The Juniper router must be configured to have Internet Control Message Protocol (ICMP) unreachable notifications disabled on all external interfaces.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
---|---|---|---|---|---|---|
medium | V-254034 | SRG-NET-000362-RTR-000113 | JUEX-RT-000620 | SV-254034r844135_rule | 2024-06-10 | 2 |
Description |
---|
ICMP supports IP traffic by relaying information about paths, routes, and network conditions. Routers automatically send ICMP messages under a wide variety of conditions. ICMP destination unreachable messages (type 3) are commonly used by attackers for network mapping and diagnosis: an unreachable returned from an external interface confirms that the router is present and reveals which destination addresses, protocols, or ports behind it are not in use. |
ℹ️ Check |
---|
Review the device configuration to determine whether controls have been defined to ensure the router does not send ICMP unreachable notifications out of any external interface. The control is implemented as an output filter on each external interface that discards ICMP unreachable messages sourced from the router's own addresses:

```
[edit policy-options]
prefix-list router-address-ipv4 {
    <external interface address>/32;
    <internal subnet>/<mask>;
}

[edit firewall family inet]
filter <filter name> {
    term 1 {
        from {
            source-prefix-list {
                router-address-ipv4;
            }
            protocol icmp;
            icmp-type unreachable;
        }
        then {
            log;
            syslog;
            discard;
        }
    }
    <additional terms>
    term default {
        then {
            log;
            syslog;
            discard;
        }
    }
}

[edit interfaces]
<external interface> {
    unit <number> {
        family inet {
            filter {
                output <filter name>;
            }
            address <IPv4 address>/<mask>;
        }
    }
}
```

Note: Some Juniper devices support both monolithic filters and filter lists. Filter lists separate each term, or set of terms, into a separate filter that is applied sequentially to an interface. If using filter lists, the keywords "input" or "output" change to "input-list" or "output-list". Verify the final list item is a deny-all filter. The deny-all filter is created once per family and can be reused across multiple lists. For example:

```
input-list [ permit_mgt permit_routing_protocols default-deny ];
```

When reviewing the filter, confirm that the prefix-list referenced by the term covers the address configured on the external interface (router-originated ICMP carries the egress interface address as its source), that no earlier term accepts ICMP unreachable traffic, and that the <additional terms> accept the legitimate transit and control-plane traffic, since the default term discards everything not matched earlier.

If ICMP unreachable notifications are enabled on any external interface, this is a finding.
✔️ Fix |
---|
Disable ICMP unreachable notifications on all external interfaces by discarding them with an output filter:

```
set policy-options prefix-list router-address-ipv4 <external interface address>/32
set policy-options prefix-list router-address-ipv4 <internal subnet>/<mask>
set firewall family inet filter <filter name> term 1 from source-prefix-list router-address-ipv4
set firewall family inet filter <filter name> term 1 from protocol icmp
set firewall family inet filter <filter name> term 1 from icmp-type unreachable
set firewall family inet filter <filter name> term 1 then log
set firewall family inet filter <filter name> term 1 then syslog
set firewall family inet filter <filter name> term 1 then discard
<additional terms>
set firewall family inet filter <filter name> term default then log
set firewall family inet filter <filter name> term default then syslog
set firewall family inet filter <filter name> term default then discard
set interfaces <external interface> unit <number> family inet filter output <filter name>
set interfaces <external interface> unit <number> family inet address <IPv4 address>/<mask>
```

Note: The prefix-list name referenced by the term must match the name defined under policy-options (router-address-ipv4 above); otherwise the term references an undefined prefix-list. The <additional terms> must accept the transit and control-plane traffic that legitimately leaves the interface, because the default term discards everything not matched earlier. Use discard rather than reject for these terms: reject itself generates an ICMP unreachable toward the source. Discarding all ICMP unreachables also suppresses the router's own "fragmentation needed" messages (type 3, code 4), so confirm that path MTU discovery through this interface is not relied upon before applying the filter.
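The following is an added example, not part of the STIG or Juniper's own tooling: an offline script that automates the Check procedure above against the output of `show configuration | display set`. It parses the inet filters, their interface bindings (both `output` and `output-list`) and the prefix-lists, and for each external interface reports whether the first term matching ICMP unreachable traffic from the router's own address discards it and whether the filter chain ends in a deny-all term. Only `discard` is accepted as compliant, since `reject` emits an ICMP unreachable itself. The interface names, filter names and addresses in `SAMPLE_CONFIG` are constructed for illustration; match conditions other than protocol, icmp-type and source-prefix-list (for example destination-address) are ignored, which is a simplification of Junos term semantics.

```python
"""Added example (not part of the STIG): offline check of JUEX-RT-000620 against
'show configuration | display set' output. Names in SAMPLE_CONFIG are constructed."""
import ipaddress
from collections import defaultdict

# Constructed sample: ge-0/0/0 is compliant, ge-0/0/1 applies a filter that
# accepts unreachables, ge-0/0/2 has no output filter at all.
SAMPLE_CONFIG = """
set policy-options prefix-list router-address-ipv4 192.0.2.1/32
set policy-options prefix-list router-address-ipv4 10.0.0.0/8
set firewall family inet filter EXT-OUT term 1 from source-prefix-list router-address-ipv4
set firewall family inet filter EXT-OUT term 1 from protocol icmp
set firewall family inet filter EXT-OUT term 1 from icmp-type unreachable
set firewall family inet filter EXT-OUT term 1 then log
set firewall family inet filter EXT-OUT term 1 then discard
set firewall family inet filter EXT-OUT term allow-transit from protocol tcp
set firewall family inet filter EXT-OUT term allow-transit then accept
set firewall family inet filter EXT-OUT term default then log
set firewall family inet filter EXT-OUT term default then discard
set firewall family inet filter WEAK-OUT term 1 from protocol icmp
set firewall family inet filter WEAK-OUT term 1 from icmp-type unreachable
set firewall family inet filter WEAK-OUT term 1 then accept
set firewall family inet filter WEAK-OUT term default then discard
set interfaces ge-0/0/0 unit 0 family inet filter output EXT-OUT
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.1/30
set interfaces ge-0/0/1 unit 0 family inet filter output WEAK-OUT
set interfaces ge-0/0/1 unit 0 family inet address 198.51.100.1/30
set interfaces ge-0/0/2 unit 0 family inet address 203.0.113.1/30
"""

DENY = {"discard"}  # 'reject' sends an ICMP unreachable itself, so it does not satisfy the control


def parse_set_config(text):
    """Extract inet filters, interface bindings and prefix-lists from set-style lines."""
    filters = defaultdict(dict)  # name -> {term: {"from": {key: [values]}, "then": {actions}}}
    ifaces = defaultdict(lambda: {"output": [], "address": []})  # (ifname, unit) -> bindings
    prefix_lists = defaultdict(list)
    for line in text.splitlines():
        w = line.split()
        if not w or w[0] != "set":
            continue
        if len(w) >= 10 and w[1:5] == ["firewall", "family", "inet", "filter"] and w[6] == "term":
            term = filters[w[5]].setdefault(w[7], {"from": defaultdict(list), "then": set()})
            if w[8] == "from":
                term["from"][w[9]].extend(v for v in w[10:] if v not in ("[", "]"))
            elif w[8] == "then":
                term["then"].add(w[9])
        elif len(w) >= 9 and w[1] == "interfaces" and w[3] == "unit" and w[5:7] == ["family", "inet"]:
            info = ifaces[(w[2], w[4])]
            if w[7] == "filter" and w[8] in ("output", "output-list"):
                info["output"].extend(v for v in w[9:] if v not in ("[", "]"))  # list order = evaluation order
            elif w[7] == "address":
                info["address"].append(w[8])
        elif len(w) >= 5 and w[1:3] == ["policy-options", "prefix-list"]:
            prefix_lists[w[3]].append(w[4])
    return filters, ifaces, prefix_lists


def term_covers_unreachable(term, iface_addrs, prefix_lists):
    """True if the term matches ICMP unreachables the router itself emits on this interface.
    Simplification: match conditions other than protocol/icmp-type/source-prefix-list are ignored."""
    frm = term["from"]
    if "protocol" in frm and "icmp" not in frm["protocol"]:
        return False
    if "icmp-type" in frm and not {"unreachable", "3"} & set(frm["icmp-type"]):
        return False
    if "source-prefix-list" in frm:
        nets = [ipaddress.ip_network(p, strict=False)
                for pl in frm["source-prefix-list"] for p in prefix_lists.get(pl, [])]
        # Router-originated messages carry the egress interface address as their source.
        return all(any(ipaddress.ip_address(a.split("/")[0]) in n for n in nets)
                   for a in iface_addrs)
    return True


def check_external_interfaces(config_text, external_ifaces):
    """Return a list of findings for the given (interface, unit) pairs; empty means no finding."""
    filters, ifaces, prefix_lists = parse_set_config(config_text)
    findings = []
    for name, unit in external_ifaces:
        label = f"{name}.{unit}"
        info = ifaces.get((name, unit), {"output": [], "address": []})
        if not info["output"]:
            findings.append(f"{label}: no output filter applied")
            continue
        # Flatten the filter chain; Junos evaluates terms in order, first match wins.
        terms = [(f, t, term) for f in info["output"] for t, term in filters.get(f, {}).items()]
        hit = next((x for x in terms if term_covers_unreachable(x[2], info["address"], prefix_lists)), None)
        if hit is None:
            findings.append(f"{label}: no term in {info['output']} matches ICMP unreachable")
        elif not hit[2]["then"] & DENY:
            findings.append(f"{label}: filter {hit[0]} term {hit[1]} does not discard ICMP unreachable")
        last = terms[-1][2] if terms else None
        if last is None or last["from"] or not last["then"] & DENY:
            findings.append(f"{label}: filter chain does not end in a deny-all term")
    return findings


if __name__ == "__main__":
    external = [("ge-0/0/0", "0"), ("ge-0/0/1", "0"), ("ge-0/0/2", "0")]
    for finding in check_external_interfaces(SAMPLE_CONFIG, external) or ["no findings"]:
        print(finding)
```

Feed it the real `display set` output and the list of external interfaces from the network diagram; any non-empty result corresponds to "this is a finding" in the Check text. Because a default `discard` term with no `from` conditions also matches unreachables, a chain whose only ICMP handling is the deny-all term is reported as compliant, which matches the STIG's intent but also drops all other unmatched egress traffic.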