| V-66625 | High | The Juniper SRX Services Gateway VPN Internet Key Exchange (IKE) must use cryptography that is compliant with Suite B parameters when transporting classified traffic across an unclassified network. | Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The network element must implement cryptographic modules adhering to the higher... |
| V-66619 | High | The Juniper SRX Services Gateway VPN must use Internet Key Exchange (IKE) for IPsec VPN Security Associations (SAs). | Without IKE, the SPI is manually specified for each security association. IKE peers will negotiate the encryption algorithm and authentication or hashing methods as well as generate the encryption... |
| V-66617 | High | The Juniper SRX Services Gateway VPN must use AES encryption for the Internet Key Exchange (IKE) proposal to protect the confidentiality of remote access sessions. | Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. The Advance Encryption Standard (AES) algorithm is... |
| V-66021 | High | The Juniper SRX Services Gateway VPN must use AES encryption for the IPsec proposal to protect the confidentiality of remote access sessions. | Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. The Advance Encryption Standard (AES) encryption is... |
| V-66641 | High | The Juniper SRX Services Gateway VPN must configure Internet Key Exchange (IKE) with SHA1 or greater to protect the authenticity of communications sessions. | Authenticity protection provides protection against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions.
This requirement focuses on communications... |
| V-66623 | High | The Juniper SRX Services Gateway VPN must use multifactor authentication (e.g., DoD PKI) for network access to non-privileged accounts. | To assure accountability and prevent unauthenticated access, non-privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system.
Multifactor... |
| V-66621 | High | The Juniper SRX Services Gateway VPN must not accept certificates that have been revoked when using PKI for authentication. | Situations may arise in which the certificate issued by a Certificate Authority (CA) may need to be revoked before the lifetime of the certificate expires. For example, the certificate is known to... |
| V-66665 | Medium | The Juniper SRX Services Gateway VPN must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system.
Organizational... |
| V-66653 | Medium | If IDPS inspection is performed separately from the Juniper SRX Services Gateway VPN device, the VPN must route sessions to an IDPS for inspection. | Remote access devices, such as those providing remote access to network devices and information systems, which lack automated, capabilities increase risk and makes remote user access management... |
| V-66651 | Medium | The Juniper SRX Services Gateway VPN must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies. | Remote access devices, such as those providing remote access to network devices and information systems, which lack automated, capabilities increase risk and makes remote user access management... |
| V-66657 | Medium | The Juniper SRX Services Gateway VPN must use Encapsulating Security Payload (ESP) in tunnel mode. | ESP provides confidentiality, data origin authentication, integrity, and anti-replay services within the IPsec suite of protocols. ESP in tunnel mode ensures a secure path for communications for... |
| V-66655 | Medium | The Juniper SRX Services Gateway VPN must specify Perfect Forward Secrecy (PFS). | PFS generates each new encryption key independently from the previous key. Without PFS, compromise of one key will compromise all communications.
The phase 2 (Quick Mode) Security Association... |
| V-66675 | Medium | The Juniper SRX Services Gateway VPN must only allow incoming VPN communications from organization-defined authorized sources routed to organization-defined authorized destinations. | Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth... |
| V-66659 | Medium | The Juniper SRX Services Gateway must disable or remove unnecessary network services and functions that are not used as part of its role in the architecture. | Network devices are capable of providing a wide variety of functions (capabilities or processes) and services. Some of these functions and services are installed and enabled by default. The... |
| V-66671 | Medium | The Juniper SRX Services Gateway VPN IKE must use NIST FIPS-validated cryptography to implement encryption services for unclassified VPN traffic. | Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The network element must implement cryptographic modules adhering to the higher... |
| V-66673 | Medium | The Juniper SRX Services Gateway VPN must only allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions. | Untrusted certificate authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient... |
| V-66631 | Medium | The Juniper SRX Services Gateway VPN must renegotiate the security association after 8 hours or less. | The IPsec SA and its corresponding key will expire either after the number of seconds or amount of traffic volume has exceeded the configured limit. A new SA is negotiated before the lifetime... |
| V-66643 | Medium | The Juniper SRX Services Gateway VPN must renegotiate the security association after 24 hours or less. | When a VPN gateway creates an IPsec Security Association (SA), resources must be allocated to maintain the SA. These resources are wasted during periods of IPsec endpoint inactivity, which could... |
| V-66679 | Medium | The Juniper SRX Services Gateway VPN must use anti-replay mechanisms for security associations. | Anti-replay is an IPsec security mechanism at a packet level which helps to avoid unwanted users from intercepting and modifying an ESP packet.
The SRX adds a sequence number to the ESP... |
| V-66645 | Medium | The Juniper SRX Services Gateway VPN device also fulfills the role of IDPS in the architecture, the device must inspect the VPN traffic in compliance with DoD IDPS requirements. | Remote access devices, such as those providing remote access to network devices and information systems, which lack automated, capabilities increase risk and makes remote user access management... |
| V-66669 | Medium | The Juniper SRX Services Gateway VPN must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users). | Lack of authentication and identification enables non-organizational users to gain access to the network or possibly a network element that provides opportunity for intruders to compromise... |
| V-66647 | Medium | The Juniper SRX Services Gateway VPN must implement a FIPS-140-2 validated Diffie-Hellman (DH) group. | Use of an approved DH algorithm ensures the Internet Key Exchange (IKE) (phase 1) proposal uses FIPS-validated key management techniques and processes in the production, storage, and control of... |
| V-66649 | Medium | The Juniper SRX Services Gateway VPN must be configured to use IPsec with SHA1 or greater to negotiate hashing to protect the integrity of remote access sessions. | Without strong cryptographic integrity protections, information can be altered by unauthorized users without detection.
Remote access VPN provides access to DoD non-public information systems by... |
| V-66661 | Medium | The Juniper SRX Services Gateway VPN must use IKEv2 for IPsec VPN security associations. | Use of IKEv2 leverages DoS protections because of improved bandwidth management and leverages more secure encryption algorithms. |
| V-66667 | Medium | The Juniper SRX Services Gateway VPN must use FIPS 140-2 compliant mechanisms for authentication to a cryptographic module. | Unapproved mechanisms that are used for authentication to the cryptographic module are not verified, and therefore cannot be relied upon to provide confidentiality or integrity and DoD data may be... |
| V-66629 | Medium | The Juniper SRX Services Gateway VPN must limit the number of concurrent sessions for user accounts to one (1) and administrative accounts to three (3), or set to an organization-defined number. | Network element management includes the ability to control the number of users and user sessions that utilize a network element. Limiting the number of allowed users and sessions per user is... |
| V-66663 | Medium | The Juniper SRX Services Gateway VPN must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. | In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types); organizations must... |
| V-66677 | Medium | The Juniper SRX Services Gateway VPN must disable split-tunneling for remote clients VPNs. | Split tunneling would in effect allow unauthorized external connections, making the system more vulnerable to attack and to exfiltration of organizational information.
A VPN hardware or software... |
| V-66681 | Low | The Juniper SRX Services Gateway VPN must terminate all network connections associated with a communications session at the end of the session. | Idle TCP sessions can be susceptible to unauthorized access and hijacking attacks. By default, routers do not continually test whether a previously connected TCP endpoint is still reachable. If... |
