Ensure VRRP authentication-key is set

Details

VRRP authentication should be used where other security mechanisms are not in place.

Rationale:

VRRP provides resilience for a router's interfaces, allowing another router to act as backup in the event of a partial or complete failure of the primary router. This increases the availability of network resources as well as resilience to DoS attacks.

Routers configured to share a Virtual IP Address using VRRP communicate their status to their peer on a regular basis using a multicast packet, allowing a Master for the VIP to be elected. It is the Master that deals with packets destined for the VIP address.

If no authentication is used, an attacker could potentially disrupt the VRRP Master Election process, causing neither router to handle packets destined for the VIP and resulting in a DoS.

An authentication key can be configured for all VRRP Groups used on the device to help protect against this.

Solution

If you have configured VRRP on one or more interfaces, you should configure authentication using the following command from the [edit interfaces <interface name> unit <unit number> family inet address <ip address>] hierarchy:

[edit interfaces <interface name> unit <unit number> family inet address <ip address>]
user@host# set vrrp-group <group number> authentication-key <key>
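To audit an existing device against this control, the following added example (not part of the original benchmark text) reports every VRRP group that has no authentication-key. It assumes the input is the output of `show configuration interfaces | display set`; the function name and the sample configuration are constructed for illustration.

```python
import re

# Matches VRRP statements under family inet in `display set` output.
VRRP_RE = re.compile(
    r"^set interfaces (?P<ifd>\S+) unit (?P<unit>\d+) family inet "
    r"address (?P<addr>\S+) vrrp-group (?P<group>\d+)(?: (?P<stmt>\S+))?"
)

def groups_missing_auth_key(display_set_text):
    """Return sorted (interface, unit, address, group) tuples with no authentication-key."""
    seen, keyed = set(), set()
    for line in display_set_text.splitlines():
        m = VRRP_RE.match(line.strip())
        if not m:
            continue  # not a VRRP statement (or not a `set` line)
        ident = (m["ifd"], int(m["unit"]), m["addr"], int(m["group"]))
        seen.add(ident)
        if m["stmt"] == "authentication-key":
            keyed.add(ident)
    return sorted(seen - keyed)

# Constructed sample: documentation addresses and a placeholder key value.
SAMPLE = '''
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.2/24 vrrp-group 10 virtual-address 192.0.2.1
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.2/24 vrrp-group 10 priority 200
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.2/24 vrrp-group 10 authentication-type md5
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.2/24 vrrp-group 10 authentication-key "$9$PLACEHOLDER"
set interfaces ge-0/0/1 unit 100 family inet address 198.51.100.2/24 vrrp-group 20 virtual-address 198.51.100.1
set interfaces ge-0/0/1 unit 100 family inet address 198.51.100.2/24 vrrp-group 20 priority 100
set interfaces ge-0/0/2 unit 0 family inet address 203.0.113.2/24
'''

if __name__ == "__main__":
    for ifd, unit, addr, group in groups_missing_auth_key(SAMPLE):
        print(f"FAIL {ifd}.{unit} {addr} vrrp-group {group}: no authentication-key")
```

A device passes the check when the function returns an empty list; an interface with no VRRP group at all is not reported.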

Default Value:

VRRP is not configured by default

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: Identification and Authentication. This control applies to the following type of system: Juniper.

Updated on July 16, 2022