UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The Juniper SRX Services Gateway Firewall providing content filtering must protect against known and unknown types of Denial of Service (DoS) attacks by implementing statistics-based screens.


Overview

Finding ID Version Rule ID IA Controls Severity
V-66323 JUSX-AG-000120 SV-80813r2_rule High
Description
If the network does not provide safeguards against DoS attacks, network resources will be unavailable to users. Installation of content filtering gateways and application layer firewalls at key boundaries in the architecture mitigates the risk of DoS attacks. These attacks can be detected by matching observed communications traffic with patterns of known attacks and monitoring for anomalies in traffic volume/type. Juniper SRX Firewall DoS protections can be configured by either using a Screen or within the global flow options. Screens, also known as IDS-options, block various layer 3 and 4 attacks. Screen objects are configured with various screen-specific options and then assigned to a zone. The Juniper SRX can be configured with Screens to protect against the following statistics-based DoS attacks: IP sweeps, port scans, and flood attacks.
STIG Date
Juniper SRX SG ALG Security Technical Implementation Guide 2018-04-04

Details

Check Text ( C-66969r1_chk )
Run the following command to see the screen options currently configured:

[edit]
show security screen ids-option
show security zone match "screen"

If security screens are not configured or if the security zone is not configured with screen options, this is a finding.
Fix Text (F-72399r3_fix)
The following example commands configure security screens under a profile named untrust-screen. Screen options, with configurable thresholds may be customized to minimize/prevent operational impact on traffic performance.

[edit]
set security screen ids-option