Detections
Analytics
JUEX-RT-000120 - The Juniper router must be configured to enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy.
Information
Information flow control regulates authorized information to travel within a network and between interconnected networks. Controlling the flow of network traffic is critical so it does not introduce any unacceptable risk to the network infrastructure or data. An example of a flow control restriction is blocking outside traffic claiming to be from within the organization. For most routers, internal information flow control is a product of system design.NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Configure the router to enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy.set interfaces <interface name> unit <logical unit> family inet rpf-check
set interfaces <interface name> unit <logical unit> family inet filter input deny-prod-to-mgt
set interfaces <interface name> unit <logical unit> family inet6 rpf-check
set interfaces <interface name> unit <logical unit> family inet6 filter input deny-prod-to-mgt-v6
set firewall family inet filter deny-prod-to-mgt term 1 from source-address <production IPv4 subnet/mask>
set firewall family inet filter deny-prod-to-mgt term 1 from destination-address <MGT IPv4 subnet/mask>
set firewall family inet filter deny-prod-to-mgt term 1 then log
set firewall family inet filter deny-prod-to-mgt term 1 then syslog
set firewall family inet filter deny-prod-to-mgt term 1 then discard
set firewall family inet filter deny-prod-to-mgt term 2 from source-address <production IPv4 subnet/mask>
set firewall family inet filter deny-prod-to-mgt term 2 then accept
set firewall family inet6 filter deny-prod-to-mgt-v6 term 1 from source-address <production IPv6 subnet/prefix>
set firewall family inet6 filter deny-prod-to-mgt-v6 term 1 from destination-address <MGT IPv6 subnet/prefix>
set firewall family inet6 filter deny-prod-to-mgt-v6 term 1 then log
set firewall family inet6 filter deny-prod-to-mgt-v6 term 1 then syslog
set firewall family inet6 filter deny-prod-to-mgt-v6 term 1 then discard
set firewall family inet6 filter deny-prod-to-mgt-v6 term 2 from source-address <production IPv6 subnet/prefix>
set firewall family inet6 filter deny-prod-to-mgt-v6 term 2 then accept
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_EX_Switches_Y24M01_STIG.zip
Item Details
Audit Name: DISA Juniper EX Series Router v1r3
Category: ACCESS CONTROL
References: 800-53|AC-4, CAT|II, CCI|CCI-001414, Rule-ID|SV-253984r843985_rule, STIG-ID|JUEX-RT-000120, Vuln-ID|V-253984
Plugin: Juniper
Control ID: 5d390c753cde252a9ece57f6d770eab45815af285c9f6ca7ac42c03ad96ae3aa