Information
ICMP supports IP traffic by relaying information about paths, routes, and network conditions. Routers send ICMP messages automatically under a wide variety of conditions. ICMP Mask Reply messages, which reveal an interface's subnet mask, are commonly used by attackers for network mapping and diagnosis.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Disable ICMP mask replies on all external interfaces.
set policy-options prefix-list router-addresses-ipv4 <external interface address>/32
set policy-options prefix-list router-addresses-ipv4 <internal subnet>/<mask>
set firewall family inet filter <name> term 1 from source-prefix-list router-addresses-ipv4
set firewall family inet filter <name> term 1 from protocol icmp
set firewall family inet filter <name> term 1 from icmp-type mask-reply
set firewall family inet filter <name> term 1 then log
set firewall family inet filter <name> term 1 then syslog
set firewall family inet filter <name> term 1 then discard
<additional terms>
set firewall family inet filter <name> term default then log
set firewall family inet filter <name> term default then syslog
set firewall family inet filter <name> term default then discard
set interfaces <interface name> unit <number> family inet filter output <name>
set interfaces <interface name> unit <number> family inet address <IPv4 address>/<mask>
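As an added compliance check, not part of Nessus or the benchmark, the following Python parses a device's "show configuration | display set" output and verifies that a named external interface carries an output filter whose term matches icmp-type mask-reply under protocol icmp, discards it, and logs it. The filter name NO-MASK-REPLY, the interface names and the addresses are constructed placeholders.

```python
# Constructed sample of "show configuration | display set"; names and addresses are placeholders.
SAMPLE_CONFIG = """
set policy-options prefix-list router-addresses-ipv4 192.0.2.1/32
set firewall family inet filter NO-MASK-REPLY term 1 from source-prefix-list router-addresses-ipv4
set firewall family inet filter NO-MASK-REPLY term 1 from protocol icmp
set firewall family inet filter NO-MASK-REPLY term 1 from icmp-type mask-reply
set firewall family inet filter NO-MASK-REPLY term 1 then log
set firewall family inet filter NO-MASK-REPLY term 1 then discard
set firewall family inet filter NO-MASK-REPLY term default then accept
set interfaces ge-0/0/0 unit 0 family inet filter output NO-MASK-REPLY
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.1/30
"""

def parse_set_config(text):
    """Return (filters, ifaces): filters[name][term] = {"from": set, "then": set};
    ifaces["ge-0/0/0.0"] = name of the output filter on that unit, or None."""
    filters, ifaces = {}, {}
    for line in text.splitlines():
        p = line.split()
        if len(p) < 6 or p[0] != "set":
            continue
        if p[1:5] == ["firewall", "family", "inet", "filter"] and len(p) >= 10 and p[6] == "term":
            term = filters.setdefault(p[5], {}).setdefault(p[7], {"from": set(), "then": set()})
            term.setdefault(p[8], set()).add(" ".join(p[9:]))  # p[8] is "from" or "then"
        elif p[1] == "interfaces" and p[3] == "unit":
            key = f"{p[2]}.{p[4]}"
            ifaces.setdefault(key, None)
            if p[5:9] == ["family", "inet", "filter", "output"] and len(p) >= 10:
                ifaces[key] = p[9]
    return filters, ifaces

def check_interface(filters, ifaces, ifkey):
    """Findings for one external interface; an empty list means the remediation is in place."""
    fname = ifaces.get(ifkey)
    if fname is None:
        return [f"{ifkey}: no output filter applied"]
    terms = filters.get(fname, {})
    blocking = [t for t, c in terms.items()
                if "icmp-type mask-reply" in c["from"] and "discard" in c["then"]]
    if not blocking:
        return [f"{ifkey}: filter {fname} has no term discarding icmp-type mask-reply"]
    findings = []
    for t in blocking:
        if "protocol icmp" not in terms[t]["from"]:
            findings.append(f"{ifkey}: term {t} matches icmp-type without 'from protocol icmp'")
        if not terms[t]["then"] & {"log", "syslog"}:
            findings.append(f"{ifkey}: term {t} discards mask-reply without logging")
    return findings
```

Run check_interface once per external interface listed by the operator; the benchmark does not require the filter on internal interfaces.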