← Back to Juniper SRX SG NDM Security Technical Implementation Guide

V-66603

CAT III (Low)

The Juniper SRX Services Gateway must implement service redundancy to protect against or limit the effects of common types of Denial of Service (DoS) attacks on the device itself.

Rule ID

SV-81093r1_rule

STIG

Juniper SRX SG NDM Security Technical Implementation Guide

Version

V1R3

CCIs

CCI-002385

Discussion

Service redundancy, may reduce the susceptibility to some DoS attacks. Organizations must consider the need for service redundancy in accordance with DoD policy. If service redundancy is required then this technical control is applicable. The Juniper SRX can configure your system to monitor the health of the interfaces belonging to a redundancy group.

Check Content

If service redundancy is not required by the organization's policy, this is not a finding.

Verify the configuration is working properly: 

[edit]
show chassis cluster interfaces command.

If service redundancy is not configured, this is a finding.

Fix Text

Interfaces can be monitored by a redundancy group for automatic failover to another node. Assign a weight to the interface to be monitored.

This configuration is an extremely complex configuration. Consult the vendor documentation.

Set the chassis cluster node ID and cluster ID. 
Configure the chassis cluster management interface.
Configure the chassis cluster fabric.
Configure the chassis cluster redundancy group 
Specify the interface to be monitored by a redundancy group. 

Specify the interface to be monitored by a redundancy group. Example:
[edit]
set chassis cluster redundancy-group 1 interface-monitor ge-6/0/2 weight 255