Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-253966 | JUEX-L2-000190 | SV-253966r843931_rule | | Medium |
Description |
---|
It is possible that a disabled access interface that is assigned to a user or management VLAN becomes enabled by accident or by an attacker and as a result gains access to that VLAN as a member. |
STIG | Date |
---|---|
Juniper EX Series Switches Layer 2 Switch Security Technical Implementation Guide | 2022-08-31 |
Check Text (C-57418r843929_chk)

Review the switch configurations and examine all access interfaces. Each access interface not in use should have membership in an inactive VLAN that is not used for any purpose and is not allowed on any trunk links.

Verify a VLAN is configured for unused interfaces:

```
[edit vlans]
vlan_disabled {
    vlan-id
}
```

Verify disabled interfaces are assigned to an unused VLAN either individually or via the "interface-range" command. Verify interfaces configured via "interface-range" are not also configured individually.

Multiple interfaces simultaneously configured via interface-range:

```
[edit interfaces]
interface-range
    member member-range
    disable;
    unit 0 {
        family ethernet-switching {
            vlan {
                members vlan_disabled;
            }
        }
    }
}
```

Individually configured:

```
[edit interfaces]
    disable;
    unit 0 {
        family ethernet-switching {
            vlan {
                members vlan_disabled;
            }
        }
    }
}
```

In this example, "vlan_disabled" is designated for all unused interfaces and must not be configured on any trunked interface. Verify the unused VLAN is NOT a member of any trunked interface as in the example below.

```
[edit interfaces]
    unit
    family {
        ethernet-switching {
            interface-mode trunk;
            vlan {
                members [ vlan_name vlan_disabled ];
            }
        }
    }
}
}
```

If there are any access interfaces not in use and not in an inactive VLAN, this is a finding.

Note: Access interfaces configured for 802.1x are exempt from this requirement.
Fix Text (F-57369r843930_fix)

Disable all access interfaces not in use and assign them to an inactive VLAN. In this example, "vlan_disabled" is the name given to the VLAN for unused interfaces. This VLAN name can be any legal name.

```
set vlans vlan_disabled vlan-id
set interfaces interface-range
set interfaces interface-range
set interfaces interface-range
set interfaces interface-range
set interfaces
set interfaces
```

Delete the unused VLAN from all trunked interfaces.

```
delete interfaces
```

Note: Switch ports configured for 802.1x are exempt from this requirement.