The Juniper SRX Services Gateway must implement replay-resistant authentication mechanisms for network access to privileged accounts.


Overview

Finding ID: V-223216
Version: JUSX-DM-000124
Rule ID: SV-223216r513337_rule
IA Controls: (none listed)
Severity: Medium
Description
A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. There are two approved methods for accessing the Juniper SRX, which are, in order of preference, the SSH protocol and the console port.
STIG: Juniper SRX SG NDM Security Technical Implementation Guide
Date: 2021-03-25

Details

Check Text (C-24889r513335_chk)
Verify SSH is configured to use a replay-resistant authentication mechanism.

[edit]
show system services ssh

If SSH is not configured to use the MAC authentication protocol, this is a finding.
Fix Text (F-24877r513336_fix)
Configure SSH to use a replay-resistant authentication mechanism. The following is an example stanza.

[edit]
set system services ssh macs hmac-sha2-512
set system services ssh macs hmac-sha2-256
set system services ssh macs hmac-sha1
set system services ssh macs hmac-sha1-96
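The check above is a manual read of `show system services ssh`; when the same rule has to be assessed across many devices it helps to script it. The following is an added example (not part of the STIG or of Juniper's tooling) that parses the output of that command in either the default curly-brace rendering or the `| display set` rendering, applies the finding logic from the Check Text (no configured MACs is a finding), reports any configured MAC that is not among the four listed in the Fix Text, and renders the `set` commands from the Fix Text for a chosen MAC list. The sample outputs are constructed, not captured from a real device.

```python
import re

# The four MACs listed in the Fix Text, in the order given there.
STIG_FIX_MACS = ["hmac-sha2-512", "hmac-sha2-256", "hmac-sha1", "hmac-sha1-96"]

# Constructed sample output of `show system services ssh` at [edit],
# default curly-brace rendering, with MACs configured.
SAMPLE_COMPLIANT = """\
root-login deny;
protocol-version v2;
macs [ hmac-sha2-512 hmac-sha2-256 ];
"""

# Constructed sample with no macs stanza at all: a finding under this rule.
SAMPLE_NONCOMPLIANT = """\
root-login deny;
protocol-version v2;
"""

# Constructed sample in `| display set` rendering.
SAMPLE_SET_FORMAT = """\
set system services ssh root-login deny
set system services ssh macs hmac-sha2-512
set system services ssh macs hmac-sha1-96
"""


def configured_macs(show_output: str) -> list[str]:
    """Return the MAC algorithms configured under [edit system services ssh].

    Handles three renderings of the same stanza:
      set system services ssh macs <mac>      (`| display set`)
      macs [ <mac> <mac> ... ];               (bracketed list)
      macs <mac>;                             (single value)
    """
    macs: list[str] = []
    for raw in show_output.splitlines():
        line = raw.strip()
        m = re.match(r"^set system services ssh macs (\S+)$", line)
        if m:
            macs.append(m.group(1))
            continue
        m = re.match(r"^macs \[([^\]]*)\];?$", line)
        if m:
            macs.extend(m.group(1).split())
            continue
        m = re.match(r"^macs (\S+?);?$", line)
        if m:
            macs.append(m.group(1))
    return macs


def evaluate(show_output: str) -> dict:
    """Apply the Check Text: SSH with no configured MACs is a finding.

    Also lists configured MACs that are not among the Fix Text's four, so a
    reviewer can see at a glance what deviates from the published example.
    """
    macs = configured_macs(show_output)
    return {
        "finding": not macs,
        "macs": macs,
        "not_in_fix_list": [m for m in macs if m not in STIG_FIX_MACS],
    }


def fix_commands(macs: list[str]) -> list[str]:
    """Render the Fix Text `set` commands for the given MAC list."""
    return [f"set system services ssh macs {m}" for m in macs]


if __name__ == "__main__":
    for name, sample in [("compliant", SAMPLE_COMPLIANT),
                         ("noncompliant", SAMPLE_NONCOMPLIANT),
                         ("set-format", SAMPLE_SET_FORMAT)]:
        print(name, evaluate(sample))
    print("\n".join(fix_commands(STIG_FIX_MACS)))
```

Feed the function the text of `show system services ssh` taken from each device (for example via a NETCONF or SSH session in your own collection tooling); the parser only looks at the `macs` stanza, so unrelated SSH settings in the output are ignored.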