Juniper SRX SG VPN Security Technical Implementation Guide

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: [email protected]

Details

Version / Release: V1R2

Published: 2017-10-03

Updated At: 2018-09-23 19:14:03


| Vuln | Rule Version | CCI | Severity | Title | Description |
|---|---|---|---|---|---|
| SV-80511r1_rule | JUSX-VN-000005 | CCI-000068 | HIGH | The Juniper SRX Services Gateway VPN must use AES encryption for the IPsec proposal to protect the confidentiality of remote access sessions. | Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. The Advanced Encryption Standard (AES) encryption is critical to ensuring the privacy of the IPsec session; it is |
| SV-81107r1_rule | JUSX-VN-000006 | CCI-000068 | HIGH | The Juniper SRX Services Gateway VPN must use AES encryption for the Internet Key Exchange (IKE) proposal to protect the confidentiality of remote access sessions. | Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. The Advanced Encryption Standard (AES) algorithm is critical to ensuring the privacy of the IKE session responsibl |
| SV-81109r1_rule | JUSX-VN-000010 | CCI-000366 | HIGH | The Juniper SRX Services Gateway VPN must use Internet Key Exchange (IKE) for IPsec VPN Security Associations (SAs). | Without IKE, the SPI is manually specified for each security association. IKE peers will negotiate the encryption algorithm and authentication or hashing methods as well as generate the encryption keys. An IPsec SA is established using either Internet K |
| SV-81111r1_rule | JUSX-VN-000012 | CCI-000366 | HIGH | The Juniper SRX Services Gateway VPN must not accept certificates that have been revoked when using PKI for authentication. | Situations may arise in which the certificate issued by a Certificate Authority (CA) may need to be revoked before the lifetime of the certificate expires. For example, the certificate is known to have been compromised. To achieve this, a list of certif |
| SV-81113r1_rule | JUSX-VN-000019 | CCI-000766 | HIGH | The Juniper SRX Services Gateway VPN must use multifactor authentication (e.g., DoD PKI) for network access to non-privileged accounts. | To assure accountability and prevent unauthenticated access, non-privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system. Multifactor authentication uses two or more factors to achieve authentica |
| SV-81115r1_rule | JUSX-VN-000023 | CCI-002450 | HIGH | The Juniper SRX Services Gateway VPN Internet Key Exchange (IKE) must use cryptography that is compliant with Suite B parameters when transporting classified traffic across an unclassified network. | Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The network element must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides |
| SV-81119r1_rule | JUSX-VN-000001 | CCI-000054 | MEDIUM | The Juniper SRX Services Gateway VPN must limit the number of concurrent sessions for user accounts to one (1) and administrative accounts to three (3), or set to an organization-defined number. | Network element management includes the ability to control the number of users and user sessions that utilize a network element. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to DoS attacks. This requirem |
| SV-81121r1_rule | JUSX-VN-000002 | CCI-002361 | MEDIUM | The Juniper SRX Services Gateway VPN must renegotiate the security association after 8 hours or less. | The IPsec SA and its corresponding key will expire either after the number of seconds or amount of traffic volume has exceeded the configured limit. A new SA is negotiated before the lifetime threshold of the existing SA is reached to ensure that a new SA |
| SV-81131r1_rule | JUSX-VN-000025 | CCI-001184 | HIGH | The Juniper SRX Services Gateway VPN must configure Internet Key Exchange (IKE) with SHA1 or greater to protect the authenticity of communications sessions. | Authenticity protection provides protection against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions. This requirement focuses on communications protection for the application session rather than for the ne |
| SV-81133r1_rule | JUSX-VN-000003 | CCI-002361 | MEDIUM | The Juniper SRX Services Gateway VPN must renegotiate the security association after 24 hours or less. | When a VPN gateway creates an IPsec Security Association (SA), resources must be allocated to maintain the SA. These resources are wasted during periods of IPsec endpoint inactivity, which could result in the gateway's inability to create new SAs for ot |
| SV-81135r1_rule | JUSX-VN-000004 | CCI-000067 | MEDIUM | If the Juniper SRX Services Gateway VPN device also fulfills the role of IDPS in the architecture, the device must inspect the VPN traffic in compliance with DoD IDPS requirements. | Remote access devices, such as those providing remote access to network devices and information systems, which lack automated capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DoD non-public |
| SV-81137r1_rule | JUSX-VN-000007 | CCI-000068 | MEDIUM | The Juniper SRX Services Gateway VPN must implement a FIPS-140-2 validated Diffie-Hellman (DH) group. | Use of an approved DH algorithm ensures the Internet Key Exchange (IKE) (phase 1) proposal uses FIPS-validated key management techniques and processes in the production, storage, and control of private/secret cryptographic keys. The security of the DH ke |
| SV-81139r2_rule | JUSX-VN-000008 | CCI-001453 | MEDIUM | The Juniper SRX Services Gateway VPN must be configured to use IPsec with SHA1 or greater to negotiate hashing to protect the integrity of remote access sessions. | Without strong cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access VPN provides access to DoD non-public information systems by an authorized user (or an information system) communicatin |
| SV-81141r1_rule | JUSX-VN-000009 | CCI-001414 | MEDIUM | The Juniper SRX Services Gateway VPN must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies. | Remote access devices, such as those providing remote access to network devices and information systems, which lack automated capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DoD non-public |
| SV-81143r1_rule | JUSX-VN-000011 | CCI-000366 | MEDIUM | If IDPS inspection is performed separately from the Juniper SRX Services Gateway VPN device, the VPN must route sessions to an IDPS for inspection. | Remote access devices, such as those providing remote access to network devices and information systems, which lack automated capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DoD non-public |
| SV-81145r1_rule | JUSX-VN-000013 | CCI-000366 | MEDIUM | The Juniper SRX Services Gateway VPN must specify Perfect Forward Secrecy (PFS). | PFS generates each new encryption key independently from the previous key. Without PFS, compromise of one key will compromise all communications. The phase 2 (Quick Mode) Security Association (SA) is used to create an IPsec session key. Hence, its rekey |
| SV-81147r1_rule | JUSX-VN-000014 | CCI-000366 | MEDIUM | The Juniper SRX Services Gateway VPN must use Encapsulating Security Payload (ESP) in tunnel mode. | ESP provides confidentiality, data origin authentication, integrity, and anti-replay services within the IPsec suite of protocols. ESP in tunnel mode ensures a secure path for communications for site-to-site VPNs and gateway to endpoints, including header |
| SV-81149r1_rule | JUSX-VN-000015 | CCI-000381 | MEDIUM | The Juniper SRX Services Gateway must disable or remove unnecessary network services and functions that are not used as part of its role in the architecture. | Network devices are capable of providing a wide variety of functions (capabilities or processes) and services. Some of these functions and services are installed and enabled by default. The organization must determine which functions and services are requ |
| SV-81151r1_rule | JUSX-VN-000016 | CCI-000382 | MEDIUM | The Juniper SRX Services Gateway VPN must use IKEv2 for IPsec VPN security associations. | Use of IKEv2 leverages DoS protections because of improved bandwidth management and leverages more secure encryption algorithms. |
| SV-81153r1_rule | JUSX-VN-000017 | CCI-000382 | MEDIUM | The Juniper SRX Services Gateway VPN must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. | In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical po |
| SV-81155r1_rule | JUSX-VN-000018 | CCI-000764 | MEDIUM | The Juniper SRX Services Gateway VPN must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the org |
| SV-81157r1_rule | JUSX-VN-000020 | CCI-000803 | MEDIUM | The Juniper SRX Services Gateway VPN must use FIPS 140-2 compliant mechanisms for authentication to a cryptographic module. | Unapproved mechanisms that are used for authentication to the cryptographic module are not verified, and therefore cannot be relied upon to provide confidentiality or integrity and DoD data may be compromised. Network elements utilizing encryption are re |
| SV-81159r1_rule | JUSX-VN-000021 | CCI-000804 | MEDIUM | The Juniper SRX Services Gateway VPN must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users). | Lack of authentication and identification enables non-organizational users to gain access to the network or possibly a network element that provides opportunity for intruders to compromise resources within the network infrastructure. This requirement on |
| SV-81161r1_rule | JUSX-VN-000024 | CCI-002450 | MEDIUM | The Juniper SRX Services Gateway VPN IKE must use NIST FIPS-validated cryptography to implement encryption services for unclassified VPN traffic. | Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The network element must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides |
| SV-81163r1_rule | JUSX-VN-000026 | CCI-002470 | MEDIUM | The Juniper SRX Services Gateway VPN must only allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions. | Untrusted certificate authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate |
| SV-81165r1_rule | JUSX-VN-000027 | CCI-002403 | MEDIUM | The Juniper SRX Services Gateway VPN must only allow incoming VPN communications from organization-defined authorized sources routed to organization-defined authorized destinations. | Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources. Access control policies and access c |
| SV-81167r1_rule | JUSX-VN-000028 | CCI-002397 | MEDIUM | The Juniper SRX Services Gateway VPN must disable split-tunneling for remote client VPNs. | Split tunneling would in effect allow unauthorized external connections, making the system more vulnerable to attack and to exfiltration of organizational information. A VPN hardware or software client with split tunneling enabled provides an unsecured b |
| SV-81169r1_rule | JUSX-VN-000031 | CCI-001942 | MEDIUM | The Juniper SRX Services Gateway VPN must use anti-replay mechanisms for security associations. | Anti-replay is an IPsec security mechanism at the packet level which helps prevent unwanted users from intercepting and modifying an ESP packet. The SRX adds a sequence number to the ESP encapsulation which is verified by the VPN peer so packets are recei |
| SV-81171r1_rule | JUSX-VN-000022 | CCI-001133 | LOW | The Juniper SRX Services Gateway VPN must terminate all network connections associated with a communications session at the end of the session. | Idle TCP sessions can be susceptible to unauthorized access and hijacking attacks. By default, routers do not continually test whether a previously connected TCP endpoint is still reachable. If one end of a TCP connection idles out or terminates abnormall |