set class-of-service schedulers <nc-scheduler name> priority (high | low | medium-high | medium-low | strict-high)

Note: The classifier method (ToS bit, DSCP marking, etc.) and values, interfaces, priorities, and rates must be appropriate for the target environment.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_EX_Switches_Y23M07_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-5(2), CAT|II, CCI|CCI-001095, Rule-ID|SV-253951r843886_rule, STIG-ID|JUEX-L2-000040, Vuln-ID|V-253951

Plugin: Juniper

Control ID: 86ac1fa00c8d18c62b5cbffd9fe57ed85bd6c09a40df8ea2cba5a21c78e5b49e