Detections
Analytics
JUNI-RT-000440 - The Juniper router must be configured to only permit management traffic that ingresses and egresses the OOBM interface - Inbound
Warning! Audit Deprecated
This audit has been deprecated and will be removed in a future update.
View Next Audit VersionInformation
The OOBM access switch will connect to the management interface of the managed network elements. The management interface can be a true OOBM interface or a standard interface functioning as the management interface. In either case, the management interface of the managed network element will be directly connected to the OOBM network.An OOBM interface does not forward transit traffic, thereby providing complete separation of production and management traffic. Since all management traffic is immediately forwarded into the management network, it is not exposed to possible tampering. The separation also ensures that congestion or failures in the managed network do not affect the management of the device. If the device does not have an OOBM port, the interface functioning as the management interface must be configured so that management traffic does not leak into the managed network and that production traffic does not leak into the management network.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
If the management interface is not a dedicated OOBM interface, it must be configured with both an ingress and egress filter.Configure an inbound filter a shown in the example below.
[edit firewall family inet]
set filter OOBM_INBOUND term ALLOW_SNMP from protocol udp port snmp
set filter OOBM_INBOUND term ALLOW_SNMP then accept
set filter OOBM_INBOUND term ALLOW_TACACS from protocol tcp port tacacs
set filter OOBM_INBOUND term ALLOW_TACACS then accept
set filter OOBM_INBOUND term ALLOW_SSH from protocol tcp port ssh
set filter OOBM_INBOUND term ALLOW_SSH then accept
set filter OOBM_INBOUND term ALLOW_NTP from protocol udp port ntp
set filter OOBM_INBOUND term ALLOW_NTP then accept
set filter OOBM_INBOUND term ALLOW_ICMP from protocol icmp
set filter OOBM_INBOUND term ALLOW_ICMP then accept
set filter OOBM_INBOUND term DENY_OTHER then syslog discard
Configure an outbound filter a shown in the example below.
set filter OOBM_OUTBOUND term ALLOW_SNMP from protocol udp port [snmp snmptrap]
set filter OOBM_OUTBOUND term ALLOW_SNMP then accept
set filter OOBM_OUTBOUND term ALLOW_TACACS from protocol tcp port tacacs
set filter OOBM_OUTBOUND term ALLOW_TACACS then accept
set filter OOBM_OUTBOUND term ALLOW_SSH from protocol tcp port ssh
set filter OOBM_OUTBOUND term ALLOW_SSH then accept
set filter OOBM_OUTBOUND term ALLOW_NTP from protocol udp port ntp
set filter OOBM_OUTBOUND term ALLOW_NTP then accept
set filter OOBM_OUTBOUND term ALLOW_SYSLOG from protocol udp port
set filter OOBM_OUTBOUND term ALLOW_SYSLOG then accept
set filter OOBM_OUTBOUND term ALLOW_NETFLOW from protocol udp port [2055 9995 9996]
set filter OOBM_OUTBOUND term ALLOW_NETFLOW then accept
set filter OOBM_OUTBOUND term DENY_OTHER then syslog discard
Apply the filters to the OOBM interfaces.
[edit interfaces ge-0/0/0 unit 0 family inet]
set filter input OOBM_INBOUND
set filter output OOBM_OUTBOUND
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_Router_Y21M02_STIG.zip
Item Details
Audit Name: DISA STIG Juniper Router RTR v2r2
Category: SYSTEM AND COMMUNICATIONS PROTECTION
References: 800-53|SC-7, CAT|II, CCI|CCI-001097, Rule-ID|SV-217049r639663_rule, STIG-ID|JUNI-RT-000440, STIG-Legacy|SV-101093, STIG-Legacy|V-90883, Vuln-ID|V-217049
Plugin: Juniper
Control ID: fdfd826e2c690b57657c1b3dec57991f67364122e03b2b4731aea740c324d206