The Juniper EX switch must be configured to manage excess bandwidth to limit the effects of packet flooding types of denial of service (DoS) attacks.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-253951	JUEX-L2-000040	SV-253951r843886_rule		Medium

Description
Denial of service is a condition when a resource is not available for legitimate users. Packet flooding DDoS attacks are referred to as volumetric attacks and have the objective of overloading a network or circuit to deny or seriously degrade performance, which denies access to the services that normally traverse the network or circuit. Volumetric attacks have become relatively easy to launch by using readily available tools such as Low Orbit Ion Cannon or by using botnets. Measures to mitigate the effects of a successful volumetric attack must be taken to ensure that sufficient capacity is available for mission-critical traffic. Managing capacity may include, for example, establishing selected network usage priorities or quotas and enforcing them using rate limiting, quality of service (QoS), or other resource reservation control methods. These measures may also mitigate the effects of sudden decreases in network capacity that are the result of accidental or intentional physical damage to telecommunications facilities (such as cable cuts or weather-related outages).

Description

Denial of service is a condition when a resource is not available for legitimate users. Packet flooding DDoS attacks are referred to as volumetric attacks and have the objective of overloading a network or circuit to deny or seriously degrade performance, which denies access to the services that normally traverse the network or circuit. Volumetric attacks have become relatively easy to launch by using readily available tools such as Low Orbit Ion Cannon or by using botnets. Measures to mitigate the effects of a successful volumetric attack must be taken to ensure that sufficient capacity is available for mission-critical traffic. Managing capacity may include, for example, establishing selected network usage priorities or quotas and enforcing them using rate limiting, quality of service (QoS), or other resource reservation control methods. These measures may also mitigate the effects of sudden decreases in network capacity that are the result of accidental or intentional physical damage to telecommunications facilities (such as cable cuts or weather-related outages).

STIG	Date
Juniper EX Series Switches Layer 2 Switch Security Technical Implementation Guide	2022-08-31

Details

Check Text ( C-57403r843884_chk )
Review the switch configuration to verify that QoS has been enabled to ensure that sufficient capacity is available for mission-critical traffic such as voice and enforce the traffic priorities specified by the Combatant Commanders/Services/Agencies. By default, Junos implements a standard Class-of-Service (CoS) strategy. Although some devices implement different queues or queue numbers, generally there is at least a four-queue model with two active queues: 95 percent Best Effort (BE) and 5 percent Network Control (NC). Verify at least a third queue (Voice) is active with an appropriate bandwidth allocation. Verify Voice over Internet Protocol (VoIP) phones are connected to VoIP interfaces and there is a separate VoIP Virtual Local Area Network (VLAN). For example, assume 20 percent VoIP traffic on "voip" VLAN 119 and normal production traffic is on "data" VLAN 150. VoIP traffic will use Expedited-Forwarding (EF) and Differentiated Services Codepoint (DSCP) values 44 (101110) and 36 (100100). Verify the VoIP VLAN is available. [edit vlans] data { vlan-id 150; } voip { vlan-id 119; } Verify the interfaces with connected VoIP phones are configured. [edit interfaces] { unit { family ethernet-switching { vlan { members data; } } } } [edit switch-options] voip { interface . { vlan voip; forwarding-class (expedited-forwarding\|assured-forwarding); } } Note: The example forwarding class (FC) names (EF and AF spelled out above) are generally available on all switches. To use a custom FC name (e.g., "voip"), the default CoS must be modified. The only requirement is that the assigned FC must be available under [edit class-of-service]. Verify the CoS strategy includes support for the assigned VoIP VLAN. From the configured interface example above, assume "expedited-forwarding" using DSCP values 44 (101110) and 36 (100100) are used for VoIP traffic. Traffic must be classified (placed into forwarding classes / queues) on ingress and scheduled (shaped) on egress. [edit class-of-service] classifiers { dscp voip-classifier { import default; forwarding-class expedited-forwarding { loss-priority low code-points [ 101110 100100 ]; } } } interfaces { { scheduler-map voip-map; unit { classifiers { dscp voip-classifier; } } } { scheduler-map voip-map; unit { classifiers { dscp voip-classifier; } } } scheduler-maps { voip-map { forwarding-class best-effort scheduler be-scheduler; forwarding-class expedited-forwarding scheduler ef-scheduler; forwarding-class network-control scheduler nc-scheduler; } } schedulers { be-scheduler { transmit-rate { remainder; } priority low; } ef-scheduler { shaping-rate percent 20; priority strict-high; } nc-scheduler { shaping-rate percent 5; priority strict-high; } } Note: The example CoS names, scheduler rates, and DSCP values must not be considered requirements. The names, rates, and values must be appropriately configured for the target environment. If the switch is not configured to implement a QoS policy, this is a finding.

Check Text ( C-57403r843884_chk )

Review the switch configuration to verify that QoS has been enabled to ensure that sufficient capacity is available for mission-critical traffic such as voice and enforce the traffic priorities specified by the Combatant Commanders/Services/Agencies.

By default, Junos implements a standard Class-of-Service (CoS) strategy. Although some devices implement different queues or queue numbers, generally there is at least a four-queue model with two active queues: 95 percent Best Effort (BE) and 5 percent Network Control (NC). Verify at least a third queue (Voice) is active with an appropriate bandwidth allocation. Verify Voice over Internet Protocol (VoIP) phones are connected to VoIP interfaces and there is a separate VoIP Virtual Local Area Network (VLAN).

For example, assume 20 percent VoIP traffic on "voip" VLAN 119 and normal production traffic is on "data" VLAN 150. VoIP traffic will use Expedited-Forwarding (EF) and Differentiated Services Codepoint (DSCP) values 44 (101110) and 36 (100100).

Verify the VoIP VLAN is available.
[edit vlans]
data {
vlan-id 150;
}
voip {
vlan-id 119;
}

Verify the interfaces with connected VoIP phones are configured.
[edit interfaces]
{
unit {
family ethernet-switching {
vlan {
members data;
}
}
}
}
[edit switch-options]
voip {
interface . {
vlan voip;
forwarding-class (expedited-forwarding|assured-forwarding);
}
}
Note: The example forwarding class (FC) names (EF and AF spelled out above) are generally available on all switches. To use a custom FC name (e.g., "voip"), the default CoS must be modified. The only requirement is that the assigned FC must be available under [edit class-of-service].

Verify the CoS strategy includes support for the assigned VoIP VLAN. From the configured interface example above, assume "expedited-forwarding" using DSCP values 44 (101110) and 36 (100100) are used for VoIP traffic. Traffic must be classified (placed into forwarding classes / queues) on ingress and scheduled (shaped) on egress.
[edit class-of-service]
classifiers {
dscp voip-classifier {
import default;
forwarding-class expedited-forwarding {
loss-priority low code-points [ 101110 100100 ];
}
}
}
interfaces {
{
scheduler-map voip-map;
unit {
classifiers {
dscp voip-classifier;
}
}
}
{
scheduler-map voip-map;
unit {
classifiers {
dscp voip-classifier;
}
}
}
scheduler-maps {
voip-map {
forwarding-class best-effort scheduler be-scheduler;
forwarding-class expedited-forwarding scheduler ef-scheduler;
forwarding-class network-control scheduler nc-scheduler;
}
}
schedulers {
be-scheduler {
transmit-rate {
remainder;
}
priority low;
}
ef-scheduler {
shaping-rate percent 20;
priority strict-high;
}
nc-scheduler {
shaping-rate percent 5;
priority strict-high;
}
}
Note: The example CoS names, scheduler rates, and DSCP values must not be considered requirements. The names, rates, and values must be appropriately configured for the target environment.

If the switch is not configured to implement a QoS policy, this is a finding.

Fix Text (F-57354r843885_fix)
Implement a QoS policy for traffic prioritization and bandwidth reservation. This policy must enforce the traffic priorities specified by the Combatant Commanders/Services/Agencies. Configure the VLANs: set vlans vlan-id set vlans vlan-id Configure the VoIP interface(s): set interfaces unit 0 family ethernet-switching interface-mode access set interfaces unit 0 family ethernet-switching vlan members set switch-options voip interface .0 vlan set switch-options voip interface .0 forwarding-class Configure CoS: set class-of-service classifiers dscp import default set class-of-service classifiers dscp forwarding-class loss-priority low code-points set class-of-service classifiers dscp forwarding-class loss-priority low code-points (optional - only if multiple DSCP values are used) set class-of-service interfaces scheduler-map set class-of-service interfaces unit 0 classifiers dscp set class-of-service interfaces scheduler-map set class-of-service interfaces unit 0 classifiers dscp set class-of-service scheduler-maps forwarding-class best-effort scheduler (e.g. be-scheduler) set class-of-service scheduler-maps forwarding-class scheduler (e.g. ef-scheduler) set class-of-service scheduler-maps forwarding-class network-control scheduler (e.g. nc-scheduler) set class-of-service schedulers transmit-rate (exact \| percent (0..100) \| remainder) set class-of-service schedulers priority (high \| low \| medium-high \| medium-low \| strict-high) set class-of-service schedulers shaping-rate percent (0..100) set class-of-service schedulers priority (high \| low \| medium-high \| medium-low \| strict-high) set class-of-service schedulers shaping-rate percent (0..100) set class-of-service schedulers priority (high \| low \| medium-high \| medium-low \| strict-high) Note: The classifier method (ToS bit, DSCP marking, etc.) and values, interfaces, priorities, and rates must be appropriate for the target environment.

Fix Text (F-57354r843885_fix)

Implement a QoS policy for traffic prioritization and bandwidth reservation. This policy must enforce the traffic priorities specified by the Combatant Commanders/Services/Agencies.

Configure the VLANs:
set vlans vlan-id
set vlans vlan-id

Configure the VoIP interface(s):
set interfaces unit 0 family ethernet-switching interface-mode access
set interfaces unit 0 family ethernet-switching vlan members
set switch-options voip interface .0 vlan
set switch-options voip interface .0 forwarding-class

Configure CoS:
set class-of-service classifiers dscp import default
set class-of-service classifiers dscp forwarding-class loss-priority low code-points
set class-of-service classifiers dscp forwarding-class loss-priority low code-points (optional - only if multiple DSCP values are used)
set class-of-service interfaces scheduler-map
set class-of-service interfaces unit 0 classifiers dscp
set class-of-service interfaces scheduler-map
set class-of-service interfaces unit 0 classifiers dscp
set class-of-service scheduler-maps forwarding-class best-effort scheduler (e.g. be-scheduler)
set class-of-service scheduler-maps forwarding-class scheduler (e.g. ef-scheduler)
set class-of-service scheduler-maps forwarding-class network-control scheduler (e.g. nc-scheduler)
set class-of-service schedulers transmit-rate (exact | percent (0..100) | remainder)
set class-of-service schedulers priority (high | low | medium-high | medium-low | strict-high)
set class-of-service schedulers shaping-rate percent (0..100)
set class-of-service schedulers priority (high | low | medium-high | medium-low | strict-high)
set class-of-service schedulers shaping-rate percent (0..100)
set class-of-service schedulers priority (high | low | medium-high | medium-low | strict-high)

Note: The classifier method (ToS bit, DSCP marking, etc.) and values, interfaces, priorities, and rates must be appropriate for the target environment.