
Management traffic is not classified and marked at the nearest upstream MLS or router when management traffic must traverse several nodes to reach the management network.


Overview

Finding ID: V-17836
Version: NET1007
Rule ID: SV-19314r1_rule
IA Controls: (none listed)
Severity: Low
Description
When network congestion occurs, all traffic has an equal chance of being dropped. Prioritization of network management traffic must be implemented so that even during periods of severe congestion the network can still be managed and monitored. Quality of Service (QoS) provisioning categorizes network traffic, prioritizes it according to its relative importance, and gives it priority treatment through congestion-avoidance techniques. Implementing QoS within the network makes network performance more predictable and bandwidth utilization more effective. Most important, because the same bandwidth is used to manage the network, it gives some assurance that bandwidth will be available to troubleshoot outages and restore availability when needed. When management traffic must traverse several nodes to reach the management network, it should be classified and marked at the nearest upstream MLS or router. In addition, all core routers within the managed network must be configured to provide preferred treatment based on the QoS markings, so that management traffic receives preferred per-hop behavior at each forwarding device along the path to the management network.
STIG: Perimeter Router Security Technical Implementation Guide Juniper
Date: 2017-06-29

Details

Check Text (C-20263r1_chk)
Review the configuration of the MLS or router to determine whether management traffic is classified and marked to a favorable PHB at the distribution layer. Per the DISN-approved QoS classifications, control-plane and management-plane traffic should use DSCP 48 (binary 110000, the CS6 code point; Network-Control PHB). In the example configuration below, an infrastructure router in the managed network's distribution layer classifies at ingress all traffic destined to the management network (10.10.10.0/24 in the example) into the network-control forwarding class; the DSCP 48 value itself is written into the packet at egress by the rewrite rule shown afterwards, since classification alone changes only how this router queues the packet.

firewall {
    family inet {
        filter set-FC-to-network-control {
            term match-management-network-prefix {
                from {
                    destination-address {
                        10.10.10.0/24;
                    }
                }
                then {
                    forwarding-class network-control;
                    accept;
                }
            }
            /* Pass everything else unchanged; without this term the filter's implicit discard would drop all other traffic. */
            term accept-all {
                then accept;
            }
        }
    }
}
interfaces {
    fe-0/0/2 {
        description "link to LAN1";
        unit 0 {
            family inet {
                filter {
                    input set-FC-to-network-control;
                }
                address 192.168.1.1/24;
            }
        }
    }
    /* The original listed this second LAN interface as fe-0/0/2 again, which Junos would merge with the block above; fe-0/0/3 is an assumed name. */
    fe-0/0/3 {
        description "link to LAN2";
        unit 0 {
            family inet {
                filter {
                    input set-FC-to-network-control;
                }
                address 192.168.2.1/24;
            }
        }
    }
    ge-0/0/1 {
        description "link to core";
        unit 0 {
            family inet {
                /* The original repeated LAN2's 192.168.2.1/24 on the core link, which cannot be right for a separate routed link; 192.168.3.1/24 is an assumed address. */
                address 192.168.3.1/24;
            }
        }
    }
}

By default, no rewrite rules are applied to interfaces. Classifying a packet into the network-control forwarding class affects only how this router queues it; unless a rewrite rule changes the DSCP field, the packet leaves with whatever DSCP value it carried when it arrived, and downstream hops see nothing new. To apply a rewrite rule, use the default rules (which map network-control to DSCP 48, 110000, at low loss priority) or define new ones; in either case, apply the rules to the outgoing interface under the class-of-service hierarchy, as shown in the following configuration. Note that the default DSCP rewrite table also rewrites best-effort traffic to DSCP 0, so on this interface any markings that transit traffic already carried are cleared unless that traffic has been classified into another forwarding class; define a custom rewrite rule if existing markings must be preserved. Confirm the binding with show class-of-service interface ge-0/0/1, which lists the rewrite rule applied to the logical unit.

class-of-service {
    interfaces {
        ge-0/0/1 {
            unit 0 {
                rewrite-rules {
                    dscp default;
                }
            }
        }
    }
}
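The check above is a manual review of two stanzas. The following Python script is an added example (not part of the STIG and not Juniper tooling) that automates that review over a Junos configuration saved in its curly-brace text form: it parses the text with a small hand-written parser, reports which family inet filters classify traffic for the management prefix into network-control, which logical interfaces apply such a filter on input, and which logical interfaces carry a DSCP rewrite rule under class-of-service, and flags the configuration compliant only when all three are present. The management prefix 10.10.10.0/24, the interface names and the addresses in the embedded sample configuration are constructed to mirror the page's example, and the parser is deliberately simplified (no apply-groups, inactive: statements or set-format input).

```python
"""Audit a Junos configuration (curly-brace text form) for the NET1007 check:
an ingress inet filter classifying management-bound traffic into network-control,
plus a DSCP rewrite rule on the core-facing egress interface. Added example."""
import re

MGMT_PREFIX = "10.10.10.0/24"  # assumed management-network prefix


def parse_junos(text):
    """Parse curly-brace Junos config into nested dicts: blocks become
    {name: {...}} (repeated blocks merge, as Junos merges them), leaf statements
    become {statement: True}. Simplified: no apply-groups, inactive: or set input."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)  # /* annotations */
    text = re.sub(r"^\s*#.*$", "", text, flags=re.M)   # '## Last commit' lines
    root, stack, buf = {}, [], []
    node = root
    for tok in re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', text):
        if tok == "{":          # open a block named by the buffered words
            stack.append(node)
            node = node.setdefault(" ".join(buf), {})
            buf = []
        elif tok == ";":        # terminate a leaf statement
            node[" ".join(buf)] = True
            buf = []
        elif tok == "}":        # close the current block
            node = stack.pop()
        else:
            buf.append(tok)
    if stack or buf:
        raise ValueError("malformed configuration (unbalanced braces)")
    return root


def blocks(node, prefix=""):
    """Yield (key, body) for child blocks of node whose key starts with prefix."""
    for key, body in node.items():
        if isinstance(body, dict) and key.startswith(prefix):
            yield key, body


def classifying_filters(cfg, mgmt_prefix):
    """Names of family inet filters with a term that matches traffic destined
    to mgmt_prefix and sets forwarding-class network-control."""
    inet = cfg.get("firewall", {}).get("family inet", {})
    names = []
    for fkey, fbody in blocks(inet, "filter "):
        for _, term in blocks(fbody, "term "):
            dst = term.get("from", {}).get("destination-address", {})
            then = term.get("then", {})
            if mgmt_prefix in dst and "forwarding-class network-control" in then:
                names.append(fkey.split()[1])
                break
    return names


def interfaces_with_input_filter(cfg, filter_name):
    """Logical interfaces (ifd.unit) applying filter_name as an inet input filter."""
    return [f"{ifkey}.{ukey.split()[1]}"
            for ifkey, ifbody in blocks(cfg.get("interfaces", {}))
            for ukey, unit in blocks(ifbody, "unit ")
            if f"input {filter_name}" in unit.get("family inet", {}).get("filter", {})]


def interfaces_with_dscp_rewrite(cfg):
    """Logical interfaces with a DSCP rewrite rule applied under class-of-service."""
    cos_ifs = cfg.get("class-of-service", {}).get("interfaces", {})
    return [f"{ifkey}.{ukey.split()[1]}"
            for ifkey, ifbody in blocks(cos_ifs)
            for ukey, unit in blocks(ifbody, "unit ")
            if any(r.startswith("dscp ") for r in unit.get("rewrite-rules", {}))]


def audit(config_text, mgmt_prefix=MGMT_PREFIX):
    """Return the evidence a reviewer records plus an overall compliant flag."""
    cfg = parse_junos(config_text)
    filters = classifying_filters(cfg, mgmt_prefix)
    ingress = [i for f in filters for i in interfaces_with_input_filter(cfg, f)]
    egress = interfaces_with_dscp_rewrite(cfg)
    return {"filters": filters, "ingress": ingress, "egress_rewrite": egress,
            "compliant": bool(filters and ingress and egress)}


# Constructed sample mirroring the check-text example (one LAN interface shown).
BASE_CONFIG = """
firewall { family inet { filter set-FC-to-network-control {
    term match-management-network-prefix {
        from { destination-address { 10.10.10.0/24; } }
        then { forwarding-class network-control; accept; } }
    term accept-all { then accept; } } } }
interfaces {
    fe-0/0/2 { description "link to LAN1";
        unit 0 { family inet { filter { input set-FC-to-network-control; }
                               address 192.168.1.1/24; } } }
    ge-0/0/1 { description "link to core";
        unit 0 { family inet { address 192.168.3.1/24; } } } }
"""
# Without this stanza the router queues management traffic preferentially but
# never rewrites the DSCP field, so the next hop still sees the arriving value.
REWRITE_STANZA = """
class-of-service { interfaces { ge-0/0/1 { unit 0 { rewrite-rules { dscp default; } } } } }
"""
COMPLIANT_CONFIG = BASE_CONFIG + REWRITE_STANZA
```

Run audit(COMPLIANT_CONFIG) to see the three pieces of evidence a reviewer records; audit(BASE_CONFIG) reports compliant False with an empty egress_rewrite list, which is the common real-world failure: the filter is in place but nothing on the core-facing interface ever writes DSCP 48 into the header. The parser merges repeated blocks the way Junos does, so a configuration that lists the same interface twice (as the original example did) is still read as one interface.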
Fix Text (F-17756r1_fix)
When management traffic must traverse several nodes to reach the management network, classify and mark management traffic at the nearest upstream MLS or router.