Juniper EX Series Switches Layer 2 Switch Security Technical Implementation Guide

Overview

Version: 2
Date: 2024-09-20
Finding Count: 25 (CAT I (High): 2, CAT II (Medium): 19, CAT III (Low): 4)
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
Profiles: I - Mission Critical Classified; I - Mission Critical Public; I - Mission Critical Sensitive; II - Mission Critical Classified; II - Mission Critical Public; II - Mission Critical Sensitive; III - Mission Critical Classified; III - Mission Critical Public; III - Mission Critical Sensitive

Findings - All

Finding ID Severity Title Description
V-253949 High The Juniper EX switch must be configured to uniquely identify all network-connected endpoint devices before establishing any connection. Controlling LAN access via 802.1x authentication can assist in preventing a malicious user from connecting an unauthorized PC to an access interface to inject or receive data from the network without detection. 802.1x includes Static MAC Bypass and MAC RADIUS for those devices that do not offer a supplicant.
V-253948 High The Juniper EX switch must be configured to disable non-essential capabilities. A compromised switch introduces risk to the entire network infrastructure as well as data resources that are accessible via the network. The perimeter defense has no oversight or control of attacks by malicious users within the network. Preventing network breaches from within is dependent on implementing a comprehensive defense-in-depth strategy,...
V-253971 Medium The Juniper EX switch must not have a native VLAN ID assigned, or have a unique native VLAN ID, for all 802.1q trunk links. By default, Juniper switches do not assign a native VLAN to any trunked interface. Allowing trunked interfaces to accept untagged data packets may unintentionally expose VLANs to unauthorized devices that could result in network exploration, unauthorized resource access, or a DoS condition. If a network function requires a native VLAN...
V-253970 Medium The Juniper EX switch must be configured to set all user-facing or untrusted ports as access interfaces. Configuring user-facing or untrusted interfaces as trunked may expose network traffic to an unauthorized, or unintended, connected endpoint. Access interfaces can belong to a single VLAN rather than the multiple VLANs supported by trunks, which limits potential exposure to a smaller subset of the total network traffic. Access interfaces also...
V-253969 Medium The Juniper EX switch must not use the default VLAN for management traffic. By default, all unassigned interfaces are placed into the default VLAN and if used for management, could unintentionally expose sensitive traffic or protected resources to unauthorized devices.
V-253968 Medium The Juniper EX switch must be configured to prune the default VLAN from all trunked interfaces that do not require it. All unassigned interfaces are placed into the default VLAN and devices connected to enabled, but unassigned interfaces can communicate within that VLAN. Although the default VLAN is not automatically assigned to any trunked interface, if the default VLAN must be trunked or a misconfigured trunk unintentionally includes the default VLAN,...
V-253967 Medium The Juniper EX switch must not be configured with VLANs used for L2 control traffic assigned to any host-facing access interface. In a switched Ethernet network, some protocols use L2 Protocol Data Units (PDU) to communicate in-band management or other control information. This control traffic is inappropriate for host-facing access interfaces because those devices are not part of the switching infrastructure. Juniper switches do not automatically carry this L2 control traffic...
V-253966 Medium The Juniper EX switch must be configured to assign all disabled access interfaces to an unused VLAN. It is possible that a disabled access interface that is assigned to a user or management VLAN becomes enabled by accident or by an attacker and as a result gains access to that VLAN as a member.
V-253965 Medium The Juniper EX switch must be configured to verify two-way connectivity on all interswitch trunked interfaces. In topologies where fiber optic interconnections are used, physical misconnections can occur that allow a link to appear to be up when there is a mismatched set of transmit/receive pairs. When such a physical misconfiguration occurs, protocols such as STP can cause network instability. OAM LFM and LAG are industry...
V-253964 Medium If STP is used, the Juniper EX switch must be configured to implement Rapid STP, or Multiple STP, where VLANs span multiple switches with redundant links. Spanning Tree Protocol (STP) is implemented on bridges and switches to prevent layer 2 loops when a broadcast domain spans multiple bridges and switches and when redundant links are provisioned to provide high availability in case of link failures. Convergence time can be significantly reduced using Rapid STP (802.1w) instead...
V-253961 Medium The Juniper EX switch must be configured to enable Dynamic Address Resolution Protocol (ARP) Inspection (DAI) on all user VLANs. DAI intercepts Address Resolution Protocol (ARP) requests and verifies that each of these packets has a valid IP-to-MAC address binding before updating the local ARP cache and before forwarding the packet to the appropriate destination. Invalid ARP packets are dropped and logged. DAI determines the validity of an ARP packet...
V-253960 Medium The Juniper EX switch must be configured to enable IP Source Guard on all user-facing or untrusted access VLANs. IP Source Guard provides source IP address filtering on an untrusted layer 2 interface to prevent a malicious host from impersonating a legitimate host by assuming the legitimate host's IP address. The feature uses dynamic DHCP snooping and static IP source binding to match IP addresses to hosts on untrusted...
V-253959 Medium The Juniper EX switch must be configured to enable DHCP snooping for all user VLANs to validate DHCP messages from untrusted sources. In an enterprise network, devices under administrative control are trusted sources. These devices include the switches, routers, and servers in the network. Host interfaces and unknown DHCP servers are considered untrusted sources. An unknown DHCP server on the network on an untrusted interface is called a spurious DHCP server, any...
V-253958 Medium The Juniper EX switch must be configured not to forward unknown unicast traffic to access interfaces. Access layer switches use the Content Addressable Memory (CAM) table to direct traffic to specific interfaces based on the VLAN number and the destination MAC address of the frame. When a router has an Address Resolution Protocol (ARP) entry for a destination host and forwards it to the access layer...
V-253957 Medium The Juniper EX switch must be configured to enable STP Loop Protection on all non-designated STP switch ports. The Spanning Tree Protocol (STP) Loop Protection feature provides additional protection against STP loops. An STP loop is created when an STP blocking port in a redundant topology erroneously transitions to the forwarding state. In its operation, STP relies on continuous reception and transmission of BPDUs based on the port...
V-253956 Medium The Juniper EX switch must be configured to enable BPDU Protection on all user-facing or untrusted access switch ports. If a rogue switch is introduced into the topology and transmits a Bridge Protocol Data Unit (BPDU) with a lower bridge priority than the existing root bridge, it will become the new root bridge and cause a topology change, rendering the network in a suboptimal state. BPDU Protection allows network...
V-253954 Medium The Juniper EX switch must be configured to authenticate all network-connected endpoint devices before establishing any connection. Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Device authentication is a solution enabling an organization to manage devices. It is an additional layer of authentication ensuring only specific pre-authorized devices can access the system. This requirement applies to applications that connect either locally,...
V-253953 Medium The Juniper EX switch must be configured to permit authorized users to remotely view, in real time, all content related to an established user session from a component separate from the layer 2 switch. Without the capability to remotely view/hear all content related to a user session, investigations into suspicious user activity would be hampered. Real-time monitoring allows authorized personnel to take action before additional damage is done. The ability to observe user sessions as they are happening allows for interceding in ongoing events...
V-253952 Medium The Juniper EX switch must be configured to permit authorized users to select a user session to capture. Without the capability to select a user session to capture/record or view/hear, investigations into suspicious or harmful events would be hampered by the volume of information captured. The volume of information captured may also adversely impact the operation for the network. Session audits may include port mirroring, tracking websites visited,...
V-253951 Medium The Juniper EX switch must be configured to manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks. DoS attacks can be mitigated by ensuring sufficient capacity is available for mission-critical traffic. Managing capacity may include, for example, establishing selected network usage priorities or quotas and enforcing them using rate limiting, quality of service (QoS), or other resource reservation control methods. These measures may also mitigate the effects...
V-253950 Medium The Juniper layer 2 switch must be configured to disable all dynamic VLAN registration protocols. Dynamic VLAN registration protocols provide centralized management of VLAN domains, which can reduce administration in a switched network. Interfaces are assigned to VLANs and the VLAN is dynamically registered on the trunked interface. Removing the last active interface from the VLAN automatically prunes the VLAN from the trunked interface, preserving...
V-253972 Low The Juniper EX switch must not have any access interfaces assigned to a VLAN configured as native for any trunked interface. Trunked interfaces without an assigned native VLAN do not accept untagged data packets. Allowing trunked interfaces to accept untagged data packets may unintentionally expose VLANs to unauthorized devices that could result in network exploration, unauthorized resource access, or a DoS condition. If a network function requires a native VLAN, and...
V-253963 Low The Juniper EX switch must be configured to enable IGMP or MLD Snooping on all VLANs. IGMP and MLD snooping provide a way to constrain multicast traffic at layer 2. By monitoring the IGMP or MLD membership reports sent by hosts within a VLAN, the snooping application can set up layer 2 multicast forwarding tables to deliver specific multicast traffic only to interfaces connected to hosts...
V-253962 Low The Juniper EX switch must be configured to enable Storm Control on all host-facing access interfaces. A traffic storm occurs when packets flood a LAN, creating excessive traffic and degrading network performance. Traffic storm control prevents network disruption by suppressing ingress traffic when the number of packets reaches configured threshold levels. Traffic storm control monitors ingress traffic levels on a port and drops traffic when the...
V-253955 Low The Juniper EX switch must be configured to enable Root Protection on STP switch ports connecting to access layer switches. Spanning Tree Protocol (STP) does not provide any means for the network administrator to securely enforce the topology of the switched network. Any switch can be the root bridge in a network. However, a more optimal forwarding topology places the root bridge at a specific predetermined location. With the standard...