Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-253951 | JUEX-L2-000040 | SV-253951r843886_rule | Medium |
Description |
---|
Denial of service is a condition when a resource is not available for legitimate users. Packet flooding DDoS attacks are referred to as volumetric attacks and have the objective of overloading a network or circuit to deny or seriously degrade performance, which denies access to the services that normally traverse the network or circuit. Volumetric attacks have become relatively easy to launch by using readily available tools such as Low Orbit Ion Cannon or by using botnets. Measures to mitigate the effects of a successful volumetric attack must be taken to ensure that sufficient capacity is available for mission-critical traffic. Managing capacity may include, for example, establishing selected network usage priorities or quotas and enforcing them using rate limiting, quality of service (QoS), or other resource reservation control methods. These measures may also mitigate the effects of sudden decreases in network capacity that are the result of accidental or intentional physical damage to telecommunications facilities (such as cable cuts or weather-related outages). |
STIG | Date |
---|---|
Juniper EX Series Switches Layer 2 Switch Security Technical Implementation Guide | 2022-08-31 |
Check Text ( C-57403r843884_chk ) |
---|
Review the switch configuration to verify that QoS has been enabled to ensure that sufficient capacity is available for mission-critical traffic such as voice and enforce the traffic priorities specified by the Combatant Commanders/Services/Agencies. By default, Junos implements a standard Class-of-Service (CoS) strategy. Although some devices implement different queues or queue numbers, generally there is at least a four-queue model with two active queues: 95 percent Best Effort (BE) and 5 percent Network Control (NC). Verify at least a third queue (Voice) is active with an appropriate bandwidth allocation. Verify Voice over Internet Protocol (VoIP) phones are connected to VoIP interfaces and there is a separate VoIP Virtual Local Area Network (VLAN). For example, assume 20 percent VoIP traffic on "voip" VLAN 119 and normal production traffic is on "data" VLAN 150. VoIP traffic will use Expedited-Forwarding (EF) and Differentiated Services Codepoint (DSCP) values 44 (101110) and 36 (100100). Verify the VoIP VLAN is available. [edit vlans] data { vlan-id 150; } voip { vlan-id 119; } Verify the interfaces with connected VoIP phones are configured. [edit interfaces] unit family ethernet-switching { vlan { members data; } } } } [edit switch-options] voip { interface vlan voip; forwarding-class (expedited-forwarding|assured-forwarding); } } Note: The example forwarding class (FC) names (EF and AF spelled out above) are generally available on all switches. To use a custom FC name (e.g., "voip"), the default CoS must be modified. The only requirement is that the assigned FC must be available under [edit class-of-service]. Verify the CoS strategy includes support for the assigned VoIP VLAN. From the configured interface example above, assume "expedited-forwarding" using DSCP values 44 (101110) and 36 (100100) are used for VoIP traffic. Traffic must be classified (placed into forwarding classes / queues) on ingress and scheduled (shaped) on egress. [edit class-of-service] classifiers { dscp voip-classifier { import default; forwarding-class expedited-forwarding { loss-priority low code-points [ 101110 100100 ]; } } } interfaces { scheduler-map voip-map; unit classifiers { dscp voip-classifier; } } } scheduler-map voip-map; unit classifiers { dscp voip-classifier; } } } scheduler-maps { voip-map { forwarding-class best-effort scheduler be-scheduler; forwarding-class expedited-forwarding scheduler ef-scheduler; forwarding-class network-control scheduler nc-scheduler; } } schedulers { be-scheduler { transmit-rate { remainder; } priority low; } ef-scheduler { shaping-rate percent 20; priority strict-high; } nc-scheduler { shaping-rate percent 5; priority strict-high; } } Note: The example CoS names, scheduler rates, and DSCP values must not be considered requirements. The names, rates, and values must be appropriately configured for the target environment. If the switch is not configured to implement a QoS policy, this is a finding. |
Fix Text (F-57354r843885_fix) |
---|
Implement a QoS policy for traffic prioritization and bandwidth reservation. This policy must enforce the traffic priorities specified by the Combatant Commanders/Services/Agencies. Configure the VLANs: set vlans vlan-id set vlans Configure the VoIP interface(s): set interfaces set interfaces set switch-options voip interface set switch-options voip interface Configure CoS: set class-of-service classifiers dscp set class-of-service classifiers dscp set class-of-service classifiers dscp set class-of-service interfaces set class-of-service interfaces set class-of-service interfaces set class-of-service interfaces set class-of-service scheduler-maps set class-of-service scheduler-maps set class-of-service scheduler-maps set class-of-service schedulers set class-of-service schedulers set class-of-service schedulers set class-of-service schedulers set class-of-service schedulers set class-of-service schedulers Note: The classifier method (ToS bit, DSCP marking, etc.) and values, interfaces, priorities, and rates must be appropriate for the target environment. |