JUEX-L2-000190 - The Juniper EX switch must be configured to assign all explicitly disabled access interfaces to an unused VLAN.

Information

A configured but disabled access interface that is still assigned to a user or management VLAN can be re-enabled, by accident or by an attacker, and at that moment it becomes a live member of that VLAN. Moving such interfaces into a VLAN that carries no traffic removes that exposure. Unconfigured Junos interfaces cannot pass network traffic and do not participate in any user-configured VLAN.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Disable all configured access interfaces that are not in use and assign them to an inactive VLAN, or remove the interface configuration from the device entirely. Switch ports configured for 802.1X authentication are exempt from this requirement.

1. In this example, 'vlan_disabled' is the name given to the VLAN for unused interfaces. This VLAN name can be any legal name.
Configure a range of interfaces.
user@host> configure
user@host# set vlans vlan_disabled vlan-id <VLAN ID>

user@host# set interfaces interface-range <name> member <interface name>
user@host# set interfaces interface-range <name> member-range <starting interface name> to <ending interface name>
user@host# set interfaces interface-range <name> disable
user@host# set interfaces interface-range <name> unit 0 family ethernet-switching vlan members vlan_disabled

2. Configure individual interfaces.
user@host# set interfaces <interface name> disable
user@host# set interfaces <interface name> unit 0 family ethernet-switching vlan members vlan_disabled

3. Delete the unused VLAN from all trunked interfaces, so that it is never carried to another switch and stays isolated to the disabled ports.
user@host# delete interfaces <trunked interface> unit 0 family ethernet-switching vlan members vlan_disabled

4. Alternatively, remove the interface configuration from unused interfaces altogether; an unconfigured interface cannot pass traffic.
user@host# delete interfaces <interface name>
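To verify the requirement across a whole switch rather than reading each interface stanza by hand, the following is an added example, not part of the STIG or of the Nessus plugin: a Python script that parses `show configuration | display set` output, expands `interface-range` statements onto their members, and reports disabled access interfaces that still belong to a VLAN other than the unused one, plus trunk interfaces that still carry the unused VLAN (step 3). The sample configuration is constructed for illustration, the VLAN and interface names in it are assumptions, only the `member` and `member-range` forms of an interface range are handled (not `ge-0/0/[10-23]` wildcards), and an interface with no `interface-mode` is treated as access, which is the ELS default. Ports referenced under `protocols dot1x` are skipped, matching the exemption above.

```python
import re
from collections import defaultdict

UNUSED_VLAN = "vlan_disabled"

# Constructed `show configuration | display set` excerpt for illustration only;
# it was not captured from a real switch.
SAMPLE_CONFIG = """\
set vlans vlan_disabled vlan-id 999
set vlans users vlan-id 100
set vlans mgmt vlan-id 200
set interfaces interface-range unused member-range ge-0/0/10 to ge-0/0/12
set interfaces interface-range unused disable
set interfaces interface-range unused unit 0 family ethernet-switching vlan members vlan_disabled
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members users
set interfaces ge-0/0/2 disable
set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members users
set interfaces ge-0/0/3 disable
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members vlan_disabled
set interfaces ge-0/0/4 disable
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members vlan_disabled
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members mgmt
set interfaces ge-0/0/5 disable
set interfaces ge-0/0/5 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members users
set protocols dot1x authenticator interface ge-0/0/5.0 supplicant multiple
set interfaces ge-0/0/7 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/7 unit 0 family ethernet-switching vlan members users
set interfaces ge-0/0/7 unit 0 family ethernet-switching vlan members vlan_disabled
set interfaces ge-0/0/8 disable
set interfaces ge-0/0/8 unit 0 family ethernet-switching
"""

RANGE_RE = re.compile(r"^set interfaces interface-range (?P<range>\S+) (?P<rest>.+)$")
IFACE_RE = re.compile(r"^set interfaces (?P<name>\S+) (?P<rest>.+)$")
DOT1X_RE = re.compile(r"^set protocols dot1x authenticator interface (?P<name>\S+)")
PORT_RE = re.compile(r"^(?P<prefix>.*/)(?P<port>\d+)$")


def new_iface():
    # interface-mode defaults to access on ELS when it is not set explicitly
    return {"disabled": False, "mode": "access", "switching": False,
            "vlans": set(), "dot1x": False}


def expand_range(start, end):
    """Expand 'ge-0/0/10 to ge-0/0/12' on the port number only (same FPC/PIC assumed)."""
    a, b = PORT_RE.match(start), PORT_RE.match(end)
    if not (a and b) or a["prefix"] != b["prefix"]:
        raise ValueError(f"unsupported member-range {start} to {end}")
    return [f"{a['prefix']}{n}" for n in range(int(a["port"]), int(b["port"]) + 1)]


def apply_stmt(iface, rest):
    """Apply one statement (the text after the interface name) to an interface record."""
    toks = rest.split()
    if toks == ["disable"]:
        iface["disabled"] = True
    if "ethernet-switching" in toks:
        iface["switching"] = True
    if "interface-mode" in toks:
        iface["mode"] = toks[toks.index("interface-mode") + 1]
    if toks[-3:-1] == ["vlan", "members"]:
        iface["vlans"].add(toks[-1])


def parse_config(text):
    """Build a per-interface view; interface-range statements are copied onto each member."""
    ifaces = defaultdict(new_iface)
    ranges = defaultdict(lambda: {"members": [], "stmts": []})
    for line in text.splitlines():
        line = line.strip()
        m = RANGE_RE.match(line)
        if m:
            toks = m["rest"].split()
            r = ranges[m["range"]]
            if toks[0] == "member-range":
                r["members"] += expand_range(toks[1], toks[3])
            elif toks[0] == "member":
                r["members"].append(toks[1])
            else:
                r["stmts"].append(m["rest"])
            continue
        m = IFACE_RE.match(line)
        if m:
            apply_stmt(ifaces[m["name"]], m["rest"])
            continue
        m = DOT1X_RE.match(line)
        if m:
            ifaces[m["name"].split(".")[0]]["dot1x"] = True  # ge-0/0/5.0 -> ge-0/0/5
    for r in ranges.values():
        for member in r["members"]:
            for stmt in r["stmts"]:
                apply_stmt(ifaces[member], stmt)
    return ifaces


def audit(text, unused_vlan=UNUSED_VLAN):
    """Return disabled access interfaces still in a live VLAN, and trunks carrying the unused VLAN."""
    ifaces = parse_config(text)
    noncompliant, trunks = [], []
    for name in sorted(ifaces):
        a = ifaces[name]
        if not a["switching"]:
            continue                        # routed or L2-unconfigured: out of scope
        if a["mode"] == "trunk":
            if unused_vlan in a["vlans"]:   # step 3: the unused VLAN must not ride trunks
                trunks.append(name)
            continue
        if not a["disabled"] or a["dot1x"]:
            continue                        # enabled ports and 802.1X ports are out of scope
        # No vlan members at all leaves the port in the ELS default VLAN, not the unused one
        live = sorted(a["vlans"] - {unused_vlan}) if a["vlans"] else ["default"]
        if live:
            noncompliant.append((name, live))
    return {"noncompliant": noncompliant, "trunks_carrying_unused": trunks}


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    for name, vlans in report["noncompliant"]:
        print(f"FAIL {name}: disabled but member of {', '.join(vlans)}")
    for name in report["trunks_carrying_unused"]:
        print(f"FAIL {name}: trunk carries {UNUSED_VLAN}")
```

Feed real output from `show configuration | display set` into `audit()` in place of the constructed sample. The ports in the `unused` range pass, `ge-0/0/3` passes, `ge-0/0/5` is skipped because of its 802.1X configuration, while `ge-0/0/2` (still in `users`), `ge-0/0/4` (also in `mgmt`), `ge-0/0/8` (no VLAN assigned at all) and the trunk `ge-0/0/7` are reported. Remember that the changes made in steps 1 through 4 are not active on the switch until they are committed.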

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_EX_Switches_Y25M04_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7, CAT|II, CCI|CCI-004891, Rule-ID|SV-253966r1082973_rule, STIG-ID|JUEX-L2-000190, Vuln-ID|V-253966

Plugin: Juniper

Control ID: e78432bc1538fe0538ea8d0e130b3d834d0977a31d8a57125059aa20d6ead511