JUEX-RT-000800 - The Juniper Multicast Source Discovery Protocol (MSDP) router must be configured to only accept MSDP packets from known MSDP peers.

Information

MSDP peering with customer network routers presents additional risks to the DISN Core, whether from a rogue or misconfigured MSDP-enabled router. To guard against an attack from malicious MSDP traffic, the receive path or interface filter for all MSDP-enabled RP routers must be configured to only accept MSDP packets from known MSDP peers.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Ensure the receive path or interface filter for all MSDP routers only accepts MSDP packets from known MSDP peers.

set firewall family inet filter <name> term 1 from source-prefix-list msdp-peers
set firewall family inet filter <name> term 1 from protocol tcp
set firewall family inet filter <name> term 1 from destination-port msdp
set firewall family inet filter <name> term 1 then accept
set firewall family inet filter <name> term 2 from source-prefix-list msdp-peers
set firewall family inet filter <name> term 2 from protocol tcp
set firewall family inet filter <name> term 2 from source-port msdp
set firewall family inet filter <name> term 2 then accept
<additional terms>
set firewall family inet filter <name> term default then syslog
set firewall family inet filter <name> term default then discard

set firewall family inet6 filter <name> term 1 from source-prefix-list msdp-peers-ipv6
set firewall family inet6 filter <name> term 1 from next-header tcp
set firewall family inet6 filter <name> term 1 from destination-port msdp
set firewall family inet6 filter <name> term 1 then accept
set firewall family inet6 filter <name> term 2 from source-prefix-list msdp-peers-ipv6
set firewall family inet6 filter <name> term 2 from next-header tcp
set firewall family inet6 filter <name> term 2 from source-port msdp
set firewall family inet6 filter <name> term 2 then accept
<additional terms>
set firewall family inet6 filter <name> term default then syslog
set firewall family inet6 filter <name> term default then discard

set interfaces <external interface> unit <number> family inet filter input <IPv4 filter name>
set interfaces <external interface> unit <number> family inet address <IPv4 address>/<mask>
set interfaces <external interface> unit <number> family inet6 filter input <IPv6 filter name>
set interfaces <external interface> unit <number> family inet6 address <IPv6 address>/<prefix>

set interfaces lo0 unit <number> family inet filter input <IPv4 filter name>
set interfaces lo0 unit <number> family inet address <IPv4 address>/32
set interfaces lo0 unit <number> family inet6 filter input <IPv6 filter name>
set interfaces lo0 unit <number> family inet6 address <IPv6 address>/128
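As an added illustration (not Nessus's check logic and not Juniper's code), the following Python script audits a flattened `set`-style Junos configuration for the conditions the fix text above describes: every term that accepts MSDP (TCP port 639, port name `msdp`) must be constrained by `source-prefix-list`, that prefix list must actually contain peers, the filter must end in a term that logs and discards everything else, and the filter must be applied inbound on lo0 and on an external interface. The two sample configurations are constructed; the `policy-options prefix-list msdp-peers` statements are an assumption about how the peer list is defined, since the fix text references the list but does not show its definition.

```python
"""Audit a Junos 'set'-style configuration for the JUEX-RT-000800 requirement:
MSDP must only be accepted from known peers and everything else must be
logged and discarded. Added example, not Nessus or Juniper code."""
import re

# Constructed, filled-in version of the STIG fix template (IPv4 only; the
# parser also understands the inet6 'next-header tcp' form).
# The prefix-list definition is an assumption: the STIG references
# msdp-peers but does not show how it is populated.
SAMPLE_CONFIG = """
set policy-options prefix-list msdp-peers 192.0.2.10/32
set policy-options prefix-list msdp-peers 192.0.2.11/32
set firewall family inet filter PROTECT-RE term 1 from source-prefix-list msdp-peers
set firewall family inet filter PROTECT-RE term 1 from protocol tcp
set firewall family inet filter PROTECT-RE term 1 from destination-port msdp
set firewall family inet filter PROTECT-RE term 1 then accept
set firewall family inet filter PROTECT-RE term 2 from source-prefix-list msdp-peers
set firewall family inet filter PROTECT-RE term 2 from protocol tcp
set firewall family inet filter PROTECT-RE term 2 from source-port msdp
set firewall family inet filter PROTECT-RE term 2 then accept
set firewall family inet filter PROTECT-RE term default then syslog
set firewall family inet filter PROTECT-RE term default then discard
set interfaces ge-0/0/0 unit 0 family inet filter input PROTECT-RE
set interfaces lo0 unit 0 family inet filter input PROTECT-RE
"""

# Constructed non-compliant variant: MSDP accepted from any source, no
# logging on the final term, and the filter is not applied to lo0.
WEAK_CONFIG = """
set firewall family inet filter PROTECT-RE term 1 from protocol tcp
set firewall family inet filter PROTECT-RE term 1 from destination-port msdp
set firewall family inet filter PROTECT-RE term 1 then accept
set firewall family inet filter PROTECT-RE term default then discard
set interfaces ge-0/0/0 unit 0 family inet filter input PROTECT-RE
"""

TERM_RE = re.compile(r"^set firewall family (\S+) filter (\S+) term (\S+) (from|then) (\S+)(?: (\S+))?$")
APPLY_RE = re.compile(r"^set interfaces (\S+) unit \S+ family (\S+) filter input (\S+)$")
PREFIX_RE = re.compile(r"^set policy-options prefix-list (\S+) (\S+)$")


def parse(config_text):
    """Flatten 'set' lines into filters, interface bindings and prefix lists.
    Term order follows first appearance, which is how Junos orders terms
    loaded from set statements."""
    filters, bindings, prefix_lists = {}, {}, {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := TERM_RE.match(line):
            fam, name, term, clause, key, value = m.groups()
            spec = filters.setdefault((fam, name), {}).setdefault(term, {"from": {}, "then": set()})
            if clause == "from":
                spec["from"][key] = value
            else:
                spec["then"].add(key)
        elif m := APPLY_RE.match(line):
            ifname, fam, name = m.groups()
            bindings.setdefault((fam, name), set()).add(ifname)
        elif m := PREFIX_RE.match(line):
            prefix_lists.setdefault(m.group(1), set()).add(m.group(2))
    return filters, bindings, prefix_lists


def is_msdp_term(spec):
    """A term matches MSDP if it selects TCP and port msdp/639 in either direction."""
    frm = spec["from"]
    proto = frm.get("protocol") or frm.get("next-header")
    ports = {frm.get("destination-port"), frm.get("source-port")}
    return proto == "tcp" and bool(ports & {"msdp", "639"})


def audit(config_text):
    """Return a list of findings; an empty list means the MSDP filter is compliant."""
    filters, bindings, prefix_lists = parse(config_text)
    findings = []
    for (fam, name), terms in filters.items():
        msdp_terms = {t: s for t, s in terms.items() if is_msdp_term(s)}
        if not msdp_terms:
            continue
        label = f"family {fam} filter {name}"
        for tname, spec in msdp_terms.items():
            if "accept" not in spec["then"]:
                continue
            pl = spec["from"].get("source-prefix-list")
            if pl is None:
                findings.append(f"{label} term {tname}: accepts MSDP from any source")
            elif not prefix_lists.get(pl):
                findings.append(f"{label} term {tname}: prefix-list {pl} is undefined or empty")
        last_name, last = list(terms.items())[-1]
        if "discard" not in last["then"]:
            findings.append(f"{label}: final term {last_name} does not discard unmatched traffic")
        if not ({"syslog", "log"} & last["then"]):
            findings.append(f"{label}: final term {last_name} does not log discarded traffic")
        bound = bindings.get((fam, name), set())
        if not any(i.startswith("lo0") for i in bound):
            findings.append(f"{label}: not applied as input on lo0")
        if not any(not i.startswith("lo0") for i in bound):
            findings.append(f"{label}: not applied as input on any external interface")
    return findings


if __name__ == "__main__":
    for title, cfg in (("compliant", SAMPLE_CONFIG), ("weak", WEAK_CONFIG)):
        print(title, audit(cfg) or "OK")
```

Run it against the output of `show configuration | display set` (the flattened form the parser expects); anything other than an empty finding list is a deviation from the fix text. The script only inspects the MSDP terms and the trailing default term, so the `<additional terms>` the fix leaves to the operator are not judged here.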

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_EX_Switches_Y23M07_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(11), CAT|II, CCI|CCI-002403, Rule-ID|SV-254052r844189_rule, STIG-ID|JUEX-RT-000800, Vuln-ID|V-254052

Plugin: Juniper

Control ID: de7db6799448a9411c613fdbf8aa201a318a34ad33cee78765c77bfbfa90d251