| Finding ID |
Severity |
Title |
Description |
|
V-214692
|
High |
The Juniper SRX Services Gateway VPN must configure Internet Key Exchange (IKE) with SHA1 or greater to protect the authenticity of communications sessions. |
Authenticity protection provides protection against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions.
This requirement focuses on communications protection for the application session rather than for the network packet and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and... |
|
V-214690
|
High |
The Juniper SRX Services Gateway VPN Internet Key Exchange (IKE) must be configured to use an approved Commercial Solution for Classified (CSfC) when transporting classified traffic across an unclassified network. |
Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data.
The National Security Agency/Central Security Service's (NSA/CSS) CSfC Program enables commercial products to be used in layered solutions to protect classified National Security Systems (NSS) data. Currently, Suite B cryptographic algorithms are specified by... |
|
V-214686
|
High |
The Juniper SRX Services Gateway VPN must use multifactor authentication (e.g., DoD PKI) for network access to non-privileged accounts. |
To assure accountability and prevent unauthenticated access, non-privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system.
Multifactor authentication uses two or more factors to achieve authentication. Use of password for user remote access for non-privileged account is not authorized.
Factors include:
(i) Something you... |
|
V-214679
|
High |
The Juniper SRX Services Gateway VPN must not accept certificates that have been revoked when using PKI for authentication. |
Situations may arise in which the certificate issued by a Certificate Authority (CA) may need to be revoked before the lifetime of the certificate expires. For example, the certificate is known to have been compromised.
To achieve this, a list of certificates that have been revoked, known as a Certificate... |
|
V-214677
|
High |
The Juniper SRX Services Gateway VPN must use Internet Key Exchange (IKE) for IPsec VPN Security Associations (SAs). |
Without IKE, the SPI is manually specified for each security association. IKE peers will negotiate the encryption algorithm and authentication or hashing methods as well as generate the encryption keys.
An IPsec SA is established using either Internet Key Exchange (IKE) or manual configuration. When using IKE, the security associations... |
|
V-214674
|
High |
The Juniper SRX Services Gateway VPN must be configured to use Diffie-Hellman (DH) group 15 or higher. |
Use of an approved DH algorithm ensures the Internet Key Exchange (IKE) (phase 1) proposal uses FIPS-validated key management techniques and processes in the production, storage, and control of private/secret cryptographic keys. The security of the DH key exchange is based on the difficulty of solving the discrete logarithm from... |
|
V-214673
|
High |
The Juniper SRX Services Gateway VPN must use AES256 encryption for the Internet Key Exchange (IKE) proposal to protect the confidentiality of remote access sessions. |
Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. The Advance Encryption Standard (AES) algorithm is critical to ensuring the privacy of the IKE session responsible for establishing the security association and key exchange for an IPsec tunnel. AES is used for... |
|
V-214672
|
High |
The Juniper SRX Services Gateway VPN must use AES256 for the IPsec proposal to protect the confidentiality of remote access sessions. |
Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. The Advance Encryption Standard (AES) encryption is critical to ensuring the privacy of the IPsec session; it is imperative that AES is used for encryption operations.
The CNSSP 15 compliant algorithms recommended by... |
|
V-214696
|
Medium |
The Juniper SRX Services Gateway VPN must use anti-replay mechanisms for security associations. |
Anti-replay is an IPsec security mechanism at a packet level which helps to avoid unwanted users from intercepting and modifying an ESP packet.
The SRX adds a sequence number to the ESP encapsulation which is verified by the VPN peer so packets are received within a correct sequence. This will... |
|
V-214695
|
Medium |
The Juniper SRX Services Gateway VPN must disable split-tunneling for remote clients VPNs. |
Split tunneling would in effect allow unauthorized external connections, making the system more vulnerable to attack and to exfiltration of organizational information.
A VPN hardware or software client with split tunneling enabled provides an unsecured backdoor to the enclave from the Internet. With split tunneling enabled, a remote client has... |
|
V-214694
|
Medium |
The Juniper SRX Services Gateway VPN must only allow incoming VPN communications from organization-defined authorized sources routed to organization-defined authorized destinations. |
Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources.
Access control policies and access control lists implemented on devices, such as firewalls, that control the flow of network... |
|
V-214693
|
Medium |
The Juniper SRX Services Gateway VPN must only allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions. |
Untrusted certificate authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DoD-approved CA, trust of this CA has not been established.... |
|
V-214691
|
Medium |
The Juniper SRX Services Gateway VPN IKE must use NIST FIPS-validated cryptography to implement encryption services for unclassified VPN traffic. |
Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The network element must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. |
|
V-214689
|
Medium |
The Juniper SRX Services Gateway VPN must terminate all network connections associated with a communications session at the end of the session. |
Idle TCP sessions can be susceptible to unauthorized access and hijacking attacks. IKE Dead Peer Detection (DPD) is a protocol that verifies the availability of IPsec peer devices by sending encrypted IKE Phase 1 notification payloads to peers.
Note: For dynamic (remote access) VPN, the TCP keep-alive for remote access... |
|
V-214688
|
Medium |
The Juniper SRX Services Gateway VPN must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users). |
Lack of authentication and identification enables non-organizational users to gain access to the network or possibly a network element that provides opportunity for intruders to compromise resources within the network infrastructure.
This requirement only applies to components where this is specific to the function of the device or has the... |
|
V-214685
|
Medium |
The Juniper SRX Services Gateway VPN must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). |
To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system.
Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and any processes acting on behalf of... |
|
V-214684
|
Medium |
The Juniper SRX Services Gateway VPN must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. |
In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types); organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.
DoD continually assesses the ports, protocols, and services that can be used... |
|
V-214683
|
Medium |
The Juniper SRX Services Gateway VPN must use IKEv2 for IPsec VPN security associations. |
Use of IKEv2 leverages DoS protections because of improved bandwidth management and leverages more secure encryption algorithms. |
|
V-214682
|
Medium |
The Juniper SRX Services Gateway must disable or remove unnecessary network services and functions that are not used as part of its role in the architecture. |
Network devices are capable of providing a wide variety of functions (capabilities or processes) and services. Some of these functions and services are installed and enabled by default. The organization must determine which functions and services are required to perform the content filtering and other necessary core functionality for each... |
|
V-214681
|
Medium |
The Juniper SRX Services Gateway VPN must use Encapsulating Security Payload (ESP) in tunnel mode. |
ESP provides confidentiality, data origin authentication, integrity, and anti-replay services within the IPsec suite of protocols. ESP in tunnel mode ensures a secure path for communications for site-to-site VPNs and gateway to endpoints, including header information.
ESP can be deployed in either transport or tunnel mode. Transport mode is used... |
|
V-214680
|
Medium |
The Juniper SRX Services Gateway VPN must specify Perfect Forward Secrecy (PFS). |
PFS generates each new encryption key independently from the previous key. Without PFS, compromise of one key will compromise all communications.
The phase 2 (Quick Mode) Security Association (SA) is used to create an IPsec session key. Hence, its rekey or key regeneration procedure is very important. The phase 2... |
|
V-214678
|
Medium |
If IDPS inspection is performed separately from the Juniper SRX Services Gateway VPN device, the VPN must route sessions to an IDPS for inspection. |
Remote access devices, such as those providing remote access to network devices and information systems, which lack automated, capabilities increase risk and makes remote user access management difficult at best.
Remote access is access to DoD non-public information systems by an authorized user (or an information system) communicating through an... |
|
V-214676
|
Medium |
The Juniper SRX Services Gateway VPN must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies. |
Remote access devices, such as those providing remote access to network devices and information systems, which lack automated, capabilities increase risk and makes remote user access management difficult at best.
Remote access is access to DoD non-public information systems by an authorized user (or an information system) communicating through an... |
|
V-214675
|
Medium |
The Juniper SRX Services Gateway VPN must be configured to use IPsec with SHA256 or greater to negotiate hashing to protect the integrity of remote access sessions. |
Without strong cryptographic integrity protections, information can be altered by unauthorized users without detection.
Remote access VPN provides access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. |
|
V-214671
|
Medium |
The Juniper SRX Services Gateway VPN device also fulfills the role of IDPS in the architecture, the device must inspect the VPN traffic in compliance with DoD IDPS requirements. |
Remote access devices, such as those providing remote access to network devices and information systems, which lack automated, capabilities increase risk and makes remote user access management difficult at best.
Remote access is access to DoD non-public information systems by an authorized user (or an information system) communicating through an... |
|
V-214670
|
Medium |
The Juniper SRX Services Gateway VPN must renegotiate the IKE security association after 24 hours or less. |
When a VPN gateway creates an IPsec Security Association (SA), resources must be allocated to maintain the SA. These resources are wasted during periods of IPsec endpoint inactivity, which could result in the gateway’s inability to create new SAs for other endpoints, thereby preventing new sessions from connecting. The Internet... |
|
V-214669
|
Medium |
The Juniper SRX Services Gateway VPN must renegotiate the IPsec security association after 8 hours or less. |
The IPsec SA and its corresponding key will expire either after the number of seconds or amount of traffic volume has exceeded the configured limit. A new SA is negotiated before the lifetime threshold of the existing SA is reached to ensure that a new SA is ready for use... |
|
V-214668
|
Medium |
The Juniper SRX Services Gateway VPN must limit the number of concurrent sessions for user accounts to one (1) and administrative accounts to three (3), or set to an organization-defined number. |
Network element management includes the ability to control the number of users and user sessions that utilize a network element. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to DoS attacks.
This requirement addresses concurrent sessions for information system accounts and does... |
