Information
Real-time multicast traffic can entail multiple large flows of data. An attacker can flood a network segment with multicast packets, over-using the available bandwidth and thereby creating a denial-of-service (DoS) condition. Hence, it is imperative that join messages are only accepted for authorized multicast groups.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
RP routers that are peering with customer PIM-SM routers must implement a PIM import policy to block join messages for reserved and any undesirable multicast groups.
set policy-options policy-statement <name> term filter_groups from route-filter <multicast address>/<mask> <match criterion>
set policy-options policy-statement <name> term filter_groups from route-filter <additional multicast address>/<mask> <match criterion>
set policy-options policy-statement <name> term filter_groups then reject
set policy-options policy-statement <name> term filter_source from source-address-filter <source address>/<mask> <match criterion>
set policy-options policy-statement <name> term filter_source from source-address-filter <additional source address>/<mask> <match criterion>
set policy-options policy-statement <name> term filter_source then reject
set policy-options policy-statement <name> term accept_others then accept
set protocols pim import <policy name>
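As an added illustration (not part of this benchmark or of Junos itself), the following Python models how the three terms above evaluate sample PIM joins, including the Junos route-filter behaviour where only the longest covering prefix in a term is evaluated, so a mistaken longer entry can silently exempt joins a shorter prefix would have rejected. The term names, group ranges, source range and match types are assumed values chosen for the example.

```python
import ipaddress

# Constructed policy mirroring the page's three terms; names, prefixes and match
# types are assumptions for illustration, not the page's or any vendor's values.
POLICY = [
    ("filter_groups", "group", [("224.0.0.0/24", "orlonger"),   # local network control block
                                ("232.0.0.0/8", "orlonger"),    # SSM range, no shared-tree joins
                                ("239.0.0.0/8", "orlonger"),    # administratively scoped
                                ("239.255.0.0/16", "exact")],   # mistaken entry, see caveat below
     "reject"),
    ("filter_source", "source", [("10.0.0.0/8", "orlonger")], "reject"),  # assumed internal range
    ("accept_others", None, [], "accept"),
]

def _type_ok(flt, net, mtype):  # Junos route-filter match types applied to a /32 address
    if mtype == "exact":
        return net.prefixlen == flt.prefixlen
    if mtype == "longer":
        return net.prefixlen > flt.prefixlen
    if mtype == "orlonger":
        return net.prefixlen >= flt.prefixlen
    raise ValueError("unsupported match type: " + mtype)

def term_matches(term, group, source):
    _, kind, filters, _ = term
    if kind is None:                      # a term with no 'from' clause matches every join
        return True
    addr = group if kind == "group" else source
    if addr is None:                      # a (*,G) join carries no source address
        return False
    net = ipaddress.ip_network(addr)      # host address becomes a /32 prefix
    covering = [(ipaddress.ip_network(p), m) for p, m in filters
                if net.subnet_of(ipaddress.ip_network(p))]
    if not covering:
        return False
    # Caveat: Junos evaluates only the longest covering route-filter in a term; if its
    # match type fails, the whole term fails even though a shorter prefix would match.
    best, mtype = max(covering, key=lambda pm: pm[0].prefixlen)
    return _type_ok(best, net, mtype)

def evaluate_join(group, source=None):
    """Return (action, term) that the policy applies to a PIM join for (source, group)."""
    for term in POLICY:
        if term_matches(term, group, source):
            return term[3], term[0]
    return "accept", "<no term matched>"   # unreachable while accept_others is present

if __name__ == "__main__":
    for src, grp in [(None, "239.1.1.1"), ("10.1.2.3", "224.1.1.1"),
                     ("192.0.2.10", "224.1.1.1"), (None, "239.255.1.1")]:
        print(src, grp, evaluate_join(grp, src))
```

The last sample join, for 239.255.1.1, is accepted only because the mistaken `exact` entry shadows the `239.0.0.0/8 orlonger` filter; removing that entry makes the term reject it as intended.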