Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-253977 | JUEX-RT-000050 | SV-253977r843964_rule | | Medium |
Description |
---|
Advertisement of routes by an AS for networks that do not belong to any of its customers pulls traffic away from the authorized network. This causes a denial of service (DoS) on the network that allocated the block of addresses and may cause a DoS on the network that is inadvertently advertising it as the originator. It is also possible that a misconfigured or compromised router within the GIG IP core could redistribute IGP routes into BGP, thereby leaking internal routes. |
STIG | Date |
---|---|
Juniper EX Series Switches Router Security Technical Implementation Guide | 2023-03-23 |
Check Text ( C-57429r843962_chk ) |
---|

This requirement is not applicable for the DODIN Backbone.

Review the BGP router configuration to verify there is a filter defined to only advertise routes for prefixes belonging to any customer or the local AS. Example route-filter-list of customer addresses with corresponding policy-statement referencing the list:

```
[edit policy-options]
route-filter-list customer1-routes {
}
route-filter-list customer1-routes-ipv6 {
}
policy-statement bgp-advertise-cust-routes {
    term 1 {
        from {
            route-filter-list customer1-routes;
            route-filter-list customer1-routes-ipv6;
        }
        then accept;
    }
    term default {
        then reject;
    }
}
```

Note: The example shows using route-filter-lists to ease management. The policy-statement also supports the route directly in the match condition. For example, "route-filter

The prefix filter must be referenced outbound on the appropriate BGP neighbor statements. Verify the eBGP export statement prevents Junos from exporting routes from the route table into BGP. Junos accepts export statements at three hierarchy levels: global protocol, group, and neighbor (peer). Global is the most general, followed by group, and neighbor is the most restrictive. Junos applies only the most restrictive policy, so if a policy is configured at the protocol, group, and neighbor level, only the neighbor policy is applied.

```
[edit protocols bgp]
group eBGP {
    export bgp-advertise-cust-routes;
    neighbor {
        export bgp-advertise-cust-routes;
    }
}
export bgp-advertise-cust-routes;
```

If the router is not configured to reject outbound route advertisements that do not belong to any customers or the local AS, this is a finding.
Fix Text (F-57380r843963_fix) |
---|

Configure all eBGP routers to filter outbound route advertisements for prefixes that are not allocated to or belong to any customer or the local AS.

```
set policy-options route-filter-list customer1-routes
set policy-options route-filter-list customer1-routes
set policy-options route-filter-list customer1-routes-ipv6
set policy-options route-filter-list customer1-routes-ipv6
set policy-options policy-statement bgp-advertise-cust-routes term 1 from route-filter-list customer1-routes
set policy-options policy-statement bgp-advertise-cust-routes term 1 from route-filter-list customer1-routes-ipv6
set policy-options policy-statement bgp-advertise-cust-routes term 1 then accept
set policy-options policy-statement bgp-advertise-cust-routes term default then reject
set protocols bgp group eBGP export bgp-advertise-cust-routes
set protocols bgp group eBGP neighbor export bgp-advertise-cust-routes
set protocols bgp export bgp-advertise-cust-routes
```
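The check text and fix text above describe two things an auditor has to verify by hand: that the export policy accepts only route-filter matches and ends in a reject, and that the policy actually takes effect on each peer given the Junos rule that the most specific export statement (neighbor, then group, then global) is the only one applied. The following script is an added example, not part of the STIG or of Junos, that automates both checks against a set-format configuration such as the one produced by the fix text. Everything in `SAMPLE_CONFIG` is constructed: the prefixes and peer addresses are RFC 5737 and RFC 3849 documentation ranges standing in for the customer prefixes the STIG leaves unspecified, `type external` is assumed as the marker for eBGP groups, and `export-all` is a hypothetical permissive policy included to show how a neighbor-level export silently overrides a correct group-level one.

```python
"""Offline check for the JUEX-RT-000050 condition on a Junos set-format config.

Added example, not part of the STIG: it parses the policy-options and
protocols bgp statements the check text describes and verifies that every
neighbor in an external group ends up with an export policy that accepts
only route-filter matches and rejects by default, applying the Junos rule
that the most specific export statement (neighbor > group > global) wins.
"""
from collections import defaultdict

# Constructed sample configuration. Prefixes and peer addresses are documentation
# ranges; "export-all" is a hypothetical permissive policy used to demonstrate a
# neighbor-level export overriding the correct group-level policy.
SAMPLE_CONFIG = """
set policy-options route-filter-list customer1-routes 192.0.2.0/24 exact
set policy-options route-filter-list customer1-routes 198.51.100.0/24 orlonger
set policy-options route-filter-list customer1-routes-ipv6 2001:db8:1::/48 exact
set policy-options policy-statement bgp-advertise-cust-routes term 1 from route-filter-list customer1-routes
set policy-options policy-statement bgp-advertise-cust-routes term 1 from route-filter-list customer1-routes-ipv6
set policy-options policy-statement bgp-advertise-cust-routes term 1 then accept
set policy-options policy-statement bgp-advertise-cust-routes term default then reject
set policy-options policy-statement export-all term 1 then accept
set protocols bgp export bgp-advertise-cust-routes
set protocols bgp group eBGP type external
set protocols bgp group eBGP export bgp-advertise-cust-routes
set protocols bgp group eBGP neighbor 203.0.113.1 export bgp-advertise-cust-routes
set protocols bgp group eBGP neighbor 203.0.113.2 export export-all
set protocols bgp group eBGP neighbor 203.0.113.3
"""


def parse(config_text):
    """Collect route-filter-lists, policy-statement terms and BGP export statements."""
    cfg = {
        "lists": defaultdict(list),   # list name -> prefix entries
        "terms": defaultdict(dict),   # policy -> term -> {"from": [...], "then": ...}
        "global_export": None,
        "groups": defaultdict(lambda: {"type": None, "export": None, "neighbors": {}}),
    }
    for raw in config_text.splitlines():
        tok = raw.split()
        if tok[:1] != ["set"]:
            continue
        if tok[1:3] == ["policy-options", "route-filter-list"]:
            if len(tok) > 4:  # an entry with no prefix (as on the STIG page) is not a match
                cfg["lists"][tok[3]].append(" ".join(tok[4:]))
        elif tok[1:3] == ["policy-options", "policy-statement"] and tok[4] == "term":
            term = cfg["terms"][tok[3]].setdefault(tok[5], {"from": []})  # dict keeps term order
            if tok[6] == "from":
                term["from"].append(" ".join(tok[7:]))
            elif tok[6] == "then":
                term["then"] = tok[7]
        elif tok[1:3] == ["protocols", "bgp"]:
            if tok[3] == "export":
                cfg["global_export"] = tok[4]
            elif tok[3] == "group":
                group, rest = cfg["groups"][tok[4]], tok[5:]
                if rest[:1] == ["type"]:
                    group["type"] = rest[1]
                elif rest[:1] == ["export"]:
                    group["export"] = rest[1]
                elif rest[:1] == ["neighbor"]:
                    nbr = group["neighbors"].setdefault(rest[1], {"export": None})
                    if rest[2:3] == ["export"]:
                        nbr["export"] = rest[3]
    return cfg


def effective_export(cfg, group, neighbor):
    """Junos applies only the most specific export policy: neighbor, else group, else global."""
    grp = cfg["groups"][group]
    return grp["neighbors"].get(neighbor, {}).get("export") or grp["export"] or cfg["global_export"]


def policy_is_prefix_filter(cfg, policy):
    """True when every accepting term matches a non-empty route-filter(-list) and the last term rejects."""
    terms = cfg["terms"].get(policy)
    if not terms:
        return False
    for term in terms.values():
        matches = [m.partition(" ") for m in term["from"]]
        if term.get("then") == "accept":
            if not any(kind in ("route-filter", "route-filter-list") for kind, _, _ in matches):
                return False  # accepts without a prefix match: leaks non-customer routes
            if any(kind == "route-filter-list" and not cfg["lists"].get(name) for kind, _, name in matches):
                return False  # referenced list is empty or undefined
    return list(terms.values())[-1].get("then") == "reject"


def check_ebgp_export(config_text):
    """Return (group, neighbor, reason) for each external-group neighbor that fails the check."""
    cfg = parse(config_text)
    findings = []
    for name, grp in cfg["groups"].items():
        if grp["type"] != "external":
            continue
        for neighbor in grp["neighbors"]:
            policy = effective_export(cfg, name, neighbor)
            if policy is None:
                findings.append((name, neighbor, "no export policy at neighbor, group or global level"))
            elif not policy_is_prefix_filter(cfg, policy):
                findings.append((name, neighbor, f"effective export policy '{policy}' is not a default-reject prefix filter"))
    return findings


if __name__ == "__main__":
    for group, neighbor, reason in check_ebgp_export(SAMPLE_CONFIG):
        print(f"FINDING: group {group} neighbor {neighbor}: {reason}")
```

Run against the sample, the script reports only neighbor 203.0.113.2: its neighbor-level `export export-all` replaces the group's `bgp-advertise-cust-routes` entirely rather than being combined with it, which is exactly the precedence behaviour the check text warns about. Neighbor 203.0.113.3, which has no export of its own, inherits the group policy and passes. The parser only understands the statement forms shown in this STIG; on a real device the same logic would be fed the output of `show configuration | display set`.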