Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-254031 | JUEX-RT-000590 | SV-254031r997533_rule | Medium |
Description |
---|
The Routing Engine (RE) is critical to all network operations because it is the component used to build all forwarding paths for the data plane via control plane processes. It is also instrumental with ongoing network management functions that keep the routers and links available for providing network services. Any disruption to the RE or the control and management planes can result in mission-critical network outages. A DoS attack targeting the RE can result in excessive CPU and memory utilization. To maintain network stability and RE security, the router must be able to handle specific control plane and management plane traffic that is destined to the RE. In the past, one method of filtering was to use ingress filters on forwarding interfaces to filter both forwarding path and receiving path traffic. However, this method does not scale well as the number of interfaces grows and the size of the ingress filters grows. Control plane policing increases the security of routers and multilayer switches by protecting the RE from unnecessary or malicious traffic. Filtering and rate limiting the traffic flow of control plane packets can be implemented to protect routers against reconnaissance and DoS attacks, allowing the control plane to maintain packet forwarding and protocol states despite an attack or heavy load on the router or multilayer switch. |
STIG | Date |
---|---|
Juniper EX Series Switches Router Security Technical Implementation Guide | 2024-06-10 |
Check Text ( C-57483r844124_chk ) |
---|
Determine whether control plane protection has been implemented on the device by verifying traffic types have been classified based on importance levels and a policy has been configured to filter and rate limit the traffic according to each class. Verify firewall filters include policers (rate limiting) based upon importance levels. Although the policer names shown in the example are the bandwidth limit, any legal name can be used. [edit firewall] family inet { filter term accept-tcp-initial { from { source-prefix-list { management-networks-ipv4; } destination-prefix-list { router-addresses-ipv4; } protocol tcp; destination-port ssh; tcp-initial; } then { policer policer-32k; << Lower rate for connection attempts to help prevent SYN flood attacks. accept; } } term accept-ssh { from { source-prefix-list { management-networks-ipv4; } destination-prefix-list { router-addresses-ipv4; } protocol tcp; destination-port ssh; } then { policer policer-1g; << Higher rate after connection establishment for remote management and/or secure file transfer. accept; } } term accept-snmp { from { source-prefix-list { snmp-servers-ipv4; } destination-prefix-list { router-addresses-ipv4; } protocol udp; destination-port snmp; } then { policer policer-1m; accept; } } term default-deny { then { log; syslog; discard; } } } } family inet6 { filter term accept-tcp-initial { from { source-prefix-list { management-networks-ipv6; } destination-prefix-list { router-addresses-ipv6; } next-header tcp; destination-port ssh; tcp-initial; } then { policer policer-32k; << Lower rate for connection attempts to help prevent SYN flood attacks. accept; } } term accept-ssh { from { source-prefix-list { management-networks-ipv6; } destination-prefix-list { router-addresses-ipv6; } next-header tcp; destination-port ssh; } then { policer policer-1g; << Higher rate after connection establishment for remote management. accept; } } term accept-snmp { from { source-prefix-list { snmp-servers-ipv6; } destination-prefix-list { router-addresses-ipv6; } next-header udp; destination-port snmp; } then { policer policer-1m; accept; } } term default-deny { then { log; syslog; discard; } } } } Note: Verify the applied filter has terms for all permitted traffic (e.g., OSPF, BGP, etc.). policer policer-1g { if-exceeding { bandwidth-limit 1g; burst-size-limit 100k; } then discard; } policer policer-1m { if-exceeding { bandwidth-limit 1m; burst-size-limit 15k; } then discard; } policer policer-32k { if-exceeding { bandwidth-limit 32k; burst-size-limit 1500; } then discard; } [edit interfaces] lo0 { unit family inet { filter { input } address } family inet6 { filter { input } address } } } Note: Some Juniper devices support both monolithic filters and filter lists. Filter lists separate each term, or set of terms, into a separate filter that is applied sequentially to an interface. If using filter lists, the keywords "input" or "output" change to "input-list" or "output-list". Verify the final list item is a deny-all filter. The deny-all filter is created once per family and can be reused across multiple lists. For example: input-list [ permit_mgt permit_routing_protocols default-deny ]; If the router does not have control plane protection implemented, this is a finding. |
Fix Text (F-57434r844125_fix) |
---|
Implement control plane protection by classifying traffic types based on importance and configure filters to restrict and rate limit the traffic directed to and processed by the RE according to each class. set firewall family inet filter set firewall family inet filter set firewall family inet filter set firewall family inet filter set firewall family inet filter set firewall family inet filter set firewall family inet filter set firewall family inet filter set firewall family inet filter set firewall family inet filter set firewall family inet filter set firewall family inet filter set firewall family inet filter set firewall family inet filter set firewall family inet filter set firewall family inet filter set firewall family inet filter set firewall family inet filter set firewall family inet filter set firewall family inet filter set firewall family inet filter set firewall family inet filter set firewall family inet filter set firewall family inet filter set firewall policer policer-1g if-exceeding bandwidth-limit 1g set firewall policer policer-1g burst-size-limit 100k set firewall policer policer-1g then discard set firewall policer policer-1m if-exceeding bandwidth-limit 1m set firewall policer policer-1m burst-size-limit 15k set firewall policer policer-1m then discard set firewall policer policer-32k if-exceeding bandwidth-limit 132k set firewall policer policer-32k burst-size-limit 1500 set firewall policer policer-32k then discard set interfaces lo0 unit set interfaces lo0 unit set interfaces lo0 unit set interfaces lo0 unit |