UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The Juniper EX switch must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts.


Overview

Finding ID Version Rule ID IA Controls Severity
V-253903 JUEX-NM-000260 SV-253903r960993_rule Medium
Description
A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators.
STIG Date
Juniper EX Series Switches Network Device Management Security Technical Implementation Guide 2024-06-20

Details

Check Text ( C-57355r843740_chk )
Determine if the network device implements replay-resistant authentication mechanisms for network access to privileged accounts. This requirement may be verified by demonstration, configuration review, or validated test results. This requirement may be met through use of a properly configured authentication server if the device is configured to use the authentication server.

Verify SSH version 2 is configured for network (remote) access to privileged accounts.
[edit system services ssh]
protocol-version v2;

If the network device does not implement replay-resistant authentication mechanisms for network access to privileged accounts, this is a finding.
Fix Text (F-57306r843741_fix)
Configure the network device to implement replay-resistant authentication mechanisms for network access to privileged accounts.

set system services ssh protocol-version v2