Juniper SRX SG VPN Security Technical Implementation Guide


Overview

Date: 2017-10-03
Finding Count: 29 (CAT I (High): 7, CAT II (Med): 21, CAT III (Low): 1)
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Findings (MAC III - Administrative Classified)

Finding ID Severity Title
V-66625 High The Juniper SRX Services Gateway VPN Internet Key Exchange (IKE) must use cryptography that is compliant with Suite B parameters when transporting classified traffic across an unclassified network.
V-66619 High The Juniper SRX Services Gateway VPN must use Internet Key Exchange (IKE) for IPsec VPN Security Associations (SAs).
V-66617 High The Juniper SRX Services Gateway VPN must use AES encryption for the Internet Key Exchange (IKE) proposal to protect the confidentiality of remote access sessions.
V-66021 High The Juniper SRX Services Gateway VPN must use AES encryption for the IPsec proposal to protect the confidentiality of remote access sessions.
V-66641 High The Juniper SRX Services Gateway VPN must configure Internet Key Exchange (IKE) with SHA1 or greater to protect the authenticity of communications sessions.
V-66623 High The Juniper SRX Services Gateway VPN must use multifactor authentication (e.g., DoD PKI) for network access to non-privileged accounts.
V-66621 High The Juniper SRX Services Gateway VPN must not accept certificates that have been revoked when using PKI for authentication.
V-66665 Medium The Juniper SRX Services Gateway VPN must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
V-66653 Medium If IDPS inspection is performed separately from the Juniper SRX Services Gateway VPN device, the VPN must route sessions to an IDPS for inspection.
V-66651 Medium The Juniper SRX Services Gateway VPN must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.
V-66657 Medium The Juniper SRX Services Gateway VPN must use Encapsulating Security Payload (ESP) in tunnel mode.
V-66655 Medium The Juniper SRX Services Gateway VPN must specify Perfect Forward Secrecy (PFS).
V-66675 Medium The Juniper SRX Services Gateway VPN must only allow incoming VPN communications from organization-defined authorized sources routed to organization-defined authorized destinations.
V-66659 Medium The Juniper SRX Services Gateway must disable or remove unnecessary network services and functions that are not used as part of its role in the architecture.
V-66671 Medium The Juniper SRX Services Gateway VPN IKE must use NIST FIPS-validated cryptography to implement encryption services for unclassified VPN traffic.
V-66673 Medium The Juniper SRX Services Gateway VPN must only allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions.
V-66631 Medium The Juniper SRX Services Gateway VPN must renegotiate the security association after 8 hours or less.
V-66643 Medium The Juniper SRX Services Gateway VPN must renegotiate the security association after 24 hours or less.
V-66679 Medium The Juniper SRX Services Gateway VPN must use anti-replay mechanisms for security associations.
V-66645 Medium If the Juniper SRX Services Gateway VPN device also fulfills the role of IDPS in the architecture, the device must inspect the VPN traffic in compliance with DoD IDPS requirements.
V-66669 Medium The Juniper SRX Services Gateway VPN must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).
V-66647 Medium The Juniper SRX Services Gateway VPN must implement a FIPS-140-2 validated Diffie-Hellman (DH) group.
V-66649 Medium The Juniper SRX Services Gateway VPN must be configured to use IPsec with SHA1 or greater to negotiate hashing to protect the integrity of remote access sessions.
V-66661 Medium The Juniper SRX Services Gateway VPN must use IKEv2 for IPsec VPN security associations.
V-66667 Medium The Juniper SRX Services Gateway VPN must use FIPS 140-2 compliant mechanisms for authentication to a cryptographic module.
V-66629 Medium The Juniper SRX Services Gateway VPN must limit the number of concurrent sessions for user accounts to one (1) and administrative accounts to three (3), or set to an organization-defined number.
V-66663 Medium The Juniper SRX Services Gateway VPN must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
V-66677 Medium The Juniper SRX Services Gateway VPN must disable split-tunneling for remote client VPNs.
V-66681 Low The Juniper SRX Services Gateway VPN must terminate all network connections associated with a communications session at the end of the session.