Ensure authentication check is not suppressed

Details

IS-IS Neighbors should be authenticated.

Rationale:

Where it is deployed, IS-IS routing is vital for normal operation of an organization’s network infrastructure. Correct route information is required for routers to correctly direct traffic through the network. An attacker posing as one of the target router's IS-IS neighbors may inject incorrect information into the route table, resulting in a DoS attack or loss of confidential data through a Man in the Middle attack.

On JUNOS routers it is possible to suppress some authentication features to aid integration with other vendors' IS-IS implementations. One of these interoperability features allows you to configure the router to generate authenticated packets, but not check the authentication of received packets. This leaves the router as vulnerable as it would be with no authentication enabled at all and should not be used in a production environment.

NOTE: IS-IS does not appear to be configured on the target. This check is not applicable.

Solution

If you have deployed IS-IS in your network and have disabled authentication checking, re-enable it by issuing the following command from the [edit protocols isis] hierarchy for each level at which it had been set:

[edit protocols isis]
user@host#delete level no-authentication-check
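
An added example, not part of the benchmark or of Juniper's tooling: a Python audit over `show configuration | display set` output that reports this control as not applicable, passed or failed, and lists the matching delete statements. The sample configurations, the key value and the instance name CORE are constructed, and the per-level placement of the statement follows this page.

```python
import re

# A "display set" line enabling no-authentication-check anywhere under a
# "protocols isis" stanza (main instance, logical system or routing
# instance). An optional "level N" is captured for reporting.
SUPPRESSED = re.compile(
    r"^set (?P<scope>.*?)protocols isis "
    r"(?:level (?P<level>\d) )?no-authentication-check\s*$"
)
ISIS_ANY = re.compile(r"^set (?:.*? )?protocols isis\b")

# Constructed sample configurations (not taken from any real device).
SAMPLE_FAIL = """
set system host-name r1
set protocols isis level 1 authentication-key "$9$constructed"
set protocols isis level 1 authentication-type md5
set protocols isis level 2 no-authentication-check
set routing-instances CORE protocols isis level 1 no-authentication-check
set protocols isis interface ge-0/0/0.0
"""
SAMPLE_PASS = """
set protocols isis level 1 authentication-key "$9$constructed"
set protocols isis level 1 authentication-type md5
set protocols isis interface ge-0/0/0.0
"""
SAMPLE_NO_ISIS = """
set system host-name r2
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0
"""


def audit_isis_auth_check(display_set_text):
    """Return (status, findings, remediation) for one configuration.

    status: "NOT_APPLICABLE" if no IS-IS configuration exists, "FAIL" if
    authentication checking is suppressed anywhere, otherwise "PASS".
    """
    lines = [ln.strip() for ln in display_set_text.splitlines() if ln.strip()]
    if not any(ISIS_ANY.match(ln) for ln in lines):
        return "NOT_APPLICABLE", [], []
    findings, remediation = [], []
    for ln in lines:
        m = SUPPRESSED.match(ln)
        if m:
            findings.append((m.group("scope").strip() or "main", m.group("level")))
            # Mirror the offending "set" line as the "delete" that removes it.
            remediation.append("delete" + ln[len("set"):])
    return ("FAIL" if findings else "PASS"), findings, remediation
```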

Default Value:

No IS-IS routing is configured by default.

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: Identification and Authentication. This control applies to the following type of system: Juniper.

Updated on July 16, 2022