Detections
Analytics
JUEX-RT-000500 - The Juniper perimeter router must be configured to restrict it from accepting outbound IP packets that contain an illegitimate address in the source address field via egress filter or by enabling Unicast Reverse Path Forwarding (uRPF).
Information
A compromised host in an enclave can be used by a malicious platform to launch cyberattacks on third parties. This is a common practice in 'botnets', which are a collection of compromised computers using malware to attack other computers or networks. DDoS attacks frequently leverage IP source address spoofing to send packets to multiple hosts that in turn will then send return traffic to the hosts with the IP addresses that were forged. This can generate significant amounts of traffic. Therefore, protection measures to counteract IP source address spoofing must be taken. When uRPF is enabled in strict mode, the packet must be received on the interface that the device would use to forward the return packet; thereby mitigating IP source address spoofing.NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
This requirement is not applicable for the DODIN Backbone.Configure the router to ensure that an egress filter or uRPF is configured to restrict the router from accepting any outbound IP packet that contains an external IP address in the source field.
set interfaces <internal interface name> unit <number> family inet rpf-check
set interfaces <internal interface name> unit <number> family inet6 rpf-check
For example, configure firewall filter and apply to internal interfaces:
set policy-options prefix-list internal-prefixes-ipv4 192.0.2.0/24
set policy-options prefix-list internal-prefixes-ipv6 2001:0:2::/64
set firewall family inet filter internal-inbound-ipv4 term 1 from source-prefix-list internal-prefixes-ipv4
set firewall family inet filter internal-inbound-ipv4 term 1 then accept
set firewall family inet filter internal-inbound-ipv4 term default then log
set firewall family inet filter internal-inbound-ipv4 term default then syslog
set firewall family inet filter internal-inbound-ipv4 term default then discard
set firewall family inet6 filter internal-inbound-ipv6 term 1 from source-prefix-list internal-prefixes-ipv6
set firewall family inet6 filter internal-inbound-ipv6 term 1 then accept
set firewall family inet6 filter internal-inbound-ipv6 term default then log
set firewall family inet6 filter internal-inbound-ipv6 term default then syslog
set firewall family inet6 filter internal-inbound-ipv6 term default then discard
set interfaces ge-0/0/0 unit 0 family inet filter input internal-inbound-ipv4
set interfaces ge-0/0/0 unit 0 family inet6 filter input internal-inbound-ipv6
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_EX_Switches_Y23M07_STIG.zip
Item Details
Audit Name: DISA Juniper EX Series Router v1r3
Category: SYSTEM AND COMMUNICATIONS PROTECTION
References: 800-53|SC-5(1), CAT|I, CCI|CCI-001094, Rule-ID|SV-254022r844099_rule, STIG-ID|JUEX-RT-000500, Vuln-ID|V-254022
Plugin: Juniper
Control ID: cc1cbc763adee68161cd33b5b36c0bfc88a8b79c5dfb32b716b56a66fc389fe1