Juniper SRX Services Gateway VPN Security Technical Implementation Guide


Overview

Date: 2022-09-14
Finding Count (29): CAT I (High): 7, CAT II (Med): 21, CAT III (Low): 1
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-214677 High The Juniper SRX Services Gateway VPN must use Internet Key Exchange (IKE) for IPsec VPN Security Associations (SAs).
V-214673 High The Juniper SRX Services Gateway VPN must use AES encryption for the Internet Key Exchange (IKE) proposal to protect the confidentiality of remote access sessions.
V-214672 High The Juniper SRX Services Gateway VPN must use AES encryption for the IPsec proposal to protect the confidentiality of remote access sessions.
V-214679 High The Juniper SRX Services Gateway VPN must not accept certificates that have been revoked when using PKI for authentication.
V-214686 High The Juniper SRX Services Gateway VPN must use multifactor authentication (e.g., DoD PKI) for network access to non-privileged accounts.
V-214690 High The Juniper SRX Services Gateway VPN Internet Key Exchange (IKE) must use cryptography that is compliant with Suite B parameters when transporting classified traffic across an unclassified network.
V-214692 High The Juniper SRX Services Gateway VPN must configure Internet Key Exchange (IKE) with SHA1 or greater to protect the authenticity of communications sessions.
V-214676 Medium The Juniper SRX Services Gateway VPN must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.
V-214675 Medium The Juniper SRX Services Gateway VPN must be configured to use IPsec with SHA1 or greater to negotiate hashing to protect the integrity of remote access sessions.
V-214674 Medium The Juniper SRX Services Gateway VPN must implement a FIPS-140-2 validated Diffie-Hellman (DH) group.
V-214671 Medium If the Juniper SRX Services Gateway VPN device also fulfills the role of IDPS in the architecture, the device must inspect the VPN traffic in compliance with DoD IDPS requirements.
V-214670 Medium The Juniper SRX Services Gateway VPN must renegotiate the IKE security association after 24 hours or less.
V-214678 Medium If IDPS inspection is performed separately from the Juniper SRX Services Gateway VPN device, the VPN must route sessions to an IDPS for inspection.
V-214687 Medium The Juniper SRX Services Gateway VPN must use FIPS 140-2 compliant mechanisms for authentication to a cryptographic module.
V-214684 Medium The Juniper SRX Services Gateway VPN must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
V-214685 Medium The Juniper SRX Services Gateway VPN must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
V-214682 Medium The Juniper SRX Services Gateway must disable or remove unnecessary network services and functions that are not used as part of its role in the architecture.
V-214683 Medium The Juniper SRX Services Gateway VPN must use IKEv2 for IPsec VPN security associations.
V-214680 Medium The Juniper SRX Services Gateway VPN must specify Perfect Forward Secrecy (PFS).
V-214681 Medium The Juniper SRX Services Gateway VPN must use Encapsulating Security Payload (ESP) in tunnel mode.
V-214688 Medium The Juniper SRX Services Gateway VPN must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).
V-214668 Medium The Juniper SRX Services Gateway VPN must limit the number of concurrent sessions for user accounts to one (1) and administrative accounts to three (3), or set to an organization-defined number.
V-214669 Medium The Juniper SRX Services Gateway VPN must renegotiate the IPsec security association after 8 hours or less.
V-214691 Medium The Juniper SRX Services Gateway VPN IKE must use NIST FIPS-validated cryptography to implement encryption services for unclassified VPN traffic.
V-214693 Medium The Juniper SRX Services Gateway VPN must only allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions.
V-214695 Medium The Juniper SRX Services Gateway VPN must disable split-tunneling for remote client VPNs.
V-214694 Medium The Juniper SRX Services Gateway VPN must only allow incoming VPN communications from organization-defined authorized sources routed to organization-defined authorized destinations.
V-214696 Medium The Juniper SRX Services Gateway VPN must use anti-replay mechanisms for security associations.
V-214689 Low The Juniper SRX Services Gateway VPN must terminate all network connections associated with a communications session at the end of the session.