UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The Juniper perimeter router must be configured to not be a Border Gateway Protocol (BGP) peer to an alternate gateway service provider.


Overview

Finding ID Version Rule ID IA Controls Severity
V-90853 JUNI-RT-000290 SV-101063r1_rule High
Description
ISPs use BGP to share route information with other autonomous systems (i.e. other ISPs and corporate networks). If the perimeter router was configured to BGP peer with an ISP, NIPRNet routes could be advertised to the ISP; thereby creating a backdoor connection from the Internet to the NIPRNet.
STIG Date
Juniper Router RTR Security Technical Implementation Guide 2018-11-15

Details

Check Text ( C-90117r2_chk )
This requirement is not applicable for the DoDIN Backbone.

Review the protocols hierarchy in the router configuration (see example below) and verify there are no BGP neighbors configured to a peer AS that belongs to the alternate gateway service provider.

protocols {
bgp {
group AS_2 {
type external;
peer-as 2;
neighbor x.x.x.x {
authentication-algorithm hmac-sha-1-96;
authentication-key-chain BGP_KEY;
}
neighbor x.x.x.x {
authentication-algorithm hmac-sha-1-96;
authentication-key-chain BGP_KEY;
}
}
}

If there are BGP neighbors connecting to a peer AS of the alternate gateway service provider, this is a finding.
Fix Text (F-97161r2_fix)
This requirement is not applicable for the DoDIN Backbone.

Configure a static route on the perimeter router to reach the AS of a router connecting to an alternate gateway as shown in the example below.

[edit routing-options]
set static route 0.0.0.0/0 next-hop x.x.x.x