Detections
Analytics

JUEX-RT-000220 - The Juniper multicast Rendezvous Point (RP) router must be configured to filter Protocol Independent Multicast (PIM) Register messages received from the Designated Router (DR) for any undesirable multicast groups and sources.

Information

Real-time multicast traffic can entail multiple large flows of data. An attacker can flood a network segment with multicast packets, over-using the available bandwidth and thereby creating a denial-of-service (DoS) condition. Hence, it is imperative that register messages are accepted only for authorized multicast groups and sources.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Configure the RP router to filter PIM register messages received from a multicast DR for any undesirable multicast groups or sources.

set policy-options policy-statement <name> term filter_groups from route-filter <multicast address>/<mask> <match criterion>
set policy-options policy-statement <name> term filter_groups from route-filter <additional multicast address>/<mask> <match criterion>
set policy-options policy-statement <name> term filter_groups then reject

set policy-options policy-statement <name> term filter_source from source-address-filter <source address>/<mask> <match criterion>
set policy-options policy-statement <name> term filter_source from source-address-filter <additional source address>/<mask> <match criterion>
set policy-options policy-statement <name> term filter_source then reject

set policy-options policy-statement <name> term accept_others then accept

set protocols pim rp rp-register-policy <policy name>

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_EX_Switches_Y26M01_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-4, CAT|III, CCI|CCI-001414, Rule-ID|SV-253994r844015_rule, STIG-ID|JUEX-RT-000220, Vuln-ID|V-253994

Plugin: Juniper

Control ID: 1db7233290fc8f9e17cb35c7e9d33fa75179992bc5bd138b3d3f0e236a672181