The Juniper SRX Services Gateway must authenticate NTP servers before establishing a network connection using bidirectional authentication that is cryptographically based.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-66501	JUSX-DM-000110	SV-80991r1_rule		Medium

Description
Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk, such as remote connections. The Juniper SRX can only be configured to use MD5 authentication keys. This algorithm is not FIPS 140-2 validated; thus, a CAT 1 finding is allocated in CCI-000803. However, MD5 is preferred to no authentication at all. The trusted-key statement permits authenticating NTP servers. The Juniper SRX supports multiple keys, multiple NTP servers, and different keys for each server; add the “key <key number>” parameter to the server statement to associate a key with a specific server.

Description

Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk, such as remote connections. The Juniper SRX can only be configured to use MD5 authentication keys. This algorithm is not FIPS 140-2 validated; thus, a CAT 1 finding is allocated in CCI-000803. However, MD5 is preferred to no authentication at all. The trusted-key statement permits authenticating NTP servers. The Juniper SRX supports multiple keys, multiple NTP servers, and different keys for each server; add the “key <key number>” parameter to the server statement to associate a key with a specific server.

STIG	Date
Juniper SRX SG NDM Security Technical Implementation Guide	2017-01-05

Details

Check Text ( C-67147r1_chk )
Verify the Juniper SRX is configured to synchronize internal information system clocks with the primary and secondary NTP sources. [edit] show system ntp If the NTP configuration is not configured to use authentication, this is a finding.

Fix Text (F-72577r1_fix)
The Juniper SRX can only be configured to use MD5 authentication keys. This algorithm is not FIPS 140-2 validated; therefore, it violates CCI-000803, which is a CAT 1. However, MD5 is preferred to no authentication at all. The following commands configure the Juniper SRX to use MD5 authentication keys. set system ntp authentication-key 1 type md5 set system ntp authentication-key 1 value "$9$EgfcrvX7VY4ZEcwgoHjkP5REyv87" set system ntp authentication-key 2 type md5 set system ntp authentication-key 2 value "kP5$EgvVfcrwgoY4X7ZEcH$9j RExz50" set system ntp server key 1 set system ntp server prefer set system ntp server key 2 set system ntp trusted-key 1 set system ntp trusted-key 2

Fix Text (F-72577r1_fix)

The Juniper SRX can only be configured to use MD5 authentication keys. This algorithm is not FIPS 140-2 validated; therefore, it violates CCI-000803, which is a CAT 1. However, MD5 is preferred to no authentication at all. The following commands configure the Juniper SRX to use MD5 authentication keys.

set system ntp authentication-key 1 type md5
set system ntp authentication-key 1 value "$9$EgfcrvX7VY4ZEcwgoHjkP5REyv87"
set system ntp authentication-key 2 type md5
set system ntp authentication-key 2 value "kP5$EgvVfcrwgoY4X7ZEcH$9j RExz50"
set system ntp server key 1
set system ntp server prefer
set system ntp server key 2
set system ntp trusted-key 1
set system ntp trusted-key 2