Finding ID | Severity | Title | Discussion |
--- | --- | --- | --- |
V-223237 | High | For nonlocal maintenance sessions, the Juniper SRX Services Gateway must explicitly deny the use of J-Web. | If unsecured functions (lacking FIPS-validated cryptographic mechanisms) are used for management sessions, the contents of those sessions are susceptible to manipulation, potentially allowing... |
V-223211 | High | If SNMP is enabled, the Juniper SRX Services Gateway must use and securely configure SNMPv3. | To prevent non-secure protocol communications with the organization's local SNMPv3 services, the SNMP client on the Juniper SRX must be configured for proper identification and strong... |
V-229025 | High | The Juniper SRX Services Gateway must be configured to use a centralized authentication server to authenticate privileged users for remote and nonlocal access for device management. | Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is a particularly important protection against the insider threat.... |
V-223226 | High | For nonlocal maintenance sessions using SNMP, the Juniper SRX Services Gateway must securely configure SNMPv3 with privacy options to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions. | Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Nonlocal maintenance and diagnostic activities are... |
V-223224 | High | For nonlocal maintenance sessions using SNMP, the Juniper SRX Services Gateway must use and securely configure SNMPv3 with SHA to protect the integrity of maintenance and diagnostic communications. | Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Nonlocal maintenance and diagnostic activities are those activities conducted by... |
V-229017 | Medium | The Juniper SRX Services Gateway must generate an alert message to the management console and generate a log event record that can be forwarded to the ISSO and designated system administrators when accounts are disabled. | An authorized insider or individual who maliciously disables a local account could gain immediate access from a remote location to privileged information on a critical security device. Sending an... |
V-229016 | Medium | The Juniper SRX Services Gateway must generate an alert message to the management console and generate a log event record that can be forwarded to the ISSO and designated system administrators when the local accounts (i.e., the account of last resort or root account) are modified. | An authorized insider or individual who maliciously modifies a local account could gain immediate access from a remote location to privileged information on a critical security device. Sending an... |
V-229015 | Medium | For local accounts, the Juniper SRX Services Gateway must generate an alert message to the management console and generate a log event record that can be forwarded to the ISSO and designated system administrators when local accounts are created. | An authorized insider or individual who maliciously creates a local account could gain immediate access from a remote location to privileged information on a critical security device. Sending an... |
V-229014 | Medium | The Juniper SRX Services Gateway must automatically terminate a network administrator session after organization-defined conditions or trigger events requiring session disconnect. | Automatic session termination addresses the termination of administrator-initiated logical sessions in contrast to the termination of network connections that are associated with communications... |
V-229019 | Medium | The Juniper SRX Services Gateway must generate an immediate alert message to the management console for account enabling actions. | In order to detect and respond to events that affect network administrator accessibility and device processing, network devices must audit account enabling actions and, as required, notify the... |
V-229018 | Medium | The Juniper SRX Services Gateway must generate alerts to the management console and generate a log record that can be forwarded to the ISSO and designated system administrators when the local accounts (i.e., the account of last resort or root account) are deleted. | An authorized insider or individual who maliciously deletes a local account could gain immediate access from a remote location to privileged information on a critical security device. Sending an... |
V-223183 | Medium | For local accounts created on the device, the Juniper SRX Services Gateway must automatically generate log records for account disabling events. | When device management accounts are disabled, user or service accessibility may be affected. Auditing also ensures authorized, active accounts remain enabled and available for use when required.... |
V-223182 | Medium | For local accounts created on the device, the Juniper SRX Services Gateway must automatically generate log records for account modification events. | Upon gaining access to a network device, an attacker will often first attempt to modify existing accounts to increase/decrease privileges. Notification of account modification events help to... |
V-223181 | Medium | For local accounts created on the device, the Juniper SRX Services Gateway must automatically generate log records for account creation events. | Upon gaining access to a network device, an attacker will often first attempt to create a persistent method of reestablishing access. One way to accomplish this is to create a new account.... |
V-223186 | Medium | The Juniper SRX Services Gateway must enforce the assigned privilege level for each administrator and authorizations for access to all commands by assigning a login class to all AAA-authenticated users. | To mitigate the risk of unauthorized privileged access to the device, administrators must be assigned only the privileges needed to perform the tasks assigned to their roles. Although use of an... |
V-223185 | Medium | The Juniper SRX Services Gateway must automatically generate a log event when accounts are enabled. | Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to... |
V-223184 | Medium | For local accounts created on the device, the Juniper SRX Services Gateway must automatically generate log records for account removal events. | Auditing account removal actions will support account management procedures. When device management accounts are terminated, user or service accessibility may be affected. Auditing also ensures... |
V-223231 | Medium | The Juniper SRX Services Gateway must terminate a device management session after 10 minutes of inactivity, except to fulfill documented and validated mission requirements. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session. Quickly terminating an idle session... |
V-223233 | Medium | The Juniper SRX Services Gateway must configure the control plane to protect against or limit the effects of common types of Denial of Service (DoS) attacks on the device itself by configuring applicable system options and internet-options. | DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. Juniper SRX... |
V-223236 | Medium | The Juniper SRX Services Gateway must be configured to use Junos 12.1 X46 or later to meet the minimum required version for DoD. | Earlier versions of Junos may have reached the end of life cycle support by the vendor. Junos 12.1X46 is not a UC APL certified version, while 12.1X46 is UC APL Certified. The SRX with Junos... |
V-223213 | Medium | The Juniper SRX Services Gateway must ensure access to start a UNIX-level shell is restricted to only the root account. | Restricting the privilege to create a UNIX-level shell limits access to this powerful function. System administrators, regardless of their other permissions, will need to also know the root... |
V-223212 | Medium | The Juniper SRX Services Gateway must ensure SSH is disabled for root user logon to prevent remote access using the root account. | Since the identity of the root account is well-known for systems based upon Linux or UNIX and this account does not have a setting to limit access attempts, there is risk of a brute force attack... |
V-223210 | Medium | The Juniper SRX Services Gateway must authenticate NTP servers before establishing a network connection using bidirectional authentication that is cryptographically based. | Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate... |
V-223217 | Medium | For local accounts using password authentication (i.e., the root account and the account of last resort), the Juniper SRX Services Gateway must enforce a minimum 15-character password length. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. The shorter the password, the lower the number of... |
V-223216 | Medium | The Juniper SRX Services Gateway must implement replay-resistant authentication mechanisms for network access to privileged accounts. | A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be... |
V-223215 | Medium | The Juniper SRX Services Gateway must be configured with only one local user account to be used as the account of last resort. | Without centralized management, credentials for some network devices will be forgotten, leading to delays in administration, which itself leads to delays in remediating production problems and in... |
V-223214 | Medium | The Juniper SRX Services Gateway must ensure TCP forwarding is disabled for SSH to prevent unauthorized access. | Use this configuration option to prevent a user from creating an SSH tunnel over a CLI session to the Juniper SRX via SSH. This type of tunnel could be used to forward TCP traffic, bypassing any... |
V-223232 | Medium | The Juniper SRX Services Gateway must terminate a device management session if the keep-alive count is exceeded. | Configuring the keep-alive for management protocols mitigates the risk of an open connection being hijacked by an attacker. The keep-alive messages and the interval between each message are used... |
V-223219 | Medium | For local accounts using password authentication (i.e., the root account and the account of last resort), the Juniper SRX Services Gateway must enforce password complexity by requiring at least one uppercase character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in... |
V-223218 | Medium | For local accounts using password authentication (i.e., the root account and the account of last resort), the Juniper SRX Services Gateway must enforce password complexity by setting the password change type to character sets. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in... |
V-223234 | Medium | The Juniper SRX Services Gateway must limit the number of sessions per minute to an organization-defined number for SSH to protect remote access management from unauthorized access. | The rate-limit command limits the number of SSH session attempts allowed per minute which helps limit an attacker's ability to perform DoS attacks. The rate limit should be as restrictive as... |
V-229028 | Medium | The Juniper SRX Services Gateway must generate an alarm or send an alert message to the management console when a component failure is detected. | Component (e.g., chassis, file storage, file corruption) failure may cause the system to become unavailable, which could result in mission failure since the network would be operating without a... |
V-229029 | Medium | The Juniper SRX Services Gateway must reveal log messages or management console alerts only to the ISSO, ISSM, and SA roles. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state. Additionally, sensitive account... |
V-229023 | Medium | In the event that communications with the events server are lost, the Juniper SRX Services Gateway must continue to queue log records locally. | It is critical that when the network device is at risk of failing to process logs as required, it take action to mitigate the failure. Log processing failures include: software/hardware errors;... |
V-229024 | Medium | The Juniper SRX Services Gateway must be configured to use an authentication server to centrally apply authentication and logon settings for remote and nonlocal access for device management. | Centralized application (e.g., TACACS+, RADIUS) of authentication settings increases the security of remote and nonlocal access methods. This control is a particularly important protection against... |
V-223201 | Medium | The Juniper SRX Services Gateway must record time stamps for log records using Coordinated Universal Time (UTC). | If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis. UTC is normally used in DoD; however, Greenwich Mean Time (GMT) may... |
V-223203 | Medium | If the loopback interface is used, the Juniper SRX Services Gateway must protect the loopback interface with firewall filters for known attacks that may exploit this interface. | The loopback interface is a logical interface and has no physical port. Since the interface and address ranges are well-known, this port must be filtered to protect the Juniper SRX from attacks. |
V-223202 | Medium | The Juniper SRX Services Gateway must implement logon roles to ensure only authorized roles are allowed to install software and updates. | Allowing anyone to install software, without explicit privileges, creates the risk that untested or potentially malicious software will be installed on the system. This requirement applies to code... |
V-223198 | Medium | For local log files, the Juniper SRX Services Gateway must allocate log storage capacity in accordance with organization-defined log record storage requirements so that the log files do not grow to a size that causes operational issues. | In order to ensure network devices have a sufficient storage capacity in which to write the logs, they need to be able to allocate audit record storage capacity. The task of allocating audit... |
V-223199 | Medium | The Juniper SRX Services Gateway must generate an immediate system alert message to the management console when a log processing failure is detected. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process logs as required. Without an immediate alert for critical system issues, security personnel... |
V-223205 | Medium | The Juniper SRX Services Gateway must be configured to synchronize internal information system clocks with the primary and secondary NTP servers for the network. | The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on log events and other... |
V-223227 | Medium | For nonlocal maintenance sessions using SSH, the Juniper SRX Services Gateway must securely configure SSHv2 with privacy options to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions. | To protect the confidentiality of nonlocal maintenance sessions when using SSH communications, SSHv2, AES ciphers, and key-exchange commands are configured. Nonlocal maintenance and diagnostic... |
V-223225 | Medium | For nonlocal maintenance sessions using SSH, the Juniper SRX Services Gateway must securely configure SSHv2 Message Authentication Code (MAC) algorithms to protect the integrity of maintenance and diagnostic communications. | To protect the integrity of nonlocal maintenance sessions, SSHv2 with MAC algorithms for integrity checking must be configured. Nonlocal maintenance and diagnostic activities are those... |
V-223222 | Medium | For local accounts using password authentication (i.e., the root account and the account of last resort), the Juniper SRX Services Gateway must enforce password complexity by requiring at least one special character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in... |
V-223223 | Medium | For local accounts using password authentication (i.e., the root account and the account of last resort) the Juniper SRX Services Gateway must use the SHA1 or later protocol for password authentication. | Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily... |
V-223206 | Medium | The Juniper SRX Services Gateway must be configured to use an authentication server to centrally manage authentication and logon settings for remote and nonlocal access. | Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is a particularly important protection against the insider threat.... |
V-223207 | Medium | The Juniper SRX Services Gateway must use DOD-approved PKI rather than proprietary or self-signed device certificates. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs. The SRX generates a key-pair and a CSR. The CSR is sent... |
V-223208 | Medium | The Juniper SRX Services Gateway must be configured to prohibit the use of unnecessary and/or nonsecure functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. | In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must... |
V-223209 | Medium | For nonlocal maintenance sessions, the Juniper SRX Services Gateway must remove or explicitly deny the use of nonsecure protocols. | If unsecured protocols (lacking cryptographic mechanisms) are used for sessions, the contents of those sessions will be susceptible to manipulation, potentially allowing alteration and hijacking... |
V-223221 | Medium | For local accounts using password authentication (i.e., the root account and the account of last resort), the Juniper SRX Services Gateway must enforce password complexity by requiring at least one numeric character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in... |
V-223228 | Medium | For nonlocal maintenance sessions, the Juniper SRX Services Gateway must ensure only zones where management functionality is desired have host-inbound-traffic system-services configured. | Add a firewall filter to protect the management interface. Note: The dedicated management interface (if present), and an interface placed in the functional zone management, will not participate in... |
V-223220 | Medium | For local accounts using password authentication (i.e., the root account and the account of last resort), the Juniper SRX Services Gateway must enforce password complexity by requiring at least one lowercase character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in... |
V-223180 | Low | The Juniper SRX Services Gateway must limit the number of concurrent sessions to a maximum of 10 or less for remote access using SSH. | The connection-limit command limits the total number of concurrent SSH sessions. To help thwart brute force authentication attacks, the connection limit should be as restrictive as operationally... |
V-223187 | Low | The Juniper SRX Services Gateway must generate a log event when privileged commands are executed. | Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious... |
V-223189 | Low | The Juniper SRX Services Gateway must display the Standard Mandatory DoD Notice and Consent Banner before granting access. | Display of the DoD-approved use notification before granting access to the network device ensures privacy and security notification verbiage used is consistent with applicable federal laws,... |
V-223188 | Low | For local accounts created on the device, the Juniper SRX Services Gateway must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Juniper SRX is unable to comply... |
V-223235 | Low | The Juniper SRX Services Gateway must implement service redundancy to protect against or limit the effects of common types of Denial of Service (DoS) attacks on the device itself. | Service redundancy may reduce the susceptibility to some DoS attacks. Organizations must consider the need for service redundancy in accordance with DoD policy. If service redundancy is required... |
V-229022 | Low | For local logging, the Juniper SRX Services Gateway must generate a message to the system management console when a log processing failure occurs. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process logs as required. Without this alert, the security personnel may be unaware of an impending... |
V-229021 | Low | The Juniper SRX Services Gateway must allow only the information system security manager (ISSM) (or administrators/roles appointed by the ISSM) to select which auditable events are to be generated and forwarded to the syslog and/or local logs. | Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured... |
V-229026 | Low | The Juniper SRX Services Gateway must specify the order in which authentication servers are used. | Specifying an authentication order implements an authentication, authorization, and accounting methods list to be used, thus allowing the implementation of redundant or backup AAA servers. These... |
V-229027 | Low | The Juniper SRX Services Gateway must detect the addition of components and issue a priority 1 alert to the ISSM and SA, at a minimum. | The network device must automatically detect the installation of unauthorized software or hardware onto the device itself. Monitoring may be accomplished on an ongoing basis or by periodic... |
V-223191 | Low | The Juniper SRX Services Gateway must generate log records when successful attempts to configure the device and use commands occur. | Without generating log records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. While the Juniper SRX... |
V-223192 | Low | The Juniper SRX Services Gateway must generate log records when changes are made to administrator privileges. | Without generating log records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an... |
V-223193 | Low | The Juniper SRX Services Gateway must generate log records when administrator privileges are deleted. | Without generating log records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an... |
V-223194 | Low | The Juniper SRX Services Gateway must generate log records when logon events occur. | Without generating log records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an... |
V-223195 | Low | The Juniper SRX Services Gateway must generate log records when privileged commands are executed. | Without generating log records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an... |
V-223196 | Low | The Juniper SRX Services Gateway must generate log records when concurrent logons from different workstations occur. | Without generating log records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an... |
V-223197 | Low | The Juniper SRX Services Gateway must generate log records containing the full-text recording of privileged commands. | Reconstruction of harmful events or forensic analysis is not possible if log records do not contain enough information. Organizations consider limiting the additional audit information to only... |
V-223204 | Low | The Juniper SRX Services Gateway must have the number of rollbacks set to 5 or more. | Backup of the configuration files allows recovery in case of corruption, misconfiguration, or catastrophic failure. The maximum number of rollbacks for the SRX is 50 while the default is 5 which... |