JUEX-L2-000230 - The Juniper EX switch must be configured to set all enabled user-facing or untrusted ports as access interfaces.

Information

By default, unconfigured (or expressly disabled) Junos interfaces are unusable. Any enabled interface configured with the family ethernet-switching uses interface-mode access by default, which meets this requirement. Trunked interfaces must be explicitly configured for operational requirements (e.g., interswitch links), which makes them trusted and not user-facing.

Configuring enabled user-facing or untrusted interfaces as trunked may expose network traffic to an unauthorized or unintended connected endpoint. Access interfaces belong to a single VLAN rather than the multiple VLANs carried by trunks, which limits potential exposure to a smaller subset of the total network traffic.

Access interfaces also behave differently than trunked interfaces, especially with respect to control plane traffic. For example, access interfaces can be marked as 'edge' for protocols like Rapid Spanning Tree (RSTP) or Multiple Spanning Tree (MSTP), where specific protections can be applied to prevent the switch from accepting Bridge Protocol Data Units (BPDUs) from unauthorized sources and causing a network topology change or disruption. Additionally, network-level protection mechanisms such as 802.1X or sticky-mac are applied to access interfaces, and these mechanisms help prevent unauthorized network access.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Disable trunking on all enabled user-facing or untrusted access interfaces.

Delete 'interface-mode' from an enabled user-facing or untrusted interface to inherit the default access mode.
user@host> configure
user@host# delete interfaces <interface name> unit 0 family ethernet-switching interface-mode

Alternatively, explicitly set the enabled user-facing or untrusted interface mode to access.
user@host> configure
user@host# set interfaces <interface name> unit 0 family ethernet-switching interface-mode access
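The following is an added illustration of how an auditor might check this requirement offline; it is not part of the STIG or of Tenable's audit plugin. It parses set-style output (as produced by 'show configuration interfaces | display set') over a constructed sample, applies the same logic the Information section describes (disabled interfaces are out of scope, an ethernet-switching unit with no interface-mode defaults to access, and explicitly trusted trunks such as interswitch links are excluded via an allowlist), and emits the corresponding 'set ... interface-mode access' remediation lines. The allowlist name TRUSTED_TRUNKS and the sample interface names are assumptions; interface-range and apply-groups constructs are not expanded here.

```python
import re
from typing import Dict, List, Set

# Constructed sample of "show configuration interfaces | display set" output.
# ge-0/0/0: explicit access (compliant)
# ge-0/0/1: ethernet-switching with no interface-mode -> defaults to access (compliant)
# ge-0/0/2: enabled, user-facing, trunk (finding)
# ge-0/0/3: trunk but administratively disabled (out of scope)
# xe-0/1/0: trunk uplink, listed as trusted (excluded by allowlist)
# ge-0/0/4: routed interface, no ethernet-switching family (not applicable)
SAMPLE_CONFIG = """\
set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members users
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members users
set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members [ users voice ]
set interfaces ge-0/0/3 disable
set interfaces ge-0/0/3 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-0/1/0 description "uplink to core"
set interfaces xe-0/1/0 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/4 unit 0 family inet address 192.0.2.1/30
"""

# Assumed allowlist: interswitch links that are trunked by operational requirement.
TRUSTED_TRUNKS: Set[str] = {"xe-0/1/0"}

SET_RE = re.compile(r"^set interfaces (\S+) (.*)$")
SWITCHING_RE = re.compile(r"^unit (\d+) family ethernet-switching(?: interface-mode (\S+))?")


def parse_interfaces(config: str) -> Dict[str, dict]:
    """Collapse set-style lines into per-interface facts: disabled flag,
    whether a unit carries family ethernet-switching, that unit number,
    and the explicit interface-mode (None means the Junos default, access)."""
    ifaces: Dict[str, dict] = {}
    for raw in config.splitlines():
        m = SET_RE.match(raw.strip())
        if not m:
            continue
        name, rest = m.groups()
        entry = ifaces.setdefault(
            name, {"disabled": False, "switching": False, "unit": None, "mode": None}
        )
        if rest == "disable":
            entry["disabled"] = True
        sm = SWITCHING_RE.match(rest)
        if sm:
            entry["switching"] = True
            entry["unit"] = sm.group(1)
            if sm.group(2):
                entry["mode"] = sm.group(2)
    return ifaces


def find_noncompliant(config: str, trusted: Set[str]) -> List[str]:
    """Enabled switching interfaces set to trunk that are not on the trusted list."""
    findings = []
    for name, e in sorted(parse_interfaces(config).items()):
        if e["disabled"] or not e["switching"] or name in trusted:
            continue
        if e["mode"] == "trunk":
            findings.append(name)
    return findings


def remediation_commands(config: str, trusted: Set[str]) -> List[str]:
    """Produce the explicit 'interface-mode access' set commands for each finding."""
    ifaces = parse_interfaces(config)
    return [
        f"set interfaces {n} unit {ifaces[n]['unit']} family ethernet-switching interface-mode access"
        for n in find_noncompliant(config, trusted)
    ]


if __name__ == "__main__":
    for iface in find_noncompliant(SAMPLE_CONFIG, TRUSTED_TRUNKS):
        print(f"FINDING: {iface} is enabled and trunked but not a trusted interswitch link")
    for cmd in remediation_commands(SAMPLE_CONFIG, TRUSTED_TRUNKS):
        print(f"  {cmd}")
```

Run against a real export, the allowlist is the part that needs care: every trunk that is not on it is reported, so the list should be maintained from the documented interswitch links rather than from whatever happens to be trunked today.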

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_EX_Switches_Y25M04_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Rule-ID|SV-253970r1082976_rule, STIG-ID|JUEX-L2-000230, Vuln-ID|V-253970

Plugin: Juniper

Control ID: 31014a88d7e11f5f2fb2d0c790581640b6dc6697c44d5793aab5a6d704ad998c