13:["$","div",null,{"className":"mx-auto max-w-7xl px-6 py-10","children":[["$","div",null,{"className":"mb-2","children":["$","$L2",null,{"href":"/stigs","className":"text-link text-sm hover:underline","children":"← Back to STIGs"}]}],["$","div",null,{"className":"mb-6 flex flex-wrap items-center gap-3","children":[["$","h1",null,{"className":"font-display text-3xl font-bold","children":"Juniper SRX SG NDM Security Technical Implementation Guide"}],["$","span",null,{"className":"bg-badge-archived-bg text-badge-archived-text rounded-full px-3 py-1 text-xs font-medium","children":"Archived"}],["$","$L1d",null,{}]]}],["$","section",null,{"className":"border-border bg-surface mb-8 rounded-lg border p-6","children":[["$","div",null,{"className":"grid grid-cols-2 gap-4 sm:grid-cols-5","children":[["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Version"}],["$","p",null,{"className":"font-semibold","children":["V","1","R","3"]}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Release Date"}],["$","p",null,{"className":"font-semibold","children":"Jul 26, 2019"}]]}],["$","div",null,{"className":"min-w-0","children":[["$","p",null,{"className":"text-text-muted text-xs","children":"SCAP Benchmark ID"}],["$","p",null,{"className":"truncate font-mono text-sm","title":"S-db52020ecf6f80aa15e2d982b2fcecfcc9108a80","children":"S-db52020ecf6f80aa15e2d982b2fcecfcc9108a80"}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Total Checks"}],["$","p",null,{"className":"font-semibold","children":72}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Tags"}],["$","div",null,{"className":"flex flex-wrap gap-1","children":[["$","span","network",{"className":"bg-tag-bg text-tag-text rounded-full px-2 py-0.5 text-xs","children":"network"}]]}]]}]]}],["$","div",null,{"className":"mt-4 flex gap-4","children":[["$","span",null,{"className":"bg-severity-high-bg text-severity-high-text rounded px-3 py-1 text-sm font-medium","children":["CAT I: ",5]}],["$","span",null,{"className":"bg-severity-medium-bg text-severity-medium-text rounded px-3 py-1 text-sm font-medium","children":["CAT II: ",49]}],["$","span",null,{"className":"bg-severity-low-bg text-severity-low-text rounded px-3 py-1 text-sm font-medium","children":["CAT III: ",18]}]]}],["$","p",null,{"className":"text-text-secondary mt-4 text-sm","children":"This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil."}],["$","div",null,{"className":"mt-4 flex flex-wrap gap-3","children":[["$","a",null,{"href":"/api/export/checklist?stigTitle=Juniper%20SRX%20SG%20NDM%20Security%20Technical%20Implementation%20Guide&format=ckl","className":"text-text-primary hover:bg-surface-hover border-border rounded border px-3 py-1 text-sm","children":"Export CKL"}],["$","a",null,{"href":"/api/export/checklist?stigTitle=Juniper%20SRX%20SG%20NDM%20Security%20Technical%20Implementation%20Guide&format=csv","className":"text-text-primary hover:bg-surface-hover border-border rounded border px-3 py-1 text-sm","children":"Export CSV"}],["$","a",null,{"href":"/api/export/checklist?stigTitle=Juniper%20SRX%20SG%20NDM%20Security%20Technical%20Implementation%20Guide&format=json","className":"text-text-primary hover:bg-surface-hover border-border rounded border px-3 py-1 text-sm","children":"Export JSON"}],false]}]]}],["$","$L1e",null,{"checks":[{"id":"6326cf6b-01a5-4656-bbef-4a4815872cce","vulnId":"V-66015","severity":"medium","ruleTitle":"If the loopback interface is used, the Juniper SRX Services Gateway must protect the loopback interface with firewall filters for known attacks that may exploit this interface.","description":"The loopback interface is a logical interface and has no physical port. Since the interface and addresses ranges are well-known, this port must be filtered to protect the Juniper SRX from attacks.","checkContent":"If the loopback interface is not used, this is not applicable.\n\nVerify the loopback interface is protected by firewall filters.\n\n[edit]\nshow interfaces lo0\n\nIf the loopback interface is not configured with IPv6 and IPv4 firewall filters, this is a finding.","fixText":"If the loopback interface is used, configure firewall filters. The following is an example of configuring a loopback address with filters on the device. It shows the format of both IPv4 and IPv6 addresses being applied to the interface. The first two commands show firewall filters being applied to the interface.\n\n[edit]\nset interfaces lo0 unit 0 family inet filter input protect_re\nset interfaces lo0 unit 0 family inet6 filter input protect_re-v6\nset interfaces lo0 unit 0 family inet address 1.1.1.250/32\nset interfaces lo0 unit 0 family inet6 address 2100::250/128"},{"id":"a497828f-17b8-47a5-8545-8104459345f7","vulnId":"V-66443","severity":"medium","ruleTitle":"For local accounts, the Juniper SRX Services Gateway must generate an alert message to the management console and generate a log event record that can be forwarded to the ISSO and designated system administrators when local accounts are created.","description":"$1f","checkContent":"Verify the device is configured to display change-log events of severity info.\n\n[edit]\nshow system syslog\n\nIf the system is not configured to display account creation actions on the management console and generate an event log message to the Syslog server and a local file, this is a finding.","fixText":"Configure the Juniper SRX to generate and send a notification or log message immediately that can be forwarded via an event monitoring system (e.g., via Syslog configuration, SNMP trap, manned console message, or other events monitoring system). The NSM, Syslog, or SNMP server must then be configured to send the message.\n\nThe following commands configure the device to immediately display a message to any currently logged on administrator's console when changes are made to the configuration. This is an example method. Alerts must be sent immediately to the designated individuals (e.g., via Syslog configuration, SNMP trap, manned console message, or other events monitoring system). \n\n[edit]\nset system syslog users * change-log \nset system syslog host any any\nset system syslog file account-actions change-log any any"},{"id":"57ba97a5-b555-4234-86e4-10c1099c5711","vulnId":"V-66445","severity":"medium","ruleTitle":"The Juniper SRX Services Gateway must generate an alert message to the management console and generate a log event record that can be forwarded to the ISSO and designated system administrators when the local accounts (i.e., the account of last resort or root account) are modified.","description":"$20","checkContent":"Verify the device is configured to display change-log events of severity info.\n\n[edit]\nshow system syslog\n\nIf the system does not display account modification actions on the management console and generate an event log message to the Syslog server and a local file, this is a finding.","fixText":"Configure the Juniper SRX to generate and send a notification or log message immediately that can be forwarded via an event monitoring system (e.g., via Syslog configuration, SNMP trap, manned console message, or other events monitoring system). The NSM, Syslog, or SNMP server must then be configured to send the message.\n\nThe following commands configure the device to immediately display a message to any currently logged on administrator's console when changes are made to the configuration. This is an example method. Alerts must be sent immediately to the designated individuals (e.g., via Syslog configuration, SNMP trap, manned console message, or other events monitoring system). \n\n[edit]\nset system syslog users * change-log \nset system syslog host any any\nset system syslog file account-actions change-log any any"},{"id":"1eea01a9-9a0e-43a2-8652-7867eaae62cd","vulnId":"V-66447","severity":"medium","ruleTitle":"The Juniper SRX Services Gateway must generate alerts to the management console and generate a log record that can be forwarded to the ISSO and designated system administrators when the local accounts (i.e., the account of last resort or root account) are deleted.","description":"$21","checkContent":"Verify the device is configured to display change-log events of severity info.\n\n[edit]\nshow system syslog\n\nIf the system is not configured to display account deletion actions on the management console and generate an event log message to the Syslog server and a local file, this is a finding.","fixText":"The following commands configure the device to immediately display a message to any currently logged on administrator's console when changes are made to the configuration. This is an example method. Alerts must be sent immediately to the designated individuals (e.g., via Syslog configuration, SNMP trap, manned console message, or other events monitoring system). \n\n[edit]\nset system syslog users * change-log \nset system syslog host any any\nset system syslog file account-actions change-log any any"},{"id":"5988c28d-2d1d-4bac-8273-72917364a803","vulnId":"V-66449","severity":"high","ruleTitle":"The Juniper SRX Services Gateway must be configured to use a centralized authentication server to authenticate privileged users for remote and nonlocal access for device management.","description":"$22","checkContent":"Verify the Juniper SRX is configured to forward logon requests to a RADIUS or TACACS+. \n\nFrom the CLI operational mode enter: \nshow system radius-server \nor \nshow system tacplus-server\n\nIf the Juniper SRX is not configured to use at least one RADIUS or TACACS+ server, this is a finding.","fixText":"Configure the Juniper SRX to forward logon requests to a RADIUS or TACACS+. Remove local users configured on the device (CCI-000213) so the AAA server cannot default to using a local account. \n\n[edit]\nset system tacplus-server address port 1812 secret \n\nor \n\n[edit]\nset system radius-server address port 1812 secret \n\nNote: DoD policy is that redundant AAA servers are required to mitigate the risk of a failure of the primary AAA device."},{"id":"38b116b6-7e07-4b3f-83e0-c20be333c011","vulnId":"V-66451","severity":"high","ruleTitle":"If SNMP is enabled, the Juniper SRX Services Gateway must use and securely configure SNMPv3.","description":"$23","checkContent":"Verify SNMPv3 is enabled and configured.\n\n[edit]\nshow snmp\n\nIf an SNMP stanza does not exist, this is not a finding.\n\nIf SNMPv3 is not configured to meet DoD requirements, this is a finding.\n\nIf versions earlier than SNMPv3 are enabled, this is a finding.","fixText":"$24"},{"id":"8926c746-110d-4f89-9217-fd655cd3c037","vulnId":"V-66453","severity":"high","ruleTitle":"For nonlocal maintenance sessions using SNMP, the Juniper SRX Services Gateway must use and securely configure SNMPv3 with SHA to protect the integrity of maintenance and diagnostic communications.","description":"Without cryptographic integrity protections, information can be altered by unauthorized users without detection.\n\nNonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. \n \nThe Juniper SRX allows the use of SNMP to monitor or query the device in support of diagnostics information. SNMP cannot be used to make configuration changes; however, it is a valuable diagnostic tool. SNMP is disabled by default and must be enabled for use. SNMPv3 is the DoD-required version, but must be configured to be used securely.","checkContent":"Verify SNMP is configured for version 3.\n\n[edit]\nshow snmp v3\n \nIf SNMPv3 is not configured for version 3 using SHA, this is a finding.","fixText":"Configure snmp to use version 3 with SHA authentication.\n\n[edit]\nset snmp v3 usm local-engine user authentication-sha"},{"id":"6b61a8e7-8ceb-419c-bd2c-2bbf7e40dfa8","vulnId":"V-66455","severity":"high","ruleTitle":"For nonlocal maintenance sessions using SNMP, the Juniper SRX Services Gateway must securely configure SNMPv3 with privacy options to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions.","description":"Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session.\n\nNonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. \n \nTo protect the confidentiality of nonlocal maintenance sessions, SNMPv3 with AES encryption to must be configured to provide confidentiality. The Juniper SRX allows the use of SNMPv3 to monitor or query the device in support of diagnostics information. SNMP cannot be used to make configuration changes; however, it is a valuable diagnostic tool. SNMP is disabled by default and must be enabled for use. SNMPv3 is the DoD-required version, but must be configured to be used securely.","checkContent":"Verify SNMPv3 is configured with privacy options.\n\n[edit]\nshow snmp v3\n \nIf SNMPv3, AES encryption, and other privacy options are not configured, this is a finding.","fixText":"Configure SNMP to use version 3 with privacy options. The following is an example.\n\n[edit]\nset snmp location \nset snmp v3 usm local-engine user privacy-AES128\nset snmp v3 vacm security-to-group security-model usm security-name group \nset snmp v3 vacm access group default-context-prefix security-model usm\nsecurity-level privacy read-view all\nset snmp v3 vacm access group default-context-prefix security-model usm\nsecurity-level privacy notify-view all"},{"id":"a686f5b8-6f62-46e9-bf43-b29ce8f97abc","vulnId":"V-66457","severity":"medium","ruleTitle":"The Juniper SRX Services Gateway must automatically terminate a network administrator session after organization-defined conditions or trigger events requiring session disconnect.","description":"Automatic session termination addresses the termination of administrator-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., network disconnect). \n\nConditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on information system use. These conditions will vary across environments and network device types.\n\nThe Juniper SRX can be configured to limit login times or to logout users after a certain time period if desired by the organization. These setting are configured as options on the login class to which they apply.","checkContent":"If the organization does not have a requirement for triggered, automated logout, this is not a finding.\n\nObtain a list of organization-defined triggered, automated requirements that are required for the Juniper SRX. \n\nTo verify configuration of special user access controls.\n\n[edit]\nshow system login\n\nView time-based or other triggers which are configured to control automated logout.\n\nIf the organization has documented requirements for triggered, automated termination and they are not configured, this is a finding.","fixText":"To configure user access on specific days of the week for a specified duration, include the allowed-days, access-start, and access-end statements. The following is an example of a configuration for a class which would automatically log out users. Consult the Juniper SRX documentation for other options.\n\n[edit system login]\nclass class-name allowed-days [ days-of-the-week ];\nclass class-name access-start HH:MM;\nclass class-name access-end HH:MM;"},{"id":"cd85be33-fee3-468a-8ac8-09017079ce29","vulnId":"V-66459","severity":"medium","ruleTitle":"For local accounts created on the device, the Juniper SRX Services Gateway must automatically generate log records for account creation events.","description":"Upon gaining access to a network device, an attacker will often first attempt to create a persistent method of reestablishing access. One way to accomplish this is to create a new account. Notification of account creation helps to mitigate this risk. Auditing account creation provides the necessary reconciliation that account management procedures are being followed. Without this audit trail, personnel without the proper authorization may gain access to critical network nodes.\n\nAn AAA server is required for account management in accordance with CCI-000370. Only a single account of last resort is permitted on the local device. However, since it is still possible for administrators to create local accounts either maliciously or to support mission needs, the SRX must be configured to log account management events.\n\nTo log local account management events, ensure at least one external syslog server is configured to log facility any or facility change-log, and severity info or severity any.","checkContent":"Verify the device logs change-log events of severity info or any to an external syslog server.\n\n[edit]\nshow system syslog\n\nhost {\n any ;\n source-address ;\n}\n\n-OR-\n\nhost {\n change-log ;\n source-address ;\n}\n\nIf an external syslog host is not configured to log facility change-log severity , or configured for facility any severity , this is a finding.","fixText":"Configure at least one external syslog host is configured to log facility change-log or any, and severity info or any. \n\n[edit system syslog]\nset host any \n\n -OR-\n\n[edit]\nset host change-log "},{"id":"384aab05-e69c-4695-a9eb-25ad3997b806","vulnId":"V-66461","severity":"medium","ruleTitle":"For local accounts created on the device, the Juniper SRX Services Gateway must automatically generate log records for account modification events.","description":"Upon gaining access to a network device, an attacker will often first attempt to modify existing accounts to increase/decrease privileges. Notification of account modification events help to mitigate this risk. Auditing account modification events provides the necessary reconciliation that account management procedures are being followed. Without this audit trail, personnel without the proper authorization may gain access to critical network nodes.\n\nAn AAA server is required for account management in accordance with CCI-000370. Only a single account of last resort is permitted on the local device. However, since it is still possible for administrators to create local accounts either maliciously or to support mission needs, the SRX must be configured to log account management events.\n\nTo log local account management events, ensure at least one external syslog server is configured to log facility any or facility change-log, and severity info or severity any.","checkContent":"Verify the device logs change-log events of severity info or any to an external syslog server.\n\n[edit]\nshow system syslog\n\nhost {\n any ;\n source-address ;\n}\n\n-OR-\n\nhost {\n change-log ;\n source-address ;\n}\n\nIf an external syslog host is not configured to log facility change-log severity , or configured for facility any severity , this is a finding.","fixText":"Configure at least one external syslog host is configured to log facility change-log or any, and severity info or any. \n\n[edit system syslog]\nset host any \n\n -OR-\n\n[edit]\nset host change-log "},{"id":"18774b40-aa85-4c20-91aa-fe2475478f52","vulnId":"V-66463","severity":"medium","ruleTitle":"For local accounts created on the device, the Juniper SRX Services Gateway must automatically generate log records for account disabling events.","description":"When device management accounts are disabled, user or service accessibility may be affected. Auditing also ensures authorized, active accounts remain enabled and available for use when required. Without this audit trail, personnel without the proper authorization may gain access to critical network nodes.\n\nAn AAA server is required for account management in accordance with CCI-000370. Only a single account of last resort is permitted on the local device. However, since it is still possible for administrators to create local accounts either maliciously or to support mission needs, the SRX must be configured to log account management events.\n\nTo log local account management events, ensure at least one external syslog server is configured to log facility any or facility change-log, and severity info or severity any.","checkContent":"Verify the device logs change-log events of severity info or any to an external syslog server.\n\n[edit]\nshow system syslog\n\nhost {\n any ;\n source-address ;\n}\n\n-OR-\n\nhost {\n change-log ;\n source-address ;\n}\n\nIf an external syslog host is not configured to log facility change-log severity , or configured for facility any severity , this is a finding.","fixText":"Configure at least one external syslog host is configured to log facility change-log or any, and severity info or any. \n\n[edit system syslog]\nset host any \n\n -OR-\n\n[edit]\nset host change-log "},{"id":"e8cd2841-9bf5-4947-bfcf-d4a49cc5bb4f","vulnId":"V-66465","severity":"medium","ruleTitle":"For local accounts created on the device, the Juniper SRX Services Gateway must automatically generate log records for account removal events.","description":"Auditing account removal actions will support account management procedures. When device management accounts are terminated, user or service accessibility may be affected. Auditing also ensures authorized active accounts remain enabled and available for use when required. Without this audit trail, personnel without the proper authorization may gain access to critical network nodes.\n\nAn AAA server is required for account management in accordance with CCI-000370. Only a single account of last resort is permitted on the local device. However, since it is still possible for administrators to create local accounts either maliciously or to support mission needs, the SRX must be configured to log account management events.\n\nTo log local account management events, ensure at least one external syslog server is configured to log facility any or facility change-log, and severity info or severity any.","checkContent":"Verify the device logs change-log events of severity info or any to an external syslog server.\n\n[edit]\nshow system syslog\n\nhost {\n any ;\n source-address ;\n}\n\n-OR-\n\nhost {\n change-log ;\n source-address ;\n}\n\nIf an external syslog host is not configured to log facility change-log severity , or configured for facility any severity , this is a finding.","fixText":"Configure at least one external syslog host is configured to log facility change-log or any, and severity info or any. \n\n[edit system syslog]\nset host any \n\n -OR-\n\n[edit]\nset host change-log "},{"id":"9ab8e597-d317-4a2b-9620-e5594e3b857d","vulnId":"V-66467","severity":"medium","ruleTitle":"The Juniper SRX Services Gateway must generate an alert message to the management console and generate a log event record that can be forwarded to the ISSO and designated system administrators when accounts are disabled.","description":"$25","checkContent":"Verify the device is configured to display change-log events of severity info.\n\n[edit]\nshow system syslog\n\nIf the system does not display account disabling actions on the management console and generate an event log message to the Syslog server and a local file, this is a finding.","fixText":"Configure the Juniper SRX to generate and send a notification or log message immediately that can be forwarded via an event monitoring system (e.g., via Syslog configuration, SNMP trap, manned console message, or other events monitoring system). The NSM, Syslog, or SNMP server must then be configured to send the message.\n\nThe following commands configure the device to immediately display a message to any currently logged on administrator's console when changes are made to the configuration. This is an example method. Alerts must be sent immediately to the designated individuals (e.g., via Syslog configuration, SNMP trap, manned console message, or other events monitoring system).\n\n[edit]\nset system syslog users * change-log \nset system syslog host any any\nset system syslog file account-actions change-log any any"},{"id":"cd547ff3-dbad-4749-aa65-707965f1344d","vulnId":"V-66469","severity":"medium","ruleTitle":"The Juniper SRX Services Gateway must automatically generate a log event when accounts are enabled.","description":"Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply enable a new or disabled account. Notification of account enabling is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail which documents the creation of application user accounts and notifies administrators and Information System Security Officers (ISSO). Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes.\n\nAccounts can be disabled by configuring the account with the build-in login class \"unauthorized\". When the command is reissued with a different login class, the account is enabled.","checkContent":"Verify the device is configured to display change-log events of severity info.\n\n[edit]\nshow system syslog\n\nIf the system is not configured to generate a log record when account enabling actions occur, this is a finding.","fixText":"The following commands configure the device to immediately display a message to any currently logged on administrator's console when changes are made to the configuration.\n\n[edit]\nset system syslog host any any\nset system syslog file account-actions change-log any any"},{"id":"02e77dce-5135-4a07-b6d5-c0a8e8abd384","vulnId":"V-66471","severity":"medium","ruleTitle":"The Juniper SRX Services Gateway must generate an immediate alert message to the management console for account enabling actions.","description":"In order to detect and respond to events that affect network administrator accessibility and device processing, network devices must audit account enabling actions and, as required, notify the appropriate individuals so they can investigate the event.\n\nAlerts must be sent immediately to the designated individuals (e.g., via Syslog configuration, SNMP trap, manned console message, or other events monitoring system). \n\nAccounts can be disabled by configuring the account with the built-in login class \"unauthorized\". When the command is reissued with a different login class, the account is enabled.","checkContent":"Verify the device is configured to display change-log events of severity info.\n\n[edit]\nshow system syslog\n\nIf the system is not configured to display account enabling actions on the management console, this is a finding.","fixText":"The following commands configure the device to immediately display a message to any currently logged on administrator's console when changes are made to the configuration. This is an example method. Alerts must be sent immediately to the designated individuals (e.g., via Syslog configuration, SNMP trap, manned console message, or other events monitoring system). \n\n[edit]\nset system syslog users * change-log "},{"id":"cccb2cc1-12eb-41a3-8653-3838f4022de5","vulnId":"V-66473","severity":"medium","ruleTitle":"The Juniper SRX Services Gateway must enforce the assigned privilege level for each administrator and authorizations for access to all commands by assigning a login class to all AAA-authenticated users.","description":"$26","checkContent":"Verify all accounts are assigned a user-defined (not built-in) login class with appropriate permissions configured. If the remote user is configured, it may have a user-defined, or the built-in unauthorized login class.\n\n[edit]\nshow system login\n\n Junos OS supports groups, which are centrally located snippets of code. This allows common configuration to be applied at one or more hierarchy levels without requiring duplicated stanzas. If there are no login-classes defined at [edit system login], then check for an apply-groups statement and verify appropriate configuration at the [edit groups] level.\n\n[edit]\nshow groups\n\nIf one or more account templates are not defined with an appropriate login class, this is a finding.\n\nIf more than one local account has an authentication stanza and is not documented, this is a finding.\n\nNote: Template accounts are differentiated from local accounts by the presence of an authentication stanza.","fixText":"User accounts, including the account of last resort must be assigned to a login class. \n\nConfigure the class parameters and privileges.\n\n[edit]\nSet system login class idle-timeout 10\nset system login class permissions \n\nCommit for the changes to take effect.\n\nCreate and configure template user (s).\n\n[edit]\nset system login user

Juniper SRX SG NDM Security Technical Implementation Guide

Checks (72)