The Juniper SRX Services Gateway VPN must use FIPS 140-2 compliant mechanisms for authentication to a cryptographic module.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-214687	JUSX-VN-000020	SV-214687r385516_rule		Medium

Description
Unapproved mechanisms that are used for authentication to the cryptographic module are not verified, and therefore cannot be relied upon to provide confidentiality or integrity and DoD data may be compromised. Network elements utilizing encryption are required to use FIPS compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements.

Description

Unapproved mechanisms that are used for authentication to the cryptographic module are not verified, and therefore cannot be relied upon to provide confidentiality or integrity and DoD data may be compromised. Network elements utilizing encryption are required to use FIPS compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements.

STIG	Date
Juniper SRX Services Gateway VPN Security Technical Implementation Guide	2021-03-25

Details

Check Text ( C-15888r297648_chk )
Verify IPsec is defined and configured using FIPS-complaint protocols. [edit] show security ipsec vpn If the IPSEC policy and VP are not configured to use FIPS 140-2 compliant mechanisms for authentication to a cryptographic module, this is a finding.

Fix Text (F-15886r297649_fix)
After configuring the Internet Key Exchange (IKE) gateway and IPsec policy, the following commands configure an IPsec policy, enabling Perfect Forward Secrecy (PFS) using Diffie-Hellman group 14 and associating the IPsec proposal configured in the previous example. set security ipsec policy IPSEC-POLICY perfect-forward-secrecy keys group14 set security ipsec policy IPSEC-POLICY proposals IPSEC-PROPOSAL The following commands define an IPsec VPN using a secure tunnel interface, specifying the IKE gateway information, IPsec policy, and tunnel establishment policy. Alternatively, administrators can configure on-traffic tunnel establishment. [edit] set security ipsec vpn VPN bind-interface st0.0 set security ipsec vpn VPN ike gateway IKE-PEER set security ipsec vpn VPN ike ipsec-policy IPSEC-POLICY set security ipsec vpn VPN establish-tunnels immediately

Fix Text (F-15886r297649_fix)

After configuring the Internet Key Exchange (IKE) gateway and IPsec policy, the following commands configure an IPsec policy, enabling Perfect Forward Secrecy (PFS) using Diffie-Hellman group
14 and associating the IPsec proposal configured in the previous example.

set security ipsec policy IPSEC-POLICY perfect-forward-secrecy keys group14
set security ipsec policy IPSEC-POLICY proposals IPSEC-PROPOSAL

The following commands define an IPsec VPN using a secure tunnel interface, specifying the IKE gateway information, IPsec policy, and tunnel establishment policy. Alternatively, administrators can configure on-traffic tunnel establishment.

[edit]
set security ipsec vpn VPN bind-interface st0.0
set security ipsec vpn VPN ike gateway IKE-PEER
set security ipsec vpn VPN ike ipsec-policy IPSEC-POLICY
set security ipsec vpn VPN establish-tunnels immediately