← Back to Juniper Router RTR Security Technical Implementation Guide

V-217058

CAT III (Low)

The Juniper BGP router must be configured to reject route advertisements from BGP peers that do not list their autonomous system (AS) number as the first AS in the AS_PATH attribute.

Rule ID

SV-217058r945854_rule

STIG

Juniper Router RTR Security Technical Implementation Guide

Version

V3R2

CCIs

CCI-000032

Discussion

Verifying the path a route has traversed will ensure the IP core is not used as a transit network for unauthorized or possibly even Internet traffic. All autonomous system boundary routers (ASBRs) must ensure updates received from eBGP peers list their AS number as the first AS in the AS_PATH attribute.

Check Content

Review the router configuration to verify the router is configured to deny updates received from eBGP peers that do not list their AS number as the first AS in the AS_PATH attribute. Verify that the enforce-first-as command has been configured at the BGP or group hierarchy as shown in the example below:

protocols {
…
…
…
    bgp {
        enforce-first-as;

If the router is not configured to reject updates from peers that do not list their AS number as the first AS in the AS_PATH attribute, this is a finding.

Fix Text

Configure the router to deny updates received from eBGP peers that do not list their AS number as the first AS in the AS_PATH attribute using the enforce-first-as command as shown in the example below:

[edit protocols bgp group]
set enforce-first-as