Juniper SRX Services Gateway NDM Security Technical Implementation Guide

Overview

Version: 3
Date: 2024-12-20
Finding Count: 68 (CAT I (High): 8; CAT II (Medium): 43; CAT III (Low): 17)

STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Findings - All

Finding ID | Severity | Title | Description
V-229025 | High | The Juniper SRX Services Gateway must be configured to use a centralized authentication server to authenticate privileged users for remote and nonlocal access for device management. | Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is a particularly important protection against the insider threat. Audit records for administrator accounts access to the organization's network devices can be more readily analyzed for trends and anomalies. The alternative method of defining...
V-223237 | High | For nonlocal maintenance sessions, the Juniper SRX Services Gateway must explicitly deny the use of J-Web. | If unsecured functions (lacking FIPS-validated cryptographic mechanisms) are used for management sessions, the contents of those sessions are susceptible to manipulation, potentially allowing alteration and hijacking. J-Web (configured using the system services web-management option) does not meet the DoD requirement for management tools. It also does not work with all...
V-223227 | High | The Juniper SRX Services Gateway must use SSHv2 with privacy options to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions using SSH. | To protect the confidentiality of nonlocal maintenance sessions when using SSH communications, SSHv2, AES ciphers, and key-exchange commands are configured. Nonlocal maintenance and diagnostic activities are activities conducted by individuals communicating through an external network (e.g., the internet) or internal network. The SSHv2 protocol suite includes Layer 7 protocols such...
V-223226 | High | The Juniper SRX Services Gateway must securely configure SNMPv3 with privacy options to protect the confidentiality of nonlocal maintenance and diagnostic communications using SNMP. | Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Nonlocal maintenance and diagnostic activities are activities conducted by individuals communicating through an external network (e.g., the internet) or internal network. To protect the confidentiality of nonlocal maintenance sessions, SNMPv3 with AES encryption...
V-223225 | High | The Juniper SRX Services Gateway must securely configure SSHv2 FIPS 140-2/140-3 validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of maintenance and diagnostic communications for nonlocal maintenance sessions. | To protect the integrity of nonlocal maintenance sessions, SSHv2 with HMAC algorithms for integrity checking must be configured. Nonlocal maintenance and diagnostic activities are activities conducted by individuals communicating through an external network (e.g., the internet) or internal network. The SSHv2 protocol suite includes Layer 7 protocols such as SCP...
V-223224 | High | For nonlocal maintenance sessions using SNMP, the Juniper SRX Services Gateway must use and securely configure SNMPv3 with SHA256 or higher to protect the integrity of maintenance and diagnostic communications. | Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Nonlocal maintenance and diagnostic activities are activities conducted by individuals communicating through an external network (e.g., the internet) or internal network. The Juniper SRX allows the use of SNMP to monitor or query the device in support...
V-223223 | High | The Juniper SRX Services Gateway must use the SHA256 or later protocol for password authentication for local accounts using password authentication (i.e., the root account and the account of last resort). | Passwords must be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.
V-223211 | High | The Juniper SRX Services Gateway must use and securely configure SNMPv3 if SNMP is enabled. | To prevent nonsecure protocol communications with the organization's local SNMPv3 services, the SNMP client on the Juniper SRX must be configured for proper identification and strong cryptographically based protocol for authentication. SNMPv3 defines a user-based security model (USM) and a view-based access control model (VACM). SNMPv3 USM provides data integrity,...
V-229029 | Medium | The Juniper SRX Services Gateway must reveal log messages or management console alerts only to the ISSO, ISSM, and SA roles. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state. Additionally, sensitive account information must not be revealed through error messages to unauthorized personnel or their designated representatives. Although, based on policy, administrator accounts must be...
V-229028 | Medium | The Juniper SRX Services Gateway must generate an alarm or send an alert message to the management console when a component failure is detected. | Component (e.g., chassis, file storage, file corruption) failure may cause the system to become unavailable, which could result in mission failure since the network would be operating without a critical security traffic inspection or access function. Alerts provide organizations with urgent messages. Real-time alerts provide these messages at information technology...
V-229024 | Medium | The Juniper SRX Services Gateway must be configured to use an authentication server to centrally apply authentication and logon settings for remote and nonlocal access for device management. | Centralized application (e.g., TACACS+, RADIUS) of authentication settings increases the security of remote and nonlocal access methods. This control is a particularly important protection against the insider threat. Audit records for administrator accounts access to the organization's network devices can be more readily analyzed for trends and anomalies. The alternative...
V-229023 | Medium | In the event that communications with the events server are lost, the Juniper SRX Services Gateway must continue to queue log records locally. | It is critical that when the network device is at risk of failing to process logs as required, it take action to mitigate the failure. Log processing failures include: software/hardware errors; failures in the log capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to log failure depend...
V-229019 | Medium | The Juniper SRX Services Gateway must generate an immediate alert message to the management console for account enabling actions. | In order to detect and respond to events that affect network administrator accessibility and device processing, network devices must audit account enabling actions and, as required, notify the appropriate individuals so they can investigate the event. Alerts must be sent immediately to the designated individuals (e.g., via Syslog configuration, SNMP...
V-229018 | Medium | The Juniper SRX Services Gateway must generate alerts to the management console and generate a log record that can be forwarded to the ISSO and designated system administrators when the local accounts (i.e., the account of last resort or root account) are deleted. | An authorized insider or individual who maliciously deletes a local account could gain immediate access from a remote location to privileged information on a critical security device. Sending an alert to the administrators and ISSO when this action occurs greatly reduces the risk that accounts will be surreptitiously deleted. Automated...
V-229017 | Medium | The Juniper SRX Services Gateway must generate an alert message to the management console and generate a log event record that can be forwarded to the ISSO and designated system administrators when accounts are disabled. | An authorized insider or individual who maliciously disables a local account could gain immediate access from a remote location to privileged information on a critical security device. Sending an alert to the administrators and ISSO when this action occurs greatly reduces the risk that accounts will be surreptitiously disabled. Automated...
V-229016 | Medium | The Juniper SRX Services Gateway must generate an alert message to the management console and generate a log event record that can be forwarded to the ISSO and designated system administrators when the local accounts (i.e., the account of last resort or root account) are modified. | An authorized insider or individual who maliciously modifies a local account could gain immediate access from a remote location to privileged information on a critical security device. Sending an alert to the administrators and ISSO when this action occurs greatly reduces the risk that accounts will be surreptitiously modified. Automated...
V-229015 | Medium | For local accounts, the Juniper SRX Services Gateway must generate an alert message to the management console and generate a log event record that can be forwarded to the ISSO and designated system administrators when local accounts are created. | An authorized insider or individual who maliciously creates a local account could gain immediate access from a remote location to privileged information on a critical security device. Sending an alert to the administrators and ISSO when this action occurs greatly reduces the risk that accounts will be surreptitiously created. Automated...
V-229014 | Medium | The Juniper SRX Services Gateway must automatically terminate a network administrator session after organization-defined conditions or trigger events requiring session disconnect. | Automatic session termination addresses the termination of administrator-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., network disconnect). Conditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of...
V-223236 | Medium | The Juniper SRX Services Gateway must be configured to use Junos 12.1X46 or later to meet the minimum required version for DoD. | Earlier versions of Junos may have reached the end of life cycle support by the vendor. Junos 12.1X46 is not a UC APL certified version, while 12.1X46 is UC APL Certified. The SRX with Junos 12.1X46 has been NIAP certified as a firewall and VPN. Junos 12.1X46 contains a number...
V-223234 | Medium | The Juniper SRX Services Gateway must limit the number of sessions per minute to an organization-defined number for SSH to protect remote access management from unauthorized access. | The rate-limit command limits the number of SSH session attempts allowed per minute, which helps limit an attacker's ability to perform DoS attacks. The rate limit should be as restrictive as operationally practical. Juniper Networks recommends a best practice of 4 for the rate limit; however, the limit should be...
V-223233 | Medium | The Juniper SRX Services Gateway must configure the control plane to protect against or limit the effects of common types of Denial of Service (DoS) attacks on the device itself by configuring applicable system options and internet-options. | DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. Juniper SRX uses the system commands, system internet-options, and screens to mitigate the impact of DoS attacks on device availability.
V-223232 | Medium | The Juniper SRX Services Gateway must terminate a device management session if the keep-alive count is exceeded. | Configuring the keep-alive for management protocols mitigates the risk of an open connection being hijacked by an attacker. The keep-alive messages and the interval between each message are used to force the system to disconnect a user that has lost network connectivity to the device. This differs from inactivity timeouts...
V-223231 | Medium | The Juniper SRX Services Gateway must terminate a device management session after 10 minutes of inactivity, except to fulfill documented and validated mission requirements. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session. Quickly terminating an idle session also frees up resources. This requirement does not mean that the device terminates all sessions or network access; it only ends...
V-223228 | Medium | For nonlocal maintenance sessions, the Juniper SRX Services Gateway must ensure only zones where management functionality is desired have host-inbound-traffic system-services configured. | Add a firewall filter to protect the management interface. Note: The dedicated management interface (if present), and an interface placed in the functional zone management, will not participate in routing network traffic. It will only support device management traffic. The host-inbound-traffic feature of the SRX is an additional layer of...
V-223222 | Medium | For local accounts using password authentication (i.e., the root account and the account of last resort), the Juniper SRX Services Gateway must enforce password complexity by requiring at least one special character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it...
V-223221 | Medium | For local accounts using password authentication (i.e., the root account and the account of last resort), the Juniper SRX Services Gateway must enforce password complexity by requiring at least one numeric character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it...
V-223220 | Medium | For local accounts using password authentication (i.e., the root account and the account of last resort), the Juniper SRX Services Gateway must enforce password complexity by requiring at least one lowercase character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it...
V-223219 | Medium | For local accounts using password authentication (i.e., the root account and the account of last resort), the Juniper SRX Services Gateway must enforce password complexity by requiring at least one uppercase character be used. | Use of complex passwords helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it...
V-223218 | Medium | For local accounts using password authentication (i.e., the root account and the account of last resort), the Juniper SRX Services Gateway must enforce password complexity by setting the password change type to character sets. | Use of complex passwords helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. The password change-type command specifies whether a minimum number of character-sets or...
V-223217 | Medium | For local accounts using password authentication (i.e., the root account and the account of last resort), the Juniper SRX Services Gateway must enforce a minimum 15-character password length. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Use of more characters in a password helps...
V-223216 | Medium | The Juniper SRX Services Gateway must implement replay-resistant authentication mechanisms for network access to privileged accounts. | A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by...
V-223215 | Medium | The Juniper SRX Services Gateway must be configured with only one local user account to be used as the account of last resort. | Without centralized management, credentials for some network devices will be forgotten, leading to delays in administration, which itself leads to delays in remediating production problems and in addressing compromises in a timely fashion. Maintaining local administrator accounts for daily usage on each network device without centralized management is not scalable...
V-223214 | Medium | The Juniper SRX Services Gateway must ensure TCP forwarding is disabled for SSH to prevent unauthorized access. | Use this configuration option to prevent a user from creating an SSH tunnel over a CLI session to the Juniper SRX via SSH. This type of tunnel could be used to forward TCP traffic, bypassing any firewall filters or ACLs, allowing unauthorized access.
V-223213 | Medium | The Juniper SRX Services Gateway must ensure access to start a UNIX-level shell is restricted to only the root account. | Restricting the privilege to create a UNIX-level shell limits access to this powerful function. System administrators, regardless of their other permissions, will need to also know the root password for this access, thus limiting the possibility of malicious or accidental circumvention of security controls.
V-223212 | Medium | The Juniper SRX Services Gateway must ensure SSH is disabled for root user logon to prevent remote access using the root account. | Since the identity of the root account is well-known for systems based upon Linux or UNIX and this account does not have a setting to limit access attempts, there is risk of a brute force attack on the password. Root access would give superuser access to an attacker. Preventing attackers...
V-223209 | Medium | For nonlocal maintenance sessions, the Juniper SRX Services Gateway must remove or explicitly deny the use of nonsecure protocols. | If unsecured protocols (lacking cryptographic mechanisms) are used for sessions, the contents of those sessions will be susceptible to manipulation, potentially allowing alteration and hijacking of maintenance sessions. Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet)...
V-223208 | Medium | The Juniper SRX Services Gateway must be configured to prohibit the use of unnecessary and/or nonsecure functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. | In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable unused or unnecessary physical and logical ports/protocols on information systems. The control plane is responsible for operating most of the system services on the...
V-223207 | Medium | The Juniper SRX Services Gateway must use DOD-approved PKI rather than proprietary or self-signed device certificates. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs. The SRX generates a key-pair and a CSR. The CSR is sent to the approved Certification Authority (CA), who signs it and returns it as a certificate. That certificate is...
V-223206 | Medium | The Juniper SRX Services Gateway must be configured to use an authentication server to centrally manage authentication and logon settings for remote and nonlocal access. | Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is a particularly important protection against the insider threat. Audit records for administrator accounts access to the organization's network devices can be more readily analyzed for trends and anomalies. The alternative method of defining...
V-223205 | Medium | The Juniper SRX Services Gateway must be configured to synchronize internal information system clocks with the primary and secondary NTP servers for the network. | The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on log events and other functions. Multiple time sources provide redundancy by including a secondary source. Time synchronization is usually a hierarchy; clients synchronize time...
V-223203 | Medium | If the loopback interface is used, the Juniper SRX Services Gateway must protect the loopback interface with firewall filters for known attacks that may exploit this interface. | The loopback interface is a logical interface and has no physical port. Since the interface and address ranges are well-known, this port must be filtered to protect the Juniper SRX from attacks.
V-223202 | Medium | The Juniper SRX Services Gateway must implement logon roles to ensure only authorized roles are allowed to install software and updates. | Allowing anyone to install software, without explicit privileges, creates the risk that untested or potentially malicious software will be installed on the system. This requirement applies to code changes and upgrades for all network devices. For example, audit admins and the account of last resort are not allowed to perform...
V-223201 | Medium | The Juniper SRX Services Gateway must record time stamps for log records using Coordinated Universal Time (UTC). | If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis. UTC is normally used in DoD; however, Greenwich Mean Time (GMT) may be used if needed for mission requirements.
V-223199 | Medium | The Juniper SRX Services Gateway must generate an immediate system alert message to the management console when a log processing failure is detected. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process logs as required. Without an immediate alert for critical system issues, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely...
V-223198 | Medium | For local log files, the Juniper SRX Services Gateway must allocate log storage capacity in accordance with organization-defined log record storage requirements so that the log files do not grow to a size that causes operational issues. | In order to ensure network devices have a sufficient storage capacity in which to write the logs, they need to be able to allocate audit record storage capacity. The task of allocating audit record storage capacity is usually performed during initial device setup if it is modifiable. The amount allocated...
V-223186 | Medium | The Juniper SRX Services Gateway must enforce the assigned privilege level for each administrator and authorizations for access to all commands by assigning a login class to all AAA-authenticated users. | To mitigate the risk of unauthorized privileged access to the device, administrators must be assigned only the privileges needed to perform the tasks assigned to their roles. Although use of an AAA server is required for non-local access for device management, the SRX must also be configured to implement the...
V-223185 | Medium | The Juniper SRX Services Gateway must automatically generate a log event when accounts are enabled. | Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply enable a new or disabled account. Notification of account enabling is one method for mitigating this risk. A...
V-223184 | Medium | For local accounts created on the device, the Juniper SRX Services Gateway must automatically generate log records for account removal events. | Auditing account removal actions will support account management procedures. When device management accounts are terminated, user or service accessibility may be affected. Auditing also ensures authorized active accounts remain enabled and available for use when required. Without this audit trail, personnel without the proper authorization may gain access to critical...
V-223183 | Medium | For local accounts created on the device, the Juniper SRX Services Gateway must automatically generate log records for account disabling events. | When device management accounts are disabled, user or service accessibility may be affected. Auditing also ensures authorized, active accounts remain enabled and available for use when required. Without this audit trail, personnel without the proper authorization may gain access to critical network nodes. An AAA server is required for account...
V-223182 | Medium | For local accounts created on the device, the Juniper SRX Services Gateway must automatically generate log records for account modification events. | Upon gaining access to a network device, an attacker will often first attempt to modify existing accounts to increase/decrease privileges. Notification of account modification events helps to mitigate this risk. Auditing account modification events provides the necessary reconciliation that account management procedures are being followed. Without this audit trail, personnel...
V-223181 | Medium | For local accounts created on the device, the Juniper SRX Services Gateway must automatically generate log records for account creation events. | Upon gaining access to a network device, an attacker will often first attempt to create a persistent method of reestablishing access. One way to accomplish this is to create a new account. Notification of account creation helps to mitigate this risk. Auditing account creation provides the necessary reconciliation that account...
V-229027 | Low | The Juniper SRX Services Gateway must detect the addition of components and issue a priority 1 alert to the ISSM and SA, at a minimum. | The network device must automatically detect the installation of unauthorized software or hardware onto the device itself. Monitoring may be accomplished on an ongoing basis or by periodic monitoring. Automated mechanisms can be implemented within the network device and/or in another separate information system or device. If the addition of...
V-229026 | Low | The Juniper SRX Services Gateway must specify the order in which authentication servers are used. | Specifying an authentication order implements an authentication, authorization, and accounting methods list to be used, thus allowing the implementation of redundant or backup AAA servers. These commands also ensure that a default method or order will not be used by the device (e.g., local passwords). The Juniper SRX must specify...
V-229022 | Low | For local logging, the Juniper SRX Services Gateway must generate a message to the system management console when a log processing failure occurs. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process logs as required. Without this alert, the security personnel may be unaware of an impending failure of the log capability and system operation may be adversely affected. Alerts provide organizations...
V-229021 | Low | The Juniper SRX Services Gateway must allow only the information system security manager (ISSM) (or administrators/roles appointed by the ISSM) to select which auditable events are to be generated and forwarded to the syslog and/or local logs. | Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the log. Misconfigured audits may also make it more difficult to establish, correlate, and...
V-223235 | Low | The Juniper SRX Services Gateway must implement service redundancy to protect against or limit the effects of common types of Denial of Service (DoS) attacks on the device itself. | Service redundancy may reduce the susceptibility to some DoS attacks. Organizations must consider the need for service redundancy in accordance with DoD policy. If service redundancy is required, then this technical control is applicable. The Juniper SRX can configure your system to monitor the health of the interfaces belonging to...
V-223204 | Low | The Juniper SRX Services Gateway must have the number of rollbacks set to 5 or more. | Backup of the configuration files allows recovery in case of corruption, misconfiguration, or catastrophic failure. The maximum number of rollbacks for the SRX is 50, while the default is 5, which is recommended as a best practice. Increasing this backup configuration number will result in increased disk usage and increase...
V-223197 | Low | The Juniper SRX Services Gateway must generate log records containing the full-text recording of privileged commands. | Reconstruction of harmful events or forensic analysis is not possible if log records do not contain enough information. Organizations consider limiting the additional audit information to only that information explicitly needed for specific audit requirements. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the...
V-223196 | Low | The Juniper SRX Services Gateway must generate log records when concurrent logons from different workstations occur. | Without generating log records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
V-223195 | Low | The Juniper SRX Services Gateway must generate log records when privileged commands are executed. | Without generating log records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
V-223194 | Low | The Juniper SRX Services Gateway must generate log records when logon events occur. | Without generating log records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
V-223193 | Low | The Juniper SRX Services Gateway must generate log records when administrator privileges are deleted. | Without generating log records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
V-223192 | Low | The Juniper SRX Services Gateway must generate log records when changes are made to administrator privileges. | Without generating log records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
V-223191 | Low | The Juniper SRX Services Gateway must generate log records when successful attempts to configure the device and use commands occur. | Without generating log records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. While the Juniper SRX inherently has the capability to generate log records, by default only the high facility levels are captured to local...
V-223189 | Low | The Juniper SRX Services Gateway must display the Standard Mandatory DoD Notice and Consent Banner before granting access. | Display of the DoD-approved use notification before granting access to the network device ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users. The Standard...
V-223188 | Low | For local accounts created on the device, the Juniper SRX Services Gateway must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Juniper SRX is unable to comply with the 15-minute time period part of this control.
V-223187 | Low | The Juniper SRX Services Gateway must generate a log event when privileged commands are executed. | Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and...
V-223180 | Low | The Juniper SRX Services Gateway must limit the number of concurrent sessions to a maximum of 10 or less for remote access using SSH. | The connection-limit command limits the total number of concurrent SSH sessions. To help thwart brute force authentication attacks, the connection limit should be as restrictive as operationally practical. Juniper Networks recommends the best practice of setting 10 (or less) for the connection-limit. This configuration will permit up to 10 users...