Juniper SRX SG NDM Security Technical Implementation Guide

Description

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: [email protected]

Details

Version / Release: V2R1

Published: 2021-03-25

Updated At: 2021-05-02 20:56:22

    Vuln Rule Version CCI Severity Title Description Status Finding Details Comments
    SV-223180r513235_rule JUSX-DM-000001 CCI-000054 LOW The Juniper SRX Services Gateway must limit the number of concurrent sessions to a maximum of 10 or less for remote access using SSH. The connection-limit command limits the total number of concurrent SSH sessions. To help thwart brute force authentication attacks, the connection limit should be as restrictive as operationally practical. Juniper Networks recommends the best practice of
    SV-223181r513238_rule JUSX-DM-000015 CCI-000018 MEDIUM For local accounts created on the device, the Juniper SRX Services Gateway must automatically generate log records for account creation events. Upon gaining access to a network device, an attacker will often first attempt to create a persistent method of reestablishing access. One way to accomplish this is to create a new account. Notification of account creation helps to mitigate this risk. Audi
    SV-223182r513241_rule JUSX-DM-000016 CCI-001403 MEDIUM For local accounts created on the device, the Juniper SRX Services Gateway must automatically generate log records for account modification events. Upon gaining access to a network device, an attacker will often first attempt to modify existing accounts to increase/decrease privileges. Notification of account modification events helps to mitigate this risk. Auditing account modification events provide
    SV-223183r513244_rule JUSX-DM-000017 CCI-001404 MEDIUM For local accounts created on the device, the Juniper SRX Services Gateway must automatically generate log records for account disabling events. When device management accounts are disabled, user or service accessibility may be affected. Auditing also ensures authorized, active accounts remain enabled and available for use when required. Without this audit trail, personnel without the proper autho
    SV-223184r513247_rule JUSX-DM-000018 CCI-001405 MEDIUM For local accounts created on the device, the Juniper SRX Services Gateway must automatically generate log records for account removal events. Auditing account removal actions will support account management procedures. When device management accounts are terminated, user or service accessibility may be affected. Auditing also ensures authorized active accounts remain enabled and available for u
    SV-223185r513250_rule JUSX-DM-000023 CCI-002130 MEDIUM The Juniper SRX Services Gateway must automatically generate a log event when accounts are enabled. Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply enable a new or disabled account. Notification of account
    SV-223186r513253_rule JUSX-DM-000025 CCI-000213 MEDIUM The Juniper SRX Services Gateway must enforce the assigned privilege level for each administrator and authorizations for access to all commands by assigning a login class to all AAA-authenticated users. To mitigate the risk of unauthorized privileged access to the device, administrators must be assigned only the privileges needed to perform the tasked assigned to their roles. Although use of an AAA server is required for non-local access for device man
    SV-223187r513256_rule JUSX-DM-000029 CCI-002234 LOW The Juniper SRX Services Gateway must generate a log event when privileged commands are executed. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts
    SV-223188r513259_rule JUSX-DM-000030 CCI-000044 LOW For local accounts created on the device, the Juniper SRX Services Gateway must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Juniper SRX is unable to comply with the 15-minute time period part of this control.
    SV-223189r513262_rule JUSX-DM-000032 CCI-000048 LOW The Juniper SRX Services Gateway must display the Standard Mandatory DoD Notice and Consent Banner before granting access. Display of the DoD-approved use notification before granting access to the network device ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, a
    SV-223191r513265_rule JUSX-DM-000040 CCI-000172 LOW The Juniper SRX Services Gateway must generate log records when successful attempts to configure the device and use commands occur. Without generating log records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. While the Juniper SRX inherently has the capability to generate log records, by defa
    SV-223192r513268_rule JUSX-DM-000041 CCI-000172 LOW The Juniper SRX Services Gateway must generate log records when changes are made to administrator privileges. Without generating log records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
    SV-223193r513271_rule JUSX-DM-000042 CCI-000172 LOW The Juniper SRX Services Gateway must generate log records when administrator privileges are deleted. Without generating log records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
    SV-223194r513274_rule JUSX-DM-000043 CCI-000172 LOW The Juniper SRX Services Gateway must generate log records when logon events occur. Without generating log records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
    SV-223195r513277_rule JUSX-DM-000044 CCI-000172 LOW The Juniper SRX Services Gateway must generate log records when privileged commands are executed. Without generating log records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
    SV-223196r513280_rule JUSX-DM-000046 CCI-000172 LOW The Juniper SRX Services Gateway must generate log records when concurrent logons from different workstations occur. Without generating log records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
    SV-223197r513283_rule JUSX-DM-000055 CCI-000135 LOW The Juniper SRX Services Gateway must generate log records containing the full-text recording of privileged commands. Reconstruction of harmful events or forensic analysis is not possible if log records do not contain enough information. Organizations consider limiting the additional audit information to only that information explicitly needed for specific audit requir
    SV-223198r513286_rule JUSX-DM-000056 CCI-001849 MEDIUM For local log files, the Juniper SRX Services Gateway must allocate log storage capacity in accordance with organization-defined log record storage requirements so that the log files do not grow to a size that causes operational issues. In order to ensure network devices have a sufficient storage capacity in which to write the logs, they need to be able to allocate audit record storage capacity. The task of allocating audit record storage capacity is usually performed during initial devi
    SV-223199r513289_rule JUSX-DM-000059 CCI-001858 MEDIUM The Juniper SRX Services Gateway must generate an immediate system alert message to the management console when a log processing failure is detected. It is critical for the appropriate personnel to be aware if a system is at risk of failing to process logs as required. Without an immediate alert for critical system issues, security personnel may be unaware of an impending failure of the audit capabilit
    SV-223201r513292_rule JUSX-DM-000065 CCI-001890 MEDIUM The Juniper SRX Services Gateway must record time stamps for log records using Coordinated Universal Time (UTC). If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis. UTC is normally used in DoD; however, Greenwich Mean Time (GMT) may be used if needed for mission requirements.
    SV-223202r513295_rule JUSX-DM-000077 CCI-001812 MEDIUM The Juniper SRX Services Gateway must implement logon roles to ensure only authorized roles are allowed to install software and updates. Allowing anyone to install software, without explicit privileges, creates the risk that untested or potentially malicious software will be installed on the system. This requirement applies to code changes and upgrades for all network devices. For example
    SV-223203r513298_rule JUSX-DM-000084 CCI-000366 MEDIUM If the loopback interface is used, the Juniper SRX Services Gateway must protect the loopback interface with firewall filters for known attacks that may exploit this interface. The loopback interface is a logical interface and has no physical port. Since the interface and its address ranges are well-known, this interface must be filtered to protect the Juniper SRX from attacks.
    SV-223204r513301_rule JUSX-DM-000087 CCI-000366 LOW The Juniper SRX Services Gateway must have the number of rollbacks set to 5 or more. Backup of the configuration files allows recovery in case of corruption, misconfiguration, or catastrophic failure. The maximum number of rollbacks for the SRX is 50 while the default is 5 which is recommended as a best practice. Increasing this backup co
    SV-223205r513304_rule JUSX-DM-000094 CCI-000366 MEDIUM The Juniper SRX Services Gateway must be configured to synchronize internal information system clocks with the primary and secondary NTP servers for the network. The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on log events and other functions. Multiple time sources provide redundancy by inc
    SV-223206r539624_rule JUSX-DM-000095 CCI-000366 MEDIUM The Juniper SRX Services Gateway must be configured to use an authentication server to centrally manage authentication and logon settings for remote and nonlocal access. Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is a particularly important protection against the insider threat. Audit records for administrator accounts access to the organiza
    SV-223207r513310_rule JUSX-DM-000105 CCI-000366 MEDIUM The Juniper SRX Services Gateway must use DoD-approved PKI rather than proprietary or self-signed device certificates. Using DoD-approved PKI mitigates the risk of unauthorized access to sensitive information by entities that have not been issued certificates by a DoD-approved PKI. The SRX generates a key-pair and a CSR. The CSR is sent to the approved CA, who signs it and returns it as a certifi
    SV-223208r513313_rule JUSX-DM-000108 CCI-000382 MEDIUM The Juniper SRX Services Gateway must be configured to prohibit the use of unnecessary and/or nonsecure functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable unused or unnecessary physical and logical ports/protocol
    SV-223209r513316_rule JUSX-DM-000109 CCI-000382 MEDIUM For nonlocal maintenance sessions, the Juniper SRX Services Gateway must remove or explicitly deny the use of nonsecure protocols. If unsecured protocols (lacking cryptographic mechanisms) are used for sessions, the contents of those sessions will be susceptible to manipulation, potentially allowing alteration and hijacking of maintenance sessions. Nonlocal maintenance and diagnosti
    SV-223210r513319_rule JUSX-DM-000110 CCI-001967 MEDIUM The Juniper SRX Services Gateway must authenticate NTP servers before establishing a network connection using bidirectional authentication that is cryptographically based. Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of gre
    SV-223211r513322_rule JUSX-DM-000111 CCI-000382 HIGH If SNMP is enabled, the Juniper SRX Services Gateway must use and securely configure SNMPv3. To prevent non-secure protocol communications with the organization's local SNMPv3 services, the SNMP client on the Juniper SRX must be configured for proper identification and strong cryptographically-based protocol for authentication. SNMPv3 defines a
    SV-223212r513325_rule JUSX-DM-000112 CCI-000382 MEDIUM The Juniper SRX Services Gateway must ensure SSH is disabled for root user logon to prevent remote access using the root account. Since the identity of the root account is well-known for systems based upon Linux or UNIX and this account does not have a setting to limit access attempts, there is risk of a brute force attack on the password. Root access would give superuser access to
    SV-223213r513328_rule JUSX-DM-000113 CCI-000382 MEDIUM The Juniper SRX Services Gateway must ensure access to start a UNIX-level shell is restricted to only the root account. Restricting the privilege to create a UNIX-level shell limits access to this powerful function. System administrators, regardless of their other permissions, will need to also know the root password for this access, thus limiting the possibility of malici
    SV-223214r513331_rule JUSX-DM-000114 CCI-000382 MEDIUM The Juniper SRX Services Gateway must ensure TCP forwarding is disabled for SSH to prevent unauthorized access. Use this configuration option to prevent a user from creating an SSH tunnel over a CLI session to the Juniper SRX via SSH. This type of tunnel could be used to forward TCP traffic, bypassing any firewall filters or ACLs, allowing unauthorized access.
    SV-223215r513334_rule JUSX-DM-000115 CCI-000382 MEDIUM The Juniper SRX Services Gateway must be configured with only one local user account to be used as the account of last resort. Without centralized management, credentials for some network devices will be forgotten, leading to delays in administration, which itself leads to delays in remediating production problems and in addressing compromises in a timely fashion. Maintaining loc
    SV-223216r513337_rule JUSX-DM-000124 CCI-001941 MEDIUM The Juniper SRX Services Gateway must implement replay-resistant authentication mechanisms for network access to privileged accounts. A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack. An authentication process
    SV-223217r513340_rule JUSX-DM-000128 CCI-000205 MEDIUM For local accounts using password authentication (i.e., the root account and the account of last resort), the Juniper SRX Services Gateway must enforce a minimum 15-character password length. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. The shorter the password, the lower the number of possible combinations that need to be tested before the password
    SV-223218r513343_rule JUSX-DM-000129 CCI-000192 MEDIUM For local accounts using password authentication (i.e., the root account and the account of last resort), the Juniper SRX Services Gateway must enforce password complexity by setting the password change type to character sets. Use of complex passwords helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. The pas
    SV-223219r513346_rule JUSX-DM-000130 CCI-000192 MEDIUM For local accounts using password authentication (i.e., the root account and the account of last resort), the Juniper SRX Services Gateway must enforce password complexity by requiring at least one upper-case character be used. Use of complex passwords helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Passwor
    SV-223220r513349_rule JUSX-DM-000131 CCI-000193 MEDIUM For local accounts using password authentication (i.e., the root account and the account of last resort), the Juniper SRX Services Gateway must enforce password complexity by requiring at least one lower-case character be used. Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password
    SV-223221r513352_rule JUSX-DM-000132 CCI-000194 MEDIUM For local accounts using password authentication (i.e., the root account and the account of last resort), the Juniper SRX Services Gateway must enforce password complexity by requiring at least one numeric character be used. Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password
    SV-223222r513355_rule JUSX-DM-000133 CCI-001619 MEDIUM For local accounts using password authentication (i.e., the root account and the account of last resort), the Juniper SRX Services Gateway must enforce password complexity by requiring at least one special character be used. Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password
    SV-223223r513358_rule JUSX-DM-000136 CCI-000197 MEDIUM For local accounts using password authentication (i.e., the root account and the account of last resort) the Juniper SRX Services Gateway must use the SHA1 or later protocol for password authentication. Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. The password format command is an optional co
    SV-223224r513361_rule JUSX-DM-000146 CCI-002890 HIGH For nonlocal maintenance sessions using SNMP, the Juniper SRX Services Gateway must use and securely configure SNMPv3 with SHA to protect the integrity of maintenance and diagnostic communications. Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an exter
    SV-223225r513364_rule JUSX-DM-000147 CCI-002890 MEDIUM For nonlocal maintenance sessions using SSH, the Juniper SRX Services Gateway must securely configure SSHv2 Message Authentication Code (MAC) algorithms to protect the integrity of maintenance and diagnostic communications. To protect the integrity of nonlocal maintenance sessions, SSHv2 with MAC algorithms for integrity checking must be configured. Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network,
    SV-223226r513367_rule JUSX-DM-000149 CCI-003123 HIGH For nonlocal maintenance sessions using SNMP, the Juniper SRX Services Gateway must securely configure SNMPv3 with privacy options to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions. Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating throu
    SV-223227r513370_rule JUSX-DM-000150 CCI-003123 MEDIUM For nonlocal maintenance sessions using SSH, the Juniper SRX Services Gateway must securely configure SSHv2 with privacy options to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions. To protect the confidentiality of nonlocal maintenance sessions when using SSH communications, SSHv2, AES ciphers, and key-exchange commands are configured. Nonlocal maintenance and diagnostic activities are those activities conducted by individuals com
    SV-223228r513373_rule JUSX-DM-000152 CCI-003123 MEDIUM For nonlocal maintenance sessions, the Juniper SRX Services Gateway must ensure only zones where management functionality is desired have host-inbound-traffic system-services configured. Add a firewall filter to protect the management interface. Note: The dedicated management interface (if present), and an interface placed in the functional zone management, will not participate in routing network traffic. It will only support device manag
    SV-223229r513376_rule JUSX-DM-000153 CCI-000879 MEDIUM The Juniper SRX Services Gateway must immediately terminate SSH network connections when the user logs off, the session abnormally terminates, or an upstream link from the managed device goes down. This setting frees device resources and mitigates the risk of an unauthorized user gaining access to an open idle session. When sessions are terminated by a normal administrator log off, the Juniper SRX makes the current contents unreadable and no user
    SV-223230r513379_rule JUSX-DM-000154 CCI-000879 LOW The Juniper SRX Services Gateway must terminate the console session when the serial cable connected to the console port is unplugged. If a device management session or connection remains open after management is completed, it may be hijacked by an attacker and used to compromise or damage the network device.
    SV-223231r539622_rule JUSX-DM-000156 CCI-001133 MEDIUM The Juniper SRX Services Gateway must terminate a device management session after 10 minutes of inactivity, except to fulfill documented and validated mission requirements. Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session. Quickly terminating an idle session also frees up resources. This requirement does not mean that
    SV-223232r539622_rule JUSX-DM-000157 CCI-001133 MEDIUM The Juniper SRX Services Gateway must terminate a device management session if the keep-alive count is exceeded. Configuring the keep-alive for management protocols mitigates the risk of an open connection being hijacked by an attacker. The keep-alive messages and the interval between each message are used to force the system to disconnect a user that has lost netw
    SV-223233r513388_rule JUSX-DM-000162 CCI-002385 MEDIUM The Juniper SRX Services Gateway must configure the control plane to protect against or limit the effects of common types of Denial of Service (DoS) attacks on the device itself by configuring applicable system options and internet-options. DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. Juniper SRX uses the system commands, system internet-options, and scr
    SV-223234r513391_rule JUSX-DM-000163 CCI-002385 MEDIUM The Juniper SRX Services Gateway must limit the number of sessions per minute to an organization-defined number for SSH to protect remote access management from unauthorized access. The rate-limit command limits the number of SSH session attempts allowed per minute which helps limit an attacker's ability to perform DoS attacks. The rate limit should be as restrictive as operationally practical. Juniper Networks recommends a best pra
    SV-223235r513394_rule JUSX-DM-000164 CCI-002385 LOW The Juniper SRX Services Gateway must implement service redundancy to protect against or limit the effects of common types of Denial of Service (DoS) attacks on the device itself. Service redundancy may reduce the susceptibility to some DoS attacks. Organizations must consider the need for service redundancy in accordance with DoD policy. If service redundancy is required then this technical control is applicable. The Juniper SR
    SV-223236r513397_rule JUSX-DM-000166 CCI-000366 MEDIUM The Juniper SRX Services Gateway must be configured to use Junos 12.1 X46 or later to meet the minimum required version for DoD. Earlier versions of Junos may have reached the end of life cycle support by the vendor. Junos 12.1X46 is not a UC APL certified version, while 12.1X46 is UC APL Certified. The SRX with Junos 12.1X46 has been NIAP certified as a firewall and VPN. Junos 12.
    SV-223237r513400_rule JUSX-DM-000167 CCI-000382 HIGH For nonlocal maintenance sessions, the Juniper SRX Services Gateway must explicitly deny the use of J-Web. If unsecured functions (lacking FIPS-validated cryptographic mechanisms) are used for management sessions, the contents of those sessions are susceptible to manipulation, potentially allowing alteration and hijacking. J-Web (configured using the system s
    SV-229014r518220_rule JUSX-DM-000007 CCI-000169 MEDIUM The Juniper SRX Services Gateway must automatically terminate a network administrator session after organization-defined conditions or trigger events requiring session disconnect. Automatic session termination addresses the termination of administrator-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., network disconnect). Conditions or trigger
    SV-229015r518223_rule JUSX-DM-000019 CCI-000171 MEDIUM For local accounts, the Juniper SRX Services Gateway must generate an alert message to the management console and generate a log event record that can be forwarded to the ISSO and designated system administrators when local accounts are created. An authorized insider or individual who maliciously creates a local account could gain immediate access from a remote location to privileged information on a critical security device. Sending an alert to the administrators and ISSO when this action occurs
    SV-229016r518226_rule JUSX-DM-000020 CCI-000139 MEDIUM The Juniper SRX Services Gateway must generate an alert message to the management console and generate a log event record that can be forwarded to the ISSO and designated system administrators when the local accounts (i.e., the account of last resort or root account) are modified. An authorized insider or individual who maliciously modifies a local account could gain immediate access from a remote location to privileged information on a critical security device. Sending an alert to the administrators and ISSO when this action occur
    SV-229017r518229_rule JUSX-DM-000021 CCI-000140 MEDIUM The Juniper SRX Services Gateway must generate an alert message to the management console and generate a log event record that can be forwarded to the ISSO and designated system administrators when accounts are disabled. An authorized insider or individual who maliciously disables a local account could gain immediate access from a remote location to privileged information on a critical security device. Sending an alert to the administrators and ISSO when this action occur
    SV-229018r518232_rule JUSX-DM-000022 CCI-000366 MEDIUM The Juniper SRX Services Gateway must generate alerts to the management console and generate a log record that can be forwarded to the ISSO and designated system administrators when the local accounts (i.e., the account of last resort or root account) are deleted. An authorized insider or individual who maliciously deletes a local account could gain immediate access from a remote location to privileged information on a critical security device. Sending an alert to the administrators and ISSO when this action occurs
    SV-229019r518235_rule JUSX-DM-000024 CCI-000366 MEDIUM The Juniper SRX Services Gateway must generate an immediate alert message to the management console for account enabling actions. In order to detect and respond to events that affect network administrator accessibility and device processing, network devices must audit account enabling actions and, as required, notify the appropriate individuals so they can investigate the event. Al
    SV-229021r518241_rule JUSX-DM-000039 CCI-000366 LOW The Juniper SRX Services Gateway must allow only the ISSM (or administrators/roles appointed by the ISSM) to select which auditable events are to be generated and forwarded to the syslog and/or local logs. Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming th
    SV-229022r518244_rule JUSX-DM-000060 CCI-000366 LOW For local logging, the Juniper SRX Services Gateway must generate a message to the system management console when a log processing failure occurs. It is critical for the appropriate personnel to be aware if a system is at risk of failing to process logs as required. Without this alert, the security personnel may be unaware of an impending failure of the log capability and system operation may be adv
    SV-229023r518247_rule JUSX-DM-000061 CCI-000366 MEDIUM In the event that communications with the events server is lost, the Juniper SRX Services Gateway must continue to queue log records locally. It is critical that when the network device is at risk of failing to process logs as required, it take action to mitigate the failure. Log processing failures include: software/hardware errors; failures in the log capturing mechanisms; and audit storage c
    SV-229024r518250_rule JUSX-DM-000096 CCI-000366 MEDIUM The Juniper SRX Services Gateway must be configured to use an authentication server to centrally apply authentication and logon settings for remote and nonlocal access for device management. Centralized application (e.g., TACACS+, RADIUS) of authentication settings increases the security of remote and nonlocal access methods. This control is a particularly important protection against the insider threat. Audit records for administrator accoun
    SV-229025r518253_rule JUSX-DM-000097 CCI-000366 HIGH The Juniper SRX Services Gateway must be configured to use a centralized authentication server to authenticate privileged users for remote and nonlocal access for device management. Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is a particularly important protection against the insider threat. Audit records for administrator accounts access to the organiza
    SV-229026r518256_rule JUSX-DM-000098 CCI-000366 LOW The Juniper SRX Services Gateway must specify the order in which authentication servers are used. Specifying an authentication order implements an authentication, authorization, and accounting methods list to be used, thus allowing the implementation of redundant or backup AAA servers. These commands also ensure that a default method or order will not
    SV-229027r518259_rule JUSX-DM-000099 CCI-000366 LOW The Juniper SRX Services Gateway must detect the addition of components and issue a priority 1 alert to the ISSM and SA, at a minimum. The network device must automatically detect the installation of unauthorized software or hardware onto the device itself. Monitoring may be accomplished on an ongoing basis or by periodic monitoring. Automated mechanisms can be implemented within the net
    SV-229028r518262_rule JUSX-DM-000106 CCI-000366 MEDIUM The Juniper SRX Services Gateway must generate an alarm or send an alert message to the management console when a component failure is detected. Component (e.g., chassis, file storage, file corruption) failure may cause the system to become unavailable, which could result in mission failure since the network would be operating without a critical security traffic inspection or access function. Ale
    SV-229029r518265_rule JUSX-DM-000165 CCI-000366 MEDIUM The Juniper SRX Services Gateway must reveal log messages or management console alerts only to the ISSO, ISSM, and SA roles. Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state. Additionally, sensitive account information must not be revealed through error messages to unauthori
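Most of the rows above translate into a handful of Junos `set system ...` statements, and the practical question for an assessor is whether a given device's configuration actually carries them. As an added example (not from the STIG or from Juniper), the script below audits a Junos `show configuration | display set` dump against the SSH hardening, local password policy, AAA order, NTP authentication, SNMPv3, logging and idle-timeout requirements in the table. The embedded configuration is constructed for the example: the statement syntax is standard Junos, but the addresses, user and class names and the `$9$placeholder` secrets are assumptions, and the check names simply reuse the JUSX-DM identifiers from the table.

```python
"""Audit a Junos ``show configuration | display set`` dump against a subset of the
device-management requirements in the table above (JUSX-DM-0000xx).

Added example; not part of the STIG or of Juniper's documentation. The Junos
statement syntax is standard, but SAMPLE_CONFIG is a constructed configuration
whose addresses, names and "$9$placeholder" secrets are invented."""

# Constructed sample: a compliant management-plane configuration in display-set form.
SAMPLE_CONFIG = """
set system time-zone UTC
set system max-configurations-on-flash 5
set system authentication-order tacplus
set system authentication-order password
set system login message "DoD Notice and Consent Banner text goes here"
set system login retry-options tries-before-disconnect 3
set system login password minimum-length 15
set system login password change-type character-sets
set system login password minimum-upper-cases 1
set system login password minimum-lower-cases 1
set system login password minimum-numerics 1
set system login password minimum-punctuations 1
set system login password format sha256
set system login class stig-admin idle-timeout 10
set system login class stig-admin permissions all
set system services ssh root-login deny
set system services ssh no-tcp-forwarding
set system services ssh protocol-version v2
set system services ssh connection-limit 10
set system services ssh rate-limit 4
set system services ssh client-alive-count-max 3
set system services ssh macs hmac-sha2-256
set system services ssh ciphers aes256-ctr
set system ntp authentication-key 1 type sha1
set system ntp authentication-key 1 value "$9$placeholder"
set system ntp server 10.0.0.10 key 1
set system ntp server 10.0.0.11 key 1
set system ntp trusted-key 1
set system syslog host 10.0.0.20 any info
set system syslog file interactive-commands interactive-commands any
set snmp v3 usm local-engine user nms authentication-sha authentication-key "$9$placeholder"
set snmp v3 usm local-engine user nms privacy-aes128 privacy-key "$9$placeholder"
"""


def parse_set_lines(text):
    """Tokenise each ``set ...`` statement, dropping the leading ``set``."""
    return [ln.split()[1:] for ln in text.splitlines() if ln.strip().startswith("set ")]


def values_after(stmts, *path):
    """Tokens that directly follow ``path`` in any statement (e.g. every configured cipher)."""
    n = len(path)
    return [s[n] for s in stmts if s[:n] == list(path) and len(s) > n]


def first_int(stmts, *path, default=None):
    """Integer value of the first statement matching ``path``, or ``default``."""
    vals = values_after(stmts, *path)
    return int(vals[0]) if vals and vals[0].isdigit() else default


def audit(text):
    """Return {check name: passed} for the requirements this example covers."""
    s = parse_set_lines(text)
    ssh, pw, login = ("system", "services", "ssh"), ("system", "login", "password"), ("system", "login")
    ntp = {}  # server address -> an authentication key appears on one of its statements
    for st in s:
        if st[:3] == ["system", "ntp", "server"] and len(st) > 3:
            ntp[st[3]] = ntp.get(st[3], False) or "key" in st[4:]
    classes = {c: first_int(s, *login, "class", c, "idle-timeout") for c in set(values_after(s, *login, "class"))}
    macs, ciphers = values_after(s, *ssh, "macs"), values_after(s, *ssh, "ciphers")
    snmp = [st for st in s if st[:1] == ["snmp"]]
    complexity = ("minimum-upper-cases", "minimum-lower-cases", "minimum-numerics", "minimum-punctuations")
    return {
        "DM-000001 ssh connection-limit <= 10": 0 < first_int(s, *ssh, "connection-limit", default=0) <= 10,
        "DM-000030 three tries before disconnect": first_int(s, *login, "retry-options", "tries-before-disconnect") == 3,
        "DM-000032 logon banner configured": bool(values_after(s, *login, "message")),
        "DM-000040 interactive-commands logged": any("interactive-commands" in st[4:] for st in s if st[:2] == ["system", "syslog"]),
        "DM-000065 clock in UTC": values_after(s, "system", "time-zone") == ["UTC"],
        "DM-000087 >= 5 rollbacks": first_int(s, "system", "max-configurations-on-flash", default=0) >= 5,
        "DM-000094 primary and secondary NTP": len(ntp) >= 2,
        "DM-000095 central AAA first": values_after(s, "system", "authentication-order")[:1] in (["tacplus"], ["radius"]),
        "DM-000110 NTP servers authenticated": bool(ntp) and all(ntp.values()),
        "DM-000111 SNMP only via v3": not snmp or (any(st[1:2] == ["v3"] for st in snmp) and not any(st[1:2] == ["community"] for st in snmp)),
        "DM-000112 root ssh login denied": values_after(s, *ssh, "root-login") == ["deny"],
        "DM-000114 ssh tcp-forwarding disabled": any(st[:4] == [*ssh, "no-tcp-forwarding"] for st in s),
        "DM-000128 password length >= 15": first_int(s, *pw, "minimum-length", default=0) >= 15,
        "DM-000129 character-set complexity": values_after(s, *pw, "change-type") == ["character-sets"],
        "DM-000130..133 one of each character class": all(first_int(s, *pw, k, default=0) >= 1 for k in complexity),
        "DM-000136 sha password format": values_after(s, *pw, "format")[:1] in (["sha1"], ["sha256"], ["sha512"]),
        "DM-000147 sha2 MACs only": bool(macs) and all(m.startswith("hmac-sha2-") for m in macs),
        "DM-000150 SSHv2 with AES ciphers": values_after(s, *ssh, "protocol-version") == ["v2"] and bool(ciphers) and all(c.startswith("aes") for c in ciphers),
        "DM-000156 idle-timeout <= 10 on every class": bool(classes) and all(t is not None and t <= 10 for t in classes.values()),
        "DM-000157 ssh keep-alive count set": first_int(s, *ssh, "client-alive-count-max") is not None,
        "DM-000163 ssh rate-limit set": first_int(s, *ssh, "rate-limit") is not None,
        "DM-000167 J-Web disabled": not any(st[:3] == ["system", "services", "web-management"] for st in s),
    }


def failed(text):
    """Names of the checks that fail, sorted, for a quick compliance summary."""
    return sorted(name for name, ok in audit(text).items() if not ok)


if __name__ == "__main__":
    print("Failed checks:", failed(SAMPLE_CONFIG) or "none")
```

The checks deliberately work on the `display set` form because every statement is then one self-describing line, which makes the audit independent of the hierarchy indentation in the default `show configuration` output. Note the asymmetry in what "compliant" means per row: JUSX-DM-000111 and JUSX-DM-000167 are satisfied by the absence of a statement (`snmp community`, `web-management`), whereas the SSH and password rows need an explicit value, so a freshly installed device with no `set system services ssh` stanza fails them rather than passing by default.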