Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
If user-based firewall policies are not used, this is not applicable. To verify the existence of user-based firewall policies, view a summary of all policies configured on the firewall. [edit] show security policies If the source identity is not specified in any policy for a particular zone pair, this is a finding.
Configure attribute-based security policies to enforce approved authorizations for logical access to information and system resources using the following commands. To configure redirection from the SRX Series device to the Access Control Service, from configuration mode, configure the UAC profile for the captive portal <acs-device>. [edit] set services unified-access-control captive-portal <acs-device-name> redirect-traffic unauthenticated Configure the redirection URL for the Access Control Service or a default URL for the captive portal. [edit] set services unified-access-control captive-portal acs-device redirect-url https://%ic-url%/?target=%dest-url%&enforcer=%enforcer-id% This policy specifies the default target and enforcer variables to be used by the Access Control Service to direct the user back after authentication. This ensures that changes to system specifications will not affect configuration results. Configure a user role firewall policy that redirects HTTP traffic from zone trust to zone untrust if the source-identity is unauthenticated-user. The captive portal profile name is specified as the action to be taken for traffic matching this policy. The following is an example only since there the actual policy is dependent on the architecture of the organization's network. [edit] set security policies from-zone trust to-zone untrust policy user-role-fw1 match source-address any set security policies from-zone trust to-zone untrust policy user-role-fw1 match destination-address any set security policies from-zone trust to-zone untrust policy user-role-fw1 match application http set security policies from-zone trust to-zone untrust policy user-role-fw1 match source-identity unauthenticated-user set security policies from-zone trust to-zone untrust policy user-role-fw1 then permit app
To verify what is logged in the Syslog, view the Syslog server (Syslog server configuration is out of scope for this STIG); however, the reviewer must also verify that packets are being logged to the local log using the following commands. From operational mode, enter the following command. show firewall log View the Action column; the configured action of the term matches the action taken on the packet: A (accept), D (discard). If events in the log do not reflect the action taken on the packet, this is a finding.
Include the log and/or syslog action in all term to log packets matching each firewall term to ensure the term results are recorded in the firewall log and Syslog. To get traffic logs from permitted sessions, add "then log session-close" to each policy. To get traffic logs from denied sessions, add "then log session-init" to the policy. Firewall filter: [edit] set firewall family <family name> filter <filter_name> term <term_name> then log Examples: set firewall family inet filter protect_re term tcp-connection then syslog set firewall family inet filter protect_re term tcp-connection then log set firewall family inet filter ingress-filter-v4 term deny-dscp then log set firewall family inet filter ingress-filter-v4 term deny-dscp then syslog Security policy and security screens: set security policies from-zone <zone_name> to-zone <zone_name> policy <policy_name> then log Example: set security policies from-zone untrust to-zone trust policy default-deny then log
To verify what is logged in the Syslog, view the Syslog server (Syslog server configuration is out of scope for this STIG); however, the reviewer must also verify that packets are being logged to the local log using the following commands. From operational mode, enter the following command. show firewall log View the Action column; the configured action of the term matches the action taken on the packet: A (accept), D (discard). If events in the log do not reflect the action taken on the packet, this is a finding.
Include the log and/or syslog action in all zone configurations to log attempts to access zones. To get traffic logs from permitted sessions, add "then log session-close" to the policy. To get traffic logs from denied sessions, add "then log session-init" to the policy. set security policies from-zone <zone_name> to-zone <zone_name> policy <policy_name> then log Example: set security policies from-zone untrust to-zone trust policy default-deny then log
To verify that traffic logs are being sent to the syslog server, check the syslog server files. If traffic logs are not being sent to the syslog server, this is a finding.
Logging for security-related sources such as screens and security policies must be configured separately. The following example specifies that security log messages in structured-data format (syslog format) are sent from the source <MGT IP address> (e.g., the SRX's loopback or other interface IP address) to an external syslog server. [edit] set security log cache set security log format syslog set security log source-address <MGT IP Address> set security log stream <stream name> host <syslog server IP Address> To get traffic logs from permitted sessions, add "then log session-close" to the policy. To get traffic logs from denied sessions, add "then log session-init" to the policy. Enable Logging on Security Policies: [edit] set security policies from-zone <zone-name> to-zone <zone-name> policy <policy-name> then log <event> Example to log session init and session close events: set security policies from-zone trust to-zone untrust policy default-permit then log session-init set security policies from-zone trust to-zone untrust policy default-permit then log session-close
Verify logging has been enabled and configured. [edit] show log <LOG-NAME> match "RT_FLOW_SESSION" If a local log file or files is not configured to capture "RT_FLOW_SESSION" events, this is a finding.
The following example commands configure local backup files to capture DoD-defined auditable events. [edit] set system syslog file <LOG-NAME> any info set system syslog file <LOG-NAME> match "RT_FLOW_SESSION " Example: set system syslog file<LOG-NAME> match "RT_FLOW_SESSION "
Review the documentation and architecture for the device. <root> show system license If unneeded services and functions are installed on the device, but are not part of the documented role of the device, this is a finding.
Remove unnecessary services and functions. From operational mode, display the licenses available to be deleted; enter the following commands. request system license delete license-identifier-list ? request system license delete <license-identifier> Note: Only remove unauthorized services. This control is not intended to restrict the use of Juniper SRX devices with multiple authorized roles.
Check both the zones and the interface stanza to ensure NTP is not configured as a service option. [edit] show security zones and, for each interface used, enter: show security zones <zone-name> interface <interface-name> If NTP is included in any of the zone or interface stanzas, this is a finding.
Delete NTP options from zones and interface commands. Re-enter the set security zone command without the "ntp" attribute. The exact command entered depends how the zone is configured with the authorized attributes, services, and options. Examples: [edit] set security zones security-zone <zone-name> interfaces <interface-name> host-inbound-traffic
Check both the zones and the interface stanza to ensure DNS proxy server services are not configured. [edit} show system services dns If a stanza exists for DNS (e.g., forwarders option), this is a finding.
First, remove the DNS stanza. Then re-enter the set security zones and interfaces command without the "dns" attribute. The exact command entered depends how the zone is configured with the authorized attributes, services, and options. Examples: [edit] delete system services dns set security zones security-zone <zone-name> interfaces <interface-name> host-inbound-traffic
Check both the zones and the interface stanza to ensure DHCP proxy server services are not configured. [edit] show system services dhcp If a stanza exists for DHCP (e.g., forwarders option), this is a finding.
First, remove the DHCP stanza. Then re-enter the set security zones and interfaces command without the "dhcp" attribute. The exact command entered depends how the zone is configured with the authorized attributes, services, and options. Examples: [edit] delete system services dhcp set security zones security-zone <zone-name> interfaces <interface-name> host-inbound-traffic
Entering the following commands from the configuration level of the hierarchy. [edit] show security services If functions, ports, protocols, and services identified on the PPSM CAL are not disabled, this is a finding.
Ensure functions, ports, protocols, and services identified on the PPSM CAL are not used for system services configuration. [edit] show security services Compare the services which are enabled, including the port, services, protocols and functions. Consult the Juniper knowledge base and configuration guides to determine the commands for disabling each port, protocol, service or function that is not in compliance with the PPSM CAL and vulnerability assessments.
Check both the applications and protocols to ensure session inactivity timeout for communications sessions is set to 900 seconds or less. First get a list of security policies, then enter the show details command for each policy-name found. [edit] show security policies show security policy <policy-name> details Example: Application: any IP protocol: 0, ALG: 0, Inactivity timeout: 0 Verify an activity timeout is configured for either "any" application or, at a minimum, the pre-defined applications (i.e., application names starting with junos-). To verify locally created applications, first get a list of security policies, then enter the show details command for each policy-name found. [edit] Show applications show applications application <application-name> If an inactivity timeout value of 900 seconds or less is not set for each locally created application and pre-defined applications, this is a finding.
Add or update the session inactivity timeout for communications sessions to 900 seconds or less. Examples: [edit] set applications application <application-name> term 1 protocol udp inactivity-timeout 900 set applications application junos-http inactivity-timeout 900 Or Create a service that matches any TCP/UDP: [edit] set applications application TCP-ALL source-port 1-65535 destination-port 1-65535 protocol tcp inactivity-timeout 900 Note: When pre-defined applications are used in firewall policies, the timeout value must be set in the policy stanza.
Run the following command to see the screen options currently configured: [edit] show security screen ids-option show security zone match "screen" If security screens are not configured or if the security zone is not configured with screen options, this is a finding.
The following example commands configure security screens under a profile named untrust-screen. Screen options, with configurable thresholds may be customized to minimize/prevent operational impact on traffic performance. [edit] set security screen ids-option <zone-name> <screen name> <option name> <value> Based on 800-53 requirements and vendor recommendations, the following DoS screens are required, at a minimum, for use in DoD configurations. set security screen ids-option untrust-screen icmp ip-sweep threshold 1000 set security screen ids-option untrust-screen tcp port-scan threshold 1000 set security screen ids-option untrust-screen tcp sin-flood alarm-threshold 1000 set security screen ids-option untrust-screen tcp syn-flood attack-threshold 1100 set security screen ids-option untrust-screen tcp syn-flood source-threshold 100 set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048 set security screen ids-option untrust-screen tcp syn-flood timeout 20 set security screen ids-option untrust-screen udp flood threshold 5000 set security screen ids-option untrust-screen udp udp-sweep threshold 1000 To enable screen protection, the screen profile must be associated with individual security zones using the following command. Recommend assigning "untrust-screen" profile name to the default zone named "untrust". [edit] set security zone security-zone <zone-name> screen <screen-profile> Example: set security zones security-zone untrust screen untrust-screen
Since load balancing is a highly complex configuration that can be implemented using a wide variety of configurations, ask the site representative to demonstrate the method used and the configuration. If load balancing is not implemented on the perimeter firewall, this is a finding.
Consult vendor configuration guides and knowledge base. Implement one or more methods of load balance (e.g., filter based forwarding, per flow load balancing, per-packet load balancing, or High Availability [HA]).
Run the following command to see the screen options currently configured: [edit] show security screen ids-option show security zone match "screen" If security screens are not configured or if the security zone is not configured with screen options, this is a finding.
The following example commands configure security screens under a profile named untrust-screen. Screen options with configurable thresholds may be customized to minimize/prevent operational impact on traffic performance. [edit] set security screen ids-option <zone-name> <screen name> <option name> <value> Based on 800-53 requirements and vendor recommendations, the following signature-based screens are required, at a minimum, for use in DoD configurations. set security screen ids-option untrust-screen icmp ping-death set security screen ids-option untrust-screen ip bad-option set security screen ids-option untrust-screen ip record-route-option set security screen ids-option untrust-screen ip timestamp-option set security screen ids-option untrust-screen ip security-option set security screen ids-option untrust-screen ip stream-option set security screen ids-option untrust-screen ip spoofing set security screen ids-option untrust-screen ip source-route-option set security screen ids-option untrust-screen ip unknown-protocol set security screen ids-option untrust-screen ip tear-drop set security screen ids-option untrust-screen ip ipv6-extension-header hop-by-hop-header jumbo-payload-option set security screen ids-option untrust-screen ip ipv6-extension-header hop-by-hop-header router-alert-option set security screen ids-option untrust-screen ip ipv6-extension-header hop-by-hop-header quick-start-option set security screen ids-option untrust-screen ip ipv6-extension-header routing-header set security screen ids-option untrust-screen ip ipv6-extension-header fragment-header set security screen ids-option untrust-screen ip ipv6-extension-header no-next-header set security screen ids-option untrust-screen ip ipv6-extension-header shim6-header set security screen ids-option untrust-screen ip ipv6-extension-header mobility-header set security screen ids-option untrust-screen ip ipv6-malformed-header set security screen ids-option untrust-screen tcp syn-fin set security screen ids-option untrust-screen tcp fin-no-ack set security screen ids-option untrust-screen tcp tcp-no-flag set security screen ids-option untrust-screen tcp syn-frag set security screen ids-option untrust-screen tcp land To enable screen protection, the screen profile must be associated with individual security zones using the following command. Recommend assigning "untrust-screen" profile name to the default zone named "untrust". [edit] set security zone security-zone <ZONE NAME> screen <SCREEN PROFILE NAME> Example: set security zones security-zone untrust screen untrust-screen
Obtain and review the list of outbound interfaces and zones. This is usually part of the System Design Specification or Accreditation Package. Review each of the configured outbound interfaces and zones. Verify zones that communicate outbound have been configured with DoS screens. [edit] show security zones <security-zone-name> If the zone for the security screen has not been applied to all outbound interfaces, this is a finding.
To enable screen protection, the screen profile must be associated with individual security zones using the following command. Recommend assigning "untrust-screen" profile name. Apply screen to each outbound interface example: set security zones security-zone untrust interfaces <OUTBOUND-INTERFACE> set security zones security-zone trust screen untrust-screen
Obtain and review the list of authorized sources and destinations. This is usually part of the System Design Specification or Accreditation Package. Review each of the configured security policies in turn. [edit] show security policies <security-policy-name> If any existing policies allow traffic that is not part of the authorized sources and destinations list, this is a finding.
Configure a security policy or screen to each outbound zone to implement continuous monitoring. The following commands configure a security zone called “untrust” that can be used to apply security policy for inbound interfaces that are connected to untrusted networks. This example assumes that interfaces ge-0/0/1 and ge-0/0/2 are connected to untrusted and trusted network segments. Apply security policy a zone example: set security zones security-zone untrust interfaces ge-0/0/1.0 set security zones security-zone trust interfaces ge-0/0/2.0 set security policies from-zone trust to-zone untrust policy default-deny match destination-address any set security policies from-zone trust to-zone untrust policy default-deny then deny
Request documentation of the architecture and Juniper SRX configuration. Verify the site has configured the SRX to fail closed, thus preventing traffic from flowing through without filtering and inspection. If the site has not configured the SRX to fail closed, this is a finding.
Implement and configure the Juniper SRX to fail closed, thus preventing traffic from flowing through without filtering and inspection. In case of failure, document a process for the Juniper SRX to be configured to fail closed. Redundancy should be implemented if failing closed has a mission impact.
Verify the default-policy has not been changed and is set to deny all traffic. [edit] show security policies default-policy If the default-policy is not set to deny-all, this is a finding.
By default, the SRX device will not forward traffic unless it is explicitly permitted via security policy. If the default-policy has been changed, then this must be corrected using the set security policies default-policy command.
Verify ICMP messages are configured to meet DoD requirements. [edit] show firewall family inet If ICMP messages are not configured in compliance with DoD requirements, this is a finding.
Configure ICMP to meet DoD requirements. The following is an example which uses the filter name "protect_re" as the filter name with pre-configured address books (source-prefix-lists). [edit] set firewall family inet filter protect_re term permit-icmp from source-prefix-list ssh-addresses set firewall family inet filter protect_re term permit-icmp from source-prefix-list bgp-addresses set firewall family inet filter protect_re term permit-icmp from source-prefix-list loopback-addresses set firewall family inet filter protect_re term permit-icmp from source-prefix-list local-addresses set firewall family inet filter protect_re term permit-icmp from source-prefix-list ixiav4 set firewall family inet filter protect_re term permit-icmp from icmp-type echo-request set firewall family inet filter protect_re term permit-icmp from icmp-type echo-reply set firewall family inet filter protect_re term permit-icmp then log set firewall family inet filter protect_re term permit-icmp then syslog set firewall family inet filter protect_re term permit-icmp then accept set firewall family inet6 filter protect_re-v6 term permit-ar from icmp-type neighboradvertisement set firewall family inet6 filter protect_re-v6 term permit-ar from icmp-type neighborsolicit set firewall family inet6 filter ingress-v6 term permit-ar from icmp-type neighboradvertisement set firewall family inet6 filter ingress-v6 term permit-ar from icmp-type neighborsolicit set firewall family inet6 filter ingress-v6 term permit-ar from icmp-type 134 set firewall family inet6 filter ingress-v6 term permit-ar then accept set firewall family inet6 filter egress-v6 term permit-lr from icmp-type neighboradvertisement set firewall family inet6 filter egress-v6 term permit-lr from icmp-type neighbor-solicit set firewall family inet6 filter egress-v6 term permit-lr from icmp-type 134 set firewall family inet6 filter egress-v6 term permit-lr then accept
For each inbound zone, verify a firewall screen or security policy is configured. [edit] show security zone show security policies If communications traffic for each inbound zone is not configured with a firewall screen and/or security policy, this is not a finding.
Configure a security policy or screen to each inbound zone to implement continuous monitoring. The following commands configure a security zone called “untrust” that can be used to apply security policy for inbound interfaces that are connected to untrusted networks. This example assumes that interfaces ge-0/0/1 and ge-0/0/2 are connected to untrusted and trusted network segments. Apply policy or screen to a zone example: set security zones security-zone untrust interfaces ge-0/0/1.0 set security zones security-zone trust interfaces ge-0/0/2.0 set security zones security-zone untrust screen untrust-screen set security policies from-zone untrust to-zone trust policy default-deny match destination-address any set security policies from-zone untrust to-zone trust policy default-deny then deny
For each outbound zone, verify a firewall screen or security policy is configured. [edit] show security zones show security policies If communications traffic for each outbound zone is not configured with a firewall screen or security policy, this is not a finding.
Configure a security policy or screen to each outbound zone to implement continuous monitoring. The following commands configure a security zone called “untrust” that can be used to apply security policy for inbound interfaces that are connected to untrusted networks. This example assumes that interfaces ge-0/0/1 and ge-0/0/2 are connected to untrusted and trusted network segments. Apply policy or screen to a zone example: set security zones security-zone untrust interfaces ge-0/0/1.0 set security zones security-zone trust interfaces ge-0/0/2.0 set security zones security-zone untrust screen untrust-screen set security policies from-zone trust to-zone untrust policy default-deny match destination-address any set security policies from-zone trust to-zone untrust policy default-deny then deny
For each zone, verify a log event, SNMP trap, or SNMP notification is generated and sent to be forwarded to, at a minimum, the ISSO and ISSM when unusual/unauthorized activities or conditions are detected during continuous monitoring of communications traffic as it traverses inbound or outbound across internal security boundaries. [edit] show security zones show security polices If each inbound and outbound zone policy does not generate an alert that can be forwarded to, at a minimum, the ISSO and ISSM when unusual/unauthorized activities or conditions are detected during continuous monitoring of communications traffic as it traverses inbound or outbound across internal security boundaries, this is a finding.
Configure the Juniper SRX to generate and send a notification or log message immediately that can be forwarded via an event monitoring system (e.g., via Syslog configuration, SNMP trap, manned console message, or other events monitoring system). The NSM, Syslog, or SNMP server must then be configured to send the message. The following example configures the zone security policy to include the log and/or syslog action in all terms to log packets matching each firewall term to ensure the term results are recorded in the firewall log and Syslog. To get traffic logs from permitted sessions, add "then log session-close" to each policy. To get traffic logs from denied sessions, add "then log session-init" to the policy. Security policy and security screens: set security policies from-zone <zone_name> to-zone <zone_name> policy <policy_name> then log Example: set security policies from-zone untrust to-zone trust policy default-deny then log session-init
Obtain the list of threats identified by authoritative sources from the ISSM or ISSO. For each threat, ensure a security policy, screen, or filter that denies or mitigates the threat includes the log or syslog option. Verify a log event, SNMP trap, or SNMP notification is generated and sent to be forwarded to, at a minimum, the ISSO and ISSM when threats identified by authoritative sources are detected. [edit] show security zones show security polices If an alert is not generated that can be forwarded to, at a minimum, the ISSO and ISSM when threats identified by authoritative sources are detected, this is a finding.
Configure the Juniper SRX to generate and send a notification or log message that can be forwarded via an event monitoring system (e.g., via Syslog configuration, SNMP trap, manned console message, or other events monitoring system). The NSM, Syslog, or SNMP server must then be configured to send the message. The following example configures the zone security policy to include the log and/or syslog action in all terms to log packets matching each firewall term to ensure the term results are recorded in the firewall log and Syslog. To get traffic logs from permitted sessions, add "then log session-close" to each policy. To get traffic logs from denied sessions, add "then log session-init" to the policy. Security policy and security screens: set security policies from-zone <zone_name> to-zone <zone_name> policy <policy_name> then log Example: set security policies from-zone untrust to-zone trust policy default-deny then log session-init
Verify a security policy with an associated screen that denies or mitigates the threat of DoS attacks includes the log or syslog option. Verify a log event, SNMP trap, or SNMP notification is generated and sent to be forwarded to, at a minimum, the ISSO and ISSM when threats identified by authoritative sources are detected. [edit] show security zones show security polices If an alert is not generated that can be forwarded to, at a minimum, the ISSO and ISSM when DoS incidents are detected, this is a finding.
Configure the Juniper SRX to generate for DoS attacks detected in CCI-002385. DoS attacks are detected using screens. The alert sends a notification or log message that can be forwarded via an event monitoring system (e.g., via Syslog configuration, SNMP trap, manned console message, or other events monitoring system). The NSM, Syslog, or SNMP server must then be configured to send the message. The following example configures the zone security policy to include the log and/or syslog action in all terms to log packets matching each firewall term to ensure the term results are recorded in the firewall log and Syslog. To get traffic logs from permitted sessions, add "then log session-close" to each policy. To get traffic logs from denied sessions, add "then log session-init" to the policy. Apply policy or screen to a zone example: set security zones security-zone trust interfaces ge-0/0/2.0 set security zones security-zone untrust screen untrust-screen set security policies from-zone untrust to-zone trust policy default-deny then log session-init