UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The Juniper out-of-band management (OOBM) gateway router must be configured to forward only authorized management traffic to the Network Operations Center (NOC).


Overview

Finding ID Version Rule ID IA Controls Severity
V-217045 JUNI-RT-000400 SV-217045r604135_rule Medium
Description
The OOBM network is an IP network used exclusively for the transport of OAM&P data from the network being managed to the OSS components located at the NOC. Its design provides connectivity to each managed network device, enabling network management traffic to flow between the managed network elements and the NOC. This allows the use of paths separate from those used by the managed network.
STIG Date
Juniper Router RTR Security Technical Implementation Guide 2022-06-07

Details

Check Text ( C-18274r297003_chk )
This requirement is not applicable for the DoDIN Backbone.

Review the network topology diagram to determine connectivity between the managed network and the NOC. Review the OOBM gateway router configuration to validate the path that the management traffic traverses. Verify that only management traffic is forwarded through the OOBM interface or IPsec tunnel.

If an OOBM link is used, verify that the only authorized management traffic is transported to the NOC by reviewing the outbound filter applied to the OOBM interface as shown in the example below.

interfaces {
description "OOBM Net";
ge-1/1/0 {
unit 0 {
family inet {
filter {
output MGMT_TRAFFIC;
}
address 10.2.22.2/24;
}
}
}



firewall {
family inet {



filter MGMT_TRAFFIC {
term ALLOW_SNMP {
from {
protocol udp;
port [ snmp snmptrap ];
}
then accept;
}
term ALLOW_TACACS {
from {
protocol tcp;
port tacacs;
}
then accept;
}
term ALLOW_NETFLOW {
from {
protocol udp;
port [ 2055 9995 9996 ];
}
then accept;
}
term DENY_OTHER {
then {
syslog;
discard;
}
}
}
}

If an IPsec tunnel is used, verify that the only authorized management traffic is transported to the NOC by reviewing the filter referencing the applicable security association as shown int example below.

firewall {
family inet {



filter MGMT_TRAFFIC {
term ALLOW_SNMP {
from {
protocol udp;
port [ snmp snmptrap ];
}
then ipsec-sa IPSEC_SA_MGMT;
}
term ALLOW_TACACS {
from {
protocol tcp;
port tacacs;
}
then ipsec-sa IPSEC_SA_MGMT;
}
term ALLOW_NETFLOW {
from {
protocol udp;
port [ 2055 9995 9996 ];
}
then ipsec-sa IPSEC_SA_MGMT;
}
term OTHER {
then accept;
}
}
}

If traffic other than authorized management traffic is permitted through the OOBM interface or IPsec tunnel, this is a finding.
Fix Text (F-18272r297004_fix)
This requirement is not applicable for the DoDIN Backbone.

Configure filters to permit only authorized management traffic into IPsec tunnels or the OOBM interface used for forwarding management data as shown in the examples below.

OOBM Link
[edit firewall family inet]
set filter MGMT_TRAFFIC term ALLOW_SNMP from protocol udp port [snmp snmptrap]
set filter MGMT_TRAFFIC term ALLOW_SNMP then accept
set filter MGMT_TRAFFIC term ALLOW_TACACS from protocol tcp port tacacs
set filter MGMT_TRAFFIC term ALLOW_TACACS then accept
set filter MGMT_TRAFFIC term ALLOW_NETFLOW from protocol udp port [2055 9995 9996]
set filter MGMT_TRAFFIC term ALLOW_NETFLOW then accept
set filter MGMT_TRAFFIC term DENY_OTHER then syslog discard

[edit interfaces ge-1/1/0 unit 0 family inet]
set filter output MGMT_TRAFFIC

IPsec Tunnel
[edit firewall family inet]
set filter MGMT_TRAFFIC term ALLOW_SNMP from protocol udp port [snmp snmptrap]
set filter MGMT_TRAFFIC term ALLOW_SNMP then ipsec-sa IPSEC_SA_MGMT
set filter MGMT_TRAFFIC term ALLOW_TACACS from protocol tcp port tacacs
set filter MGMT_TRAFFIC term ALLOW_TACACS then ipsec-sa IPSEC_SA_MGMT
set filter MGMT_TRAFFIC term ALLOW_NETFLOW from protocol udp port [2055 9995 9996]
set filter MGMT_TRAFFIC term ALLOW_NETFLOW then ipsec-sa IPSEC_SA_MGMT
set filter MGMT_TRAFFIC term OTHER then accept