CIS Juniper OS Benchmark V2.1.0 L1

Ensure Ingress Filtering is set for EBGP peers

Details

Filter prefixes advertised to the router through eBGP.

Rationale:

In addition to filtering Bogon and Martian routes, JUNOS routers peering with eBGP neighbors should also apply Ingress Filtering to prevent the router from processing bad updates sent by the neighbor router, whether maliciously or by accident. At a minimum, prefix filters should deny any prefix which belongs to your own AS. Depending on your type of deployment, you may also wish to block prefixes which are more specific than those issued by RIRs, or limit ISP customers to advertising only those prefixes which you have assigned to them.

Solution

From the [edit policy-options] hierarchy, define a new policy by issuing the following commands:

[edit policy-options]
user@host# edit policy-statement <policy name> term <term name>
[edit policy-options policy-statement <policy name> term <term name>]
user@host# set from route-filter <network>/<mask> <match type> reject

Now apply the policy, either globally, to a group or to an individual peer as required by your environment.

[edit protocols bgp <group or neighbor>]
user@host# set import <policy name>
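
The following audit script is an added example, not part of the CIS benchmark text. It reads configuration in "show configuration | display set" form and reports external BGP groups that have no import policy, or whose import policy does not reject the router's own prefixes. The sample configuration, policy and group names, and prefixes are constructed. The script assumes inline "route-filter ... reject" actions and does not evaluate neighbor-level imports, prefix-lists or configuration groups.

```python
import ipaddress
import re

# Constructed sample in "display set" form (not taken from the benchmark).
SAMPLE = """\
set policy-options policy-statement EBGP-IN term own-as from route-filter 192.0.2.0/24 orlonger reject
set policy-options policy-statement EBGP-IN term rest then accept
set protocols bgp group TRANSIT type external
set protocols bgp group TRANSIT import EBGP-IN
set protocols bgp group TRANSIT neighbor 198.51.100.1 peer-as 64500
set protocols bgp group CUSTOMER type external
set protocols bgp group CUSTOMER neighbor 203.0.113.9 peer-as 64501
set protocols bgp group CORE type internal
"""

def covers(flt, net):
    """True if the reject filter (network, match type) matches net itself."""
    base, match = flt
    if match == "exact":
        return net == base
    return net.version == base.version and net.subnet_of(base)

def audit(config, own_prefixes):
    """Return {group: finding} for external groups lacking own-AS ingress filtering."""
    own = [ipaddress.ip_network(p) for p in own_prefixes]
    rejects, external, imports, global_import = {}, set(), {}, []
    for line in config.splitlines():
        if m := re.match(r"set policy-options policy-statement (\S+) term \S+ from "
                         r"route-filter (\S+) (exact|orlonger) reject$", line):
            rejects.setdefault(m[1], []).append((ipaddress.ip_network(m[2]), m[3]))
        elif m := re.match(r"set protocols bgp group (\S+) type external$", line):
            external.add(m[1])
        elif m := re.match(r"set protocols bgp group (\S+) import (\S+)$", line):
            imports.setdefault(m[1], []).append(m[2])
        elif m := re.match(r"set protocols bgp import (\S+)$", line):
            global_import.append(m[1])
    findings = {}
    for group in sorted(external):
        # A group-level import replaces the global one rather than adding to it.
        policies = imports.get(group) or global_import
        if not policies:
            findings[group] = "no import policy"
            continue
        filters = [f for p in policies for f in rejects.get(p, [])]
        missing = [str(n) for n in own if not any(covers(f, n) for f in filters)]
        if missing:
            findings[group] = "own prefixes not rejected: " + ", ".join(missing)
    return findings
```

Run against the sample with 192.0.2.0/24 as the router's own prefix, audit() flags only the CUSTOMER group, which is still in the default state of having no ingress filtering.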

Default Value:

No Ingress Filtering is applied by default.

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection. This control applies to the following type of system: Juniper.

Updated on July 16, 2022