UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

For nonlocal maintenance sessions, the Juniper SRX Services Gateway must ensure only zones where management functionality is desired have host-inbound-traffic system-services configured.


Overview

Finding ID Version Rule ID IA Controls Severity
V-223228 JUSX-DM-000152 SV-223228r961557_rule Medium
Description
Add a firewall filter to protect the management interface. Note: The dedicated management interface (if present), and an interface placed in the functional zone management, will not participate in routing network traffic. It will only support device management traffic. The host-inbound-traffic feature of the SRX is an additional layer of security for system services. This function can be configured on either a per zone or a per interface basis within each individual security zone. By default, a security zone has all system services disabled, which means that it will not accept any inbound management or protocol requests on the control plane without explicitly enabling the service at either the interface or zone in the security zone stanzas.
STIG Date
Juniper SRX SG NDM Security Technical Implementation Guide 2024-06-10

Details

Check Text ( C-24901r513371_chk )
Verify only those zones where management functionality is allowed have host-inbound-traffic system-services configured and that protocols such as HTTP and HTTPS are not assigned to these zones.

[edit]
show security zones functional-zone management

If zones configured for host-inbound-traffic system-services have protocols other than SSH configured, this is a finding.
Fix Text (F-24889r513372_fix)
Remove host-inbound-traffic systems-services option from zones not authorized for management traffic.

Remove unauthorized protocols (e.g., HTTP, HTTPS) from management zones that are configured to allow host-inbound-traffic system-services.