UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The Juniper router must be configured to enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy.


Overview

Finding ID Version Rule ID IA Controls Severity
V-253984 JUEX-RT-000120 SV-253984r843985_rule Medium
Description
Information flow control regulates authorized information to travel within a network and between interconnected networks. Controlling the flow of network traffic is critical so it does not introduce any unacceptable risk to the network infrastructure or data. An example of a flow control restriction is blocking outside traffic claiming to be from within the organization. For most routers, internal information flow control is a product of system design.
STIG Date
Juniper EX Series Switches Router Security Technical Implementation Guide 2024-06-10

Details

Check Text ( C-57436r843983_chk )
Verify each router enforces approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy.

Junos enforces information flow via stateless firewall filters and unicast Reverse Path Forwarding (uRPF). uRPF performs a forwarding table lookup to validate the incoming packet's source address is appropriate for the arriving interface. Verify uRPF is enabled on applicable interfaces. The example shows uRPF and the stateless firewall filter applied. Verify the interface and assigned addresses are appropriate for the target environment.

[edit interfaces]
{
unit {
family inet {
rpf-check;
filter {
input deny-prod-to-mgt;
}
}
family inet6 {
rpf-check;
filter {
input deny-prod-to-mgt-v6;
}
}
}
}
Note: Some Juniper devices support both monolithic filters and filter lists. Filter lists separate each term, or set of terms, into a separate filter that is applied sequentially to an interface. If using filter lists, the keywords "input" or "output" change to "input-list" or "output-list". Verify the final list item is a deny-all filter.

[edit firewall]
family inet {
filter deny-prod-to-mgt {
term 1 {
from {
source-address {
;
}
destination-address {
;
}
}
then {
log;
syslog;
discard;
}
}
term 2 {
from {
source-address {
;
}
}
then accept;
}
}
}
family inet6 {
filter deny-prod-to-mgt-v6 {
term 1 {
from {
source-address {
;
}
destination-address {
;
}
}
then {
log;
syslog;
discard;
}
}
term 2 {
from {
source-address {
;
}
}
then accept;
}
}
}

If the router does not enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy, this is a finding.
Fix Text (F-57387r843984_fix)
Configure the router to enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy.

set interfaces unit family inet rpf-check
set interfaces unit family inet filter input deny-prod-to-mgt
set interfaces unit family inet6 rpf-check
set interfaces unit family inet6 filter input deny-prod-to-mgt-v6

set firewall family inet filter deny-prod-to-mgt term 1 from source-address
set firewall family inet filter deny-prod-to-mgt term 1 from destination-address
set firewall family inet filter deny-prod-to-mgt term 1 then log
set firewall family inet filter deny-prod-to-mgt term 1 then syslog
set firewall family inet filter deny-prod-to-mgt term 1 then discard
set firewall family inet filter deny-prod-to-mgt term 2 from source-address
set firewall family inet filter deny-prod-to-mgt term 2 then accept

set firewall family inet6 filter deny-prod-to-mgt-v6 term 1 from source-address
set firewall family inet6 filter deny-prod-to-mgt-v6 term 1 from destination-address
set firewall family inet6 filter deny-prod-to-mgt-v6 term 1 then log
set firewall family inet6 filter deny-prod-to-mgt-v6 term 1 then syslog
set firewall family inet6 filter deny-prod-to-mgt-v6 term 1 then discard
set firewall family inet6 filter deny-prod-to-mgt-v6 term 2 from source-address
set firewall family inet6 filter deny-prod-to-mgt-v6 term 2 then accept