
The Juniper out-of-band management (OOBM) gateway router must be configured to forward only authorized management traffic to the Network Operations Center (NOC).


Overview

Finding ID: V-254019
Version: JUEX-RT-000470
Rule ID: SV-254019r844090_rule
IA Controls: none listed
Severity: Medium
Description
The OOBM network is an IP network used exclusively for the transport of OAM&P (operations, administration, maintenance, and provisioning) data from the network being managed to the OSS (operations support system) components located at the NOC. Its design provides connectivity to each managed network device, enabling network management traffic to flow between the managed network elements and the NOC over paths separate from those used by the managed (production) network. The gateway router at the boundary of that network must therefore forward only the management traffic the OOBM network exists to carry; any other traffic reaching the NOC through it defeats the separation.
STIG: Juniper EX Series Switches Router Security Technical Implementation Guide
Date: 2023-03-23

Details

Check Text ( C-57471r844088_chk )
This requirement is not applicable for the DODIN Backbone.

Review the network topology diagram to determine connectivity between the managed network and the NOC.

Review the OOBM gateway router configuration to validate the path that the management traffic traverses.

Verify that only management traffic is forwarded through the OOBM interface or IPsec tunnel. Verify that the match condition of every term that accepts traffic restricts the destination address, either through a prefix-list or through directly assigned addresses, and that the filter ends in a term that logs and discards everything else.

[edit policy-options]
prefix-list NOC-ipv4 {
    <NOC IPv4 prefix>/<length>;
}
prefix-list NOC-ipv6 {
    <NOC IPv6 prefix>/<length>;
}
[edit firewall]
family inet {
    filter permit-NOC-ipv4 {
        term 1 {
            from {
                destination-prefix-list {
                    NOC-ipv4;
                }
                protocol <protocol>;
                destination-port [ <ports> ];
            }
            then accept;
        }
        term default {
            then {
                log;
                syslog;
                discard;
            }
        }
    }
}
family inet6 {
    filter permit-NOC-ipv6 {
        term 1 {
            from {
                destination-prefix-list {
                    NOC-ipv6;
                }
                next-header <protocol>;
                destination-port [ <ports> ];
            }
            then accept;
        }
        term default {
            then {
                log;
                syslog;
                discard;
            }
        }
    }
}
[edit interfaces]
<interface-name> {
    unit <unit> {
        family inet {
            filter {
                output permit-NOC-ipv4;
            }
            address <address>/<length>;
        }
        family inet6 {
            filter {
                output permit-NOC-ipv6;
            }
            address <address>/<length>;
        }
    }
}

Note: Some Juniper devices support both monolithic filters and filter lists. Filter lists separate each term, or set of terms, into a separate filter that is applied sequentially to an interface. If using filter lists, the keywords "input" or "output" change to "input-list" or "output-list". Verify the final list item is a deny-all filter. The deny-all filter is created once per family and can be reused across multiple lists. For example:

input-list [ permit_mgt permit_routing_protocols default-deny ];

If using an IPsec tunnel, verify that the static routes for the NOC prefixes use the tunnel interface (or the NOC tunnel endpoint address) as the next hop, so that management traffic cannot leave through any other path.
[edit routing-options]
rib inet6.0 {
    static {
        route <NOC IPv6 prefix>/<length> next-hop <(tunnel interface | NOC IPv6 tunnel endpoint address)>;
    }
}
static {
    route <NOC IPv4 prefix>/<length> next-hop <(tunnel interface | NOC IPv4 tunnel endpoint address)>;
}

If traffic other than authorized management traffic is permitted through the OOBM interface or IPsec tunnel, this is a finding.
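The check above can be applied offline to a saved `show configuration | display set` dump. The script below is an added example, not part of the STIG or of Juniper's tooling: it collects the egress filters applied to the OOBM logical interface (including `output-list` chains, which it flattens in list order), requires every term that accepts traffic to carry a destination-prefix-list or destination-address match and a protocol (inet) or next-header (inet6) match, requires any referenced prefix-list to exist, and requires the final term of the chain to log and discard. The interface `ge-0/0/0.0`, the filter names and the addresses in the two embedded sample configurations are constructed for illustration.

```python
"""Offline audit of a Junos 'show configuration | display set' dump against the
OOBM egress-filter check above. Added example, not STIG or Juniper code; both
embedded sample configurations are constructed for illustration."""
import re

# 'display set' renders one value per line, so destination-port [ 22 443 ] becomes two lines.
SET_TERM = re.compile(r"^set firewall family (inet6?) filter (\S+) term (\S+) (from|then) (.+)$")
SET_IFACE_FAMILY = re.compile(r"^set interfaces (\S+) unit (\S+) family (inet6?)\b")
SET_IFACE_FILTER = re.compile(r"^set interfaces \S+ unit \S+ family (inet6?) filter (output|output-list) (\S+)$")
SET_PREFIX_LIST = re.compile(r"^set policy-options prefix-list (\S+)(?: .+)?$")

def parse(config):
    filters = {}       # (family, filter) -> {term: {"from": [...], "then": [...]}}, config order
    applied = {}       # (ifl, family) -> egress filters in list order
    families = set()   # (ifl, family) pairs present on the device
    prefix_lists = set()
    for line in config.splitlines():
        line = line.strip()
        if m := SET_TERM.match(line):
            fam, name, term, side, rest = m.groups()
            terms = filters.setdefault((fam, name), {})
            terms.setdefault(term, {"from": [], "then": []})[side].append(rest)
        elif m := SET_IFACE_FAMILY.match(line):
            ifl = f"{m.group(1)}.{m.group(2)}"
            families.add((ifl, m.group(3)))
            if f := SET_IFACE_FILTER.match(line):
                applied.setdefault((ifl, f.group(1)), []).append(f.group(3))
        elif m := SET_PREFIX_LIST.match(line):
            prefix_lists.add(m.group(1))
    return filters, applied, families, prefix_lists

def audit(config, oobm_ifl):
    """Return findings for the OOBM logical interface (e.g. 'ge-0/0/0.0'); [] means compliant."""
    filters, applied, families, prefix_lists = parse(config)
    fams = sorted(f for ifl, f in families if ifl == oobm_ifl)
    if not fams:
        return [f"{oobm_ifl}: no family inet/inet6 configured"]
    findings = []
    for fam in fams:
        names = applied.get((oobm_ifl, fam), [])
        # An output-list is evaluated as one chain, so flatten the terms in list order.
        chain = [(n, t, b) for n in names for t, b in filters.get((fam, n), {}).items()]
        if not chain:
            findings.append(f"{fam}: no effective output filter on {oobm_ifl}")
            continue
        proto_kw = "protocol " if fam == "inet" else "next-header "
        for name, term, body in chain:
            if "accept" not in body["then"]:
                continue
            dests = [x for x in body["from"]
                     if x.startswith(("destination-prefix-list ", "destination-address "))]
            if not dests:
                findings.append(f"{fam}: {name} term {term} accepts without a destination match")
            for dest in dests:
                kw, val = dest.split()[:2]
                if kw == "destination-prefix-list" and val not in prefix_lists:
                    findings.append(f"{fam}: {name} term {term} uses undefined prefix-list {val}")
            if not any(x.startswith(proto_kw) for x in body["from"]):
                findings.append(f"{fam}: {name} term {term} accepts without a {proto_kw.strip()} match")
        name, term, body = chain[-1]
        if not any(a in ("discard", "reject") for a in body["then"]):
            findings.append(f"{fam}: final term {name}/{term} does not discard")
        elif not any(a in ("log", "syslog") for a in body["then"]):
            findings.append(f"{fam}: final term {name}/{term} discards without logging")
    return findings

# Constructed sample: both families filtered, IPv6 via a filter list ending in a deny-all filter.
COMPLIANT = """
set policy-options prefix-list NOC-ipv4 192.0.2.0/24
set policy-options prefix-list NOC-ipv6 2001:db8:100::/48
set firewall family inet filter permit-NOC-ipv4 term 1 from destination-prefix-list NOC-ipv4
set firewall family inet filter permit-NOC-ipv4 term 1 from protocol tcp
set firewall family inet filter permit-NOC-ipv4 term 1 from destination-port 22
set firewall family inet filter permit-NOC-ipv4 term 1 then accept
set firewall family inet filter permit-NOC-ipv4 term default then log
set firewall family inet filter permit-NOC-ipv4 term default then discard
set firewall family inet6 filter permit-NOC-ipv6 term 1 from destination-prefix-list NOC-ipv6
set firewall family inet6 filter permit-NOC-ipv6 term 1 from next-header tcp
set firewall family inet6 filter permit-NOC-ipv6 term 1 from destination-port 22
set firewall family inet6 filter permit-NOC-ipv6 term 1 then accept
set firewall family inet6 filter default-deny-ipv6 term default then log
set firewall family inet6 filter default-deny-ipv6 term default then discard
set interfaces ge-0/0/0 unit 0 family inet filter output permit-NOC-ipv4
set interfaces ge-0/0/0 unit 0 family inet address 198.51.100.2/30
set interfaces ge-0/0/0 unit 0 family inet6 filter output-list permit-NOC-ipv6
set interfaces ge-0/0/0 unit 0 family inet6 filter output-list default-deny-ipv6
set interfaces ge-0/0/0 unit 0 family inet6 address 2001:db8::2/64
"""
# Constructed sample: accept term with no destination, no explicit deny, IPv6 left unfiltered.
NONCOMPLIANT = """
set firewall family inet filter oobm-out term 1 from protocol tcp
set firewall family inet filter oobm-out term 1 then accept
set interfaces ge-0/0/0 unit 0 family inet filter output oobm-out
set interfaces ge-0/0/0 unit 0 family inet address 198.51.100.2/30
set interfaces ge-0/0/0 unit 0 family inet6 address 2001:db8::2/64
"""
```

To run it against a real device, replace the sample text with the contents of a saved `display set` dump and call `audit(text, "<interface>.<unit>")` for the OOBM logical interface; an empty list means no finding under this check. The script treats the implicit Junos discard at the end of a filter as insufficient on purpose, because the check expects the dropped traffic to be logged, and it flags a reachable `accept` that lacks a protocol or next-header match because such a term forwards more than management traffic even when the destination is the NOC.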
Fix Text (F-57422r844089_fix)
Configure appropriate prefix lists and firewall filters. For example:
set policy-options prefix-list NOC-ipv4 <NOC IPv4 prefix>/<length>
set policy-options prefix-list NOC-ipv6 <NOC IPv6 prefix>/<length>

set firewall family inet filter permit-NOC-ipv4 term 1 from destination-prefix-list NOC-ipv4
set firewall family inet filter permit-NOC-ipv4 term 1 from protocol <protocol>
set firewall family inet filter permit-NOC-ipv4 term 1 from destination-port [ <ports> ]
set firewall family inet filter permit-NOC-ipv4 term 1 then accept

set firewall family inet filter permit-NOC-ipv4 term default then log
set firewall family inet filter permit-NOC-ipv4 term default then syslog
set firewall family inet filter permit-NOC-ipv4 term default then discard

set firewall family inet6 filter permit-NOC-ipv6 term 1 from destination-prefix-list NOC-ipv6
set firewall family inet6 filter permit-NOC-ipv6 term 1 from next-header <protocol>
set firewall family inet6 filter permit-NOC-ipv6 term 1 from destination-port [ <ports> ]
set firewall family inet6 filter permit-NOC-ipv6 term 1 then accept

set firewall family inet6 filter permit-NOC-ipv6 term default then log
set firewall family inet6 filter permit-NOC-ipv6 term default then syslog
set firewall family inet6 filter permit-NOC-ipv6 term default then discard

Apply the firewall filters to the OOBM interface:
set interfaces <interface-name> unit <unit> family inet filter output permit-NOC-ipv4
set interfaces <interface-name> unit <unit> family inet address <address>/<length>
set interfaces <interface-name> unit <unit> family inet6 filter output permit-NOC-ipv6
set interfaces <interface-name> unit <unit> family inet6 address <address>/<length>

If using an IPsec tunnel, route the NOC prefixes through it:
set routing-options rib inet6.0 static route <NOC IPv6 prefix>/<length> next-hop <(tunnel interface | NOC IPv6 tunnel endpoint address)>
set routing-options static route <NOC IPv4 prefix>/<length> next-hop <(tunnel interface | NOC IPv4 tunnel endpoint address)>