JUSX-AG-000132 - The Juniper SRX Services Gateway Firewall must configure ICMP to meet DoD requirements.

Information

Providing too much information in error messages risks compromising the data and security of the application and system.

Organizations carefully consider the structure/content of error messages. The required information within error messages will vary based on the protocol and error condition. Information that could be exploited by adversaries includes ICMP messages that reveal the use of firewalls or access-control lists.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Configure ICMP to meet DoD requirements. The following example uses 'protect_re' as the filter name and assumes the referenced address books (source-prefix-lists) are already configured. The ICMPv6 type keywords are written with a hyphen (neighbor-advertisement, neighbor-solicit); numeric type 134 is router-advertisement.

[edit]
set firewall family inet filter protect_re term permit-icmp from source-prefix-list ssh-addresses
set firewall family inet filter protect_re term permit-icmp from source-prefix-list bgp-addresses
set firewall family inet filter protect_re term permit-icmp from source-prefix-list loopback-addresses
set firewall family inet filter protect_re term permit-icmp from source-prefix-list local-addresses
set firewall family inet filter protect_re term permit-icmp from source-prefix-list ixiav4
set firewall family inet filter protect_re term permit-icmp from icmp-type echo-request
set firewall family inet filter protect_re term permit-icmp from icmp-type echo-reply
set firewall family inet filter protect_re term permit-icmp then log
set firewall family inet filter protect_re term permit-icmp then syslog
set firewall family inet filter protect_re term permit-icmp then accept
set firewall family inet6 filter protect_re-v6 term permit-ar from icmp-type neighbor-advertisement
set firewall family inet6 filter protect_re-v6 term permit-ar from icmp-type neighbor-solicit
set firewall family inet6 filter ingress-v6 term permit-ar from icmp-type neighbor-advertisement
set firewall family inet6 filter ingress-v6 term permit-ar from icmp-type neighbor-solicit
set firewall family inet6 filter ingress-v6 term permit-ar from icmp-type 134
set firewall family inet6 filter ingress-v6 term permit-ar then accept
set firewall family inet6 filter egress-v6 term permit-lr from icmp-type neighbor-advertisement
set firewall family inet6 filter egress-v6 term permit-lr from icmp-type neighbor-solicit
set firewall family inet6 filter egress-v6 term permit-lr from icmp-type 134
set firewall family inet6 filter egress-v6 term permit-lr then accept
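The following is an added example, not part of the STIG or the Nessus plugin: a small check that parses Junos "display set" output and verifies the IPv4 ICMP term above is restricted to a source-prefix-list and an icmp-type, and logs, syslogs and accepts. The filter and term names (protect_re, permit-icmp) and the sample configuration are assumptions taken from the example above.

```python
import re
from collections import defaultdict

# Constructed sample of what "show configuration firewall | display set" could print.
SAMPLE_CONFIG = """
set firewall family inet filter protect_re term permit-icmp from source-prefix-list local-addresses
set firewall family inet filter protect_re term permit-icmp from icmp-type echo-request
set firewall family inet filter protect_re term permit-icmp from icmp-type echo-reply
set firewall family inet filter protect_re term permit-icmp then log
set firewall family inet filter protect_re term permit-icmp then syslog
set firewall family inet filter protect_re term permit-icmp then accept
"""

# One set-line of a firewall filter term: family, filter, term, and a from/then clause.
TERM_RE = re.compile(
    r"^set firewall family (?P<family>inet6?) filter (?P<filter>\S+) "
    r"term (?P<term>\S+) (?P<clause>from|then) (?P<rest>.+)$"
)


def parse_terms(config):
    """Group set-lines into {(family, filter, term): {"from": {match: values}, "then": actions}}."""
    terms = defaultdict(lambda: {"from": defaultdict(set), "then": set()})
    for line in config.splitlines():
        m = TERM_RE.match(line.strip())
        if not m:
            continue  # not a filter-term line (other config, blank, prompt)
        key = (m["family"], m["filter"], m["term"])
        if m["clause"] == "from":
            match_key, _, value = m["rest"].partition(" ")
            terms[key]["from"][match_key].add(value)
        else:
            terms[key]["then"].add(m["rest"])
    return terms


def icmp_term_findings(config, filter_name="protect_re", term_name="permit-icmp"):
    """Return a list of findings for the IPv4 ICMP term; an empty list means it passes."""
    term = parse_terms(config).get(("inet", filter_name, term_name))
    if term is None:
        return [f"filter {filter_name} has no term {term_name}"]
    findings = []
    if not term["from"].get("source-prefix-list"):
        findings.append("ICMP term is not restricted to a source-prefix-list")
    if not term["from"].get("icmp-type"):
        findings.append("ICMP term does not restrict icmp-type")
    for action in ("log", "syslog", "accept"):
        if action not in term["then"]:
            findings.append(f"ICMP term is missing 'then {action}'")
    return findings
```

Run it against the real output of `show configuration firewall | display set` to see which of the required elements are absent before Nessus reports the check.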

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_SRX_SG_Y22M10_STIG.zip

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-11a., CAT|II, CCI|CCI-001312, Rule-ID|SV-214536r557389_rule, STIG-ID|JUSX-AG-000132, STIG-Legacy|SV-80827, STIG-Legacy|V-66337, Vuln-ID|V-214536

Plugin: Juniper

Control ID: d5894a4979091930781c432eb444041a5056f24825a0b02732d584fa92a37031