Detections
Analytics
JUNI-RT-000280 - The Juniper perimeter router must be configured to protect an enclave connected to an approved gateway by using an inbound filter that only permits packets with destination addresses within the site's address space.
Information
Enclaves with approved gateway connections must take additional steps to ensure there is no compromise on the enclave network or NIPRNet. Without verifying the destination address of traffic coming from the site's alternate gateway, the perimeter router could be routing transit data from the internet into the NIPRNet. This could also make the perimeter router vulnerable to a denial-of-service (DoS) attack and provide a back door into the NIPRNet. The DOD enclave must ensure the ingress filter applied to external interfaces on a perimeter router connecting to an approved gateway is secure through filters permitting packets with a destination address belonging to the DOD enclave's address block.NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
This requirement is not applicable for the DODIN backbone.Configure the ingress filter of the perimeter router connected to an approved gateway to only permit packets with destination addresses of the site's NIPRNet address space or a destination address belonging to the address block assigned by the approved gateway network service provider as shown in the example below.
[edit firewall family inet filter ISP_FILTER]
set term RESTRICT_DESTINATION from destination-address 0.0.0.0/0
set term RESTRICT_DESTINATION from destination-address 11.1.0.0/16 except
set term RESTRICT_DESTINATION then syslog discard
insert term RESTRICT_DESTINATION before term ALLOW_XYZ
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_Router_Y25M01_STIG.zip
Item Details
Audit Name: DISA STIG Juniper Router RTR v3r2
Category: ACCESS CONTROL
References: 800-53|AC-4, CAT|I, CCI|CCI-001414, Rule-ID|SV-217033r1050846_rule, STIG-ID|JUNI-RT-000280, STIG-Legacy|SV-101061, STIG-Legacy|V-90851, Vuln-ID|V-217033
Plugin: Juniper
Control ID: 5f70d66086f3b085edd7983930ab8ac29169357a5d818ea476912476f765d215