Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-90891 | JUNI-RT-000480 | SV-101101r1_rule | Medium |
Description |
---|
Accepting route advertisements for Bogon prefixes can result in the local autonomous system (AS) becoming a transit for malicious traffic as it will in turn advertise these prefixes to neighbor autonomous systems. |
STIG | Date |
---|---|
Juniper Router RTR Security Technical Implementation Guide | 2019-09-27 |
Check Text ( C-90155r2_chk ) |
---|
Review the router configuration to verify that it will reject BGP routes for any Bogon prefixes. Verify a prefix list has been configured containing the current Bogon prefixes as shown in the example below. policy-options { prefix-list BOGON_PREFIXES { 0.0.0.0/8; 10.0.0.0/8; 100.64.0.0/10; 127.0.0.0/8; 169.254.0.0/16; 172.16.0.0/12; 192.0.0.0/24; 192.0.2.0/24; 192.168.0.0/16; 198.18.0.0/15; 198.51.100.0/24; 203.0.113.0/24; 224.0.0.0/4; 240.0.0.0/4; } } Verify that a policy has been configured to reject the Bogon prefixes. policy-options { … … … policy-statement FILTER_ROUTES { term REJECT_BOGONS { from { prefix-list BOGON_PREFIXES; } then reject; } term ACCEPT_OTHERS { then accept; } } } Verify that the configured policy to filter Bogons has been applied to external BGP peers as shown in the example below. protocols { bgp { group GROUP_AS4 { type external; import FILTER_ROUTES; peer-as 4; neighbor x.x.x.x; } } If the router is not configured to reject inbound route advertisements for any Bogon prefixes, this is a finding. |
Fix Text (F-97199r2_fix) |
---|
Configure the router to reject inbound route advertisements for any Bogon prefixes. Configure a prefix list containing the current Bogon prefixes as shown below. [edit policy-options] set prefix-list BOGON_PREFIXES 0.0.0.0/8 set prefix-list BOGON_PREFIXES 10.0.0.0/8 set prefix-list BOGON_PREFIXES 100.64.0.0/10 set prefix-list BOGON_PREFIXES 127.0.0.0/8 set prefix-list BOGON_PREFIXES 169.254.0.0/16 set prefix-list BOGON_PREFIXES 172.16.0.0/12 set prefix-list BOGON_PREFIXES 192.0.0.0/24 set prefix-list BOGON_PREFIXES 192.0.2.0/24 set prefix-list BOGON_PREFIXES 192.168.0.0/16 set prefix-list BOGON_PREFIXES 198.18.0.0/15 set prefix-list BOGON_PREFIXES 198.51.100.0/24 set prefix-list BOGON_PREFIXES 203.0.113.0/24 set prefix-list BOGON_PREFIXES 224.0.0.0/4 set prefix-list BOGON_PREFIXES 240.0.0.0/4 Configure a policy-statement to reject Bogon prefixes. set policy-statement FILTER_ROUTES term REJECT_BOGONS from prefix-list BOGON_PREFIXES set policy-statement FILTER_ROUTES term REJECT_BOGONS then reject set policy-statement FILTER_ROUTES term ACCEPT_OTHER then accept Configure an import statement referencing the policy to reject Bogons on all external BGP peers. [edit protocols bgp group GROUP_AS4] set import FILTER_ROUTES |