
Juniper EX Series Switches Layer 2 Switch Security Technical Implementation Guide


Overview

Date: 2022-08-31
Finding count: 25 (CAT I High: 2, CAT II Medium: 19, CAT III Low: 4)
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC II - Mission Support Public)

Finding ID | Severity | Title
V-253948 | High | The Juniper EX switch must be configured to disable non-essential capabilities.
V-253949 | High | The Juniper EX switch must be configured to uniquely identify all network-connected endpoint devices before establishing any connection.
V-253954 | Medium | The Juniper EX switch must be configured to authenticate all network-connected endpoint devices before establishing any connection.
V-253960 | Medium | The Juniper EX switch must be configured to enable IP Source Guard on all user-facing or untrusted access VLANs.
V-253961 | Medium | The Juniper EX switch must be configured to enable Dynamic Address Resolution Protocol (ARP) Inspection (DAI) on all user VLANs.
V-253964 | Medium | If STP is used, the Juniper EX switch must be configured to implement Rapid STP, or Multiple STP, where VLANs span multiple switches with redundant links.
V-253965 | Medium | The Juniper EX switch must be configured to verify two-way connectivity on all interswitch trunked interfaces.
V-253968 | Medium | The Juniper EX switch must be configured to prune the default VLAN from all trunked interfaces that do not require it.
V-253969 | Medium | The Juniper EX switch must not use the default VLAN for management traffic.
V-253966 | Medium | The Juniper EX switch must be configured to assign all disabled access interfaces to an unused VLAN.
V-253967 | Medium | The Juniper EX switch must not be configured with VLANs used for L2 control traffic assigned to any host-facing access interface.
V-253971 | Medium | The Juniper EX switch must not have a native VLAN ID assigned, or have a unique native VLAN ID, for all 802.1q trunk links.
V-253970 | Medium | The Juniper EX switch must be configured to set all user-facing or untrusted ports as access interfaces.
V-253959 | Medium | The Juniper EX switch must be configured to enable DHCP snooping for all user VLANs to validate DHCP messages from untrusted sources.
V-253958 | Medium | The Juniper EX switch must be configured not to forward unknown unicast traffic to access interfaces.
V-253957 | Medium | The Juniper EX switch must be configured to enable STP Loop Protection on all non-designated STP switch ports.
V-253956 | Medium | The Juniper EX switch must be configured to enable BPDU Protection on all user-facing or untrusted access switch ports.
V-253953 | Medium | The Juniper EX switch must be configured to permit authorized users to remotely view, in real time, all content related to an established user session from a component separate from the layer 2 switch.
V-253952 | Medium | The Juniper EX switch must be configured to permit authorized users to select a user session to capture.
V-253951 | Medium | The Juniper EX switch must be configured to manage excess bandwidth to limit the effects of packet flooding types of denial of service (DoS) attacks.
V-253950 | Medium | The Juniper layer 2 switch must be configured to disable all dynamic VLAN registration protocols.
V-253962 | Low | The Juniper EX switch must be configured to enable Storm Control on all host-facing access interfaces.
V-253963 | Low | The Juniper EX switch must be configured to enable IGMP or MLD Snooping on all VLANs.
V-253955 | Low | The Juniper EX switch must be configured to enable Root Protection on all interfaces connecting to access layer switches and hosts.
V-253972 | Low | The Juniper EX switch must not have any access interfaces assigned to a VLAN configured as native for any trunked interface.
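As an added example (not part of the UCF STIG Viewer page and not the STIG's own check procedures), the script below reads a Junos EX "show configuration | display set" dump and reports which of the configuration-visible findings above are open: DHCP snooping, DAI and IP Source Guard on user VLANs (V-253959, V-253961, V-253960), BPDU protection and storm control on access ports (V-253956, V-253962), default-VLAN pruning and native-VLAN hygiene on trunks (V-253968, V-253971, V-253972), and the absence of MVRP (V-253950). The configuration it audits is constructed for the example; ELS-style Junos statement names (vlans ... forwarding-options dhcp-security, storm-control-profiles, protocols rstp bpdu-block-on-edge, native-vlan-id under the physical interface) are assumed, and each pass/fail rule is this example's reading of the finding title rather than the STIG's check text.

```python
"""Added example: audit a Junos EX 'show configuration | display set' dump
against some of the layer-2 findings in this STIG.  The config below is
constructed for the example (ELS-style Junos syntax is assumed), and the
per-finding logic is this example's own reading of the finding titles, not
the STIG's official check text."""
from collections import defaultdict

SAMPLE_CONFIG = """\
set vlans users vlan-id 10
set vlans users forwarding-options dhcp-security arp-inspection
set vlans users forwarding-options dhcp-security ip-source-guard
set vlans users forwarding-options dhcp-security group uplinks overrides trusted
set vlans users forwarding-options dhcp-security group uplinks interface ge-0/0/47.0
set vlans servers vlan-id 20
set vlans unused vlan-id 999
set forwarding-options storm-control-profiles sc-default all bandwidth-percentage 80
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members users
set interfaces ge-0/0/1 unit 0 family ethernet-switching storm-control sc-default
set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members servers
set interfaces ge-0/0/47 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/47 unit 0 family ethernet-switching vlan members users
set interfaces ge-0/0/47 unit 0 family ethernet-switching vlan members servers
set interfaces ge-0/0/47 unit 0 family ethernet-switching vlan members default
set interfaces ge-0/0/47 native-vlan-id 999
set protocols rstp interface ge-0/0/1 edge
set protocols rstp bpdu-block-on-edge
set protocols mvrp interface ge-0/0/47
"""


def parse(config_text):
    """Split a 'display set' dump into token lists, dropping the leading 'set'."""
    return [line.split()[1:] for line in config_text.splitlines()
            if line.strip().startswith("set ")]


def l2_interfaces(stmts):
    """Map logical interface -> mode, VLAN members and storm-control presence.
    ELS treats a family ethernet-switching interface with no interface-mode as access."""
    ifaces = defaultdict(lambda: {"mode": "access", "vlans": set(), "storm": False})
    for t in stmts:
        if len(t) > 6 and t[0] == "interfaces" and t[2] == "unit" \
                and t[4:6] == ["family", "ethernet-switching"]:
            entry, rest = ifaces[f"{t[1]}.{t[3]}"], t[6:]
            if rest[0] == "interface-mode":
                entry["mode"] = rest[1]
            elif rest[:2] == ["vlan", "members"]:
                entry["vlans"].add(rest[2])
            elif rest[0] == "storm-control":
                entry["storm"] = True
    return ifaces


def audit(config_text):
    """Return {finding_id: [offending VLAN or interface, ...]} for the checks below."""
    stmts = parse(config_text)
    has = lambda *prefix: any(t[:len(prefix)] == list(prefix) for t in stmts)
    ifaces = l2_interfaces(stmts)
    access = {n: i for n, i in ifaces.items() if i["mode"] == "access"}
    trunks = {n: i for n, i in ifaces.items() if i["mode"] == "trunk"}
    findings = defaultdict(list)

    # V-253959/61/60: every VLAN carrying an access port needs DHCP snooping
    # (dhcp-security under the VLAN), DAI and IP Source Guard.
    for v in sorted(set().union(*(i["vlans"] for i in access.values()))):
        base = ("vlans", v, "forwarding-options", "dhcp-security")
        if not has(*base):
            findings["V-253959"].append(v)
        if not has(*base, "arp-inspection"):
            findings["V-253961"].append(v)
        if not has(*base, "ip-source-guard"):
            findings["V-253960"].append(v)

    # V-253956: BPDU protection on access ports, either a layer2-control
    # bpdu-block entry or an RSTP edge port with bpdu-block-on-edge set.
    # V-253962: a storm-control profile bound to every access port.
    edge_block = has("protocols", "rstp", "bpdu-block-on-edge")
    for name, i in sorted(access.items()):
        ifd = name.split(".")[0]
        if not (has("protocols", "layer2-control", "bpdu-block", "interface", ifd)
                or (edge_block and has("protocols", "rstp", "interface", ifd, "edge"))):
            findings["V-253956"].append(name)
        if not i["storm"]:
            findings["V-253962"].append(name)

    # V-253968: default VLAN pruned from trunks.  V-253971/72: a trunk's
    # native VLAN, if set, is neither VLAN 1 nor a VLAN that access ports use.
    vlan_ids = {t[1]: t[3] for t in stmts if t[0] == "vlans" and t[2:3] == ["vlan-id"]}
    access_ids = {vlan_ids.get(v, v) for i in access.values() for v in i["vlans"]}
    for name, i in sorted(trunks.items()):
        ifd = name.split(".")[0]
        if "default" in i["vlans"]:
            findings["V-253968"].append(name)
        for t in stmts:
            if t[:3] == ["interfaces", ifd, "native-vlan-id"]:
                if t[3] == "1":
                    findings["V-253971"].append(name)
                if t[3] in access_ids:
                    findings["V-253972"].append(name)

    # V-253950: no dynamic VLAN registration protocol (MVRP) configured.
    if has("protocols", "mvrp"):
        findings["V-253950"].append("protocols mvrp")
    return dict(findings)


if __name__ == "__main__":
    for fid, items in sorted(audit(SAMPLE_CONFIG).items()):
        print(f"{fid}: open on {', '.join(items)}")
```

On the constructed input the servers VLAN has no dhcp-security stanza (three open findings), ge-0/0/2.0 lacks both BPDU protection and storm control, the trunk still carries the default VLAN, and MVRP is configured; the native VLAN 999 passes because no access port uses it. Findings that depend on design intent (which VLAN carries management, whether STP spans redundant links, what counts as a non-essential service) are deliberately not scored here.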