13:["$","div",null,{"className":"mx-auto max-w-7xl px-6 py-10","children":[["$","div",null,{"className":"mb-2","children":["$","$L2",null,{"href":"/stigs","className":"text-link text-sm hover:underline","children":"← Back to STIGs"}]}],["$","div",null,{"className":"mb-6 flex flex-wrap items-center gap-3","children":[["$","h1",null,{"className":"font-display text-3xl font-bold","children":"Juniper SRX SG VPN Security Technical Implementation Guide"}],["$","span",null,{"className":"bg-badge-archived-bg text-badge-archived-text rounded-full px-3 py-1 text-xs font-medium","children":"Archived"}],["$","$L1d",null,{}]]}],["$","section",null,{"className":"border-border bg-surface mb-8 rounded-lg border p-6","children":[["$","div",null,{"className":"grid grid-cols-2 gap-4 sm:grid-cols-5","children":[["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Version"}],["$","p",null,{"className":"font-semibold","children":["V","1","R","2"]}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Release Date"}],["$","p",null,{"className":"font-semibold","children":"Oct 27, 2017"}]]}],["$","div",null,{"className":"min-w-0","children":[["$","p",null,{"className":"text-text-muted text-xs","children":"SCAP Benchmark ID"}],["$","p",null,{"className":"truncate font-mono text-sm","title":"S-b57ec49509f16756d0a877114eb5cdfc0a81fc85","children":"S-b57ec49509f16756d0a877114eb5cdfc0a81fc85"}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Total Checks"}],["$","p",null,{"className":"font-semibold","children":29}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Tags"}],["$","div",null,{"className":"flex flex-wrap gap-1","children":[["$","span","network",{"className":"bg-tag-bg text-tag-text rounded-full px-2 py-0.5 text-xs","children":"network"}]]}]]}]]}],["$","div",null,{"className":"mt-4 flex gap-4","children":[["$","span",null,{"className":"bg-severity-high-bg text-severity-high-text rounded px-3 py-1 text-sm font-medium","children":["CAT I: ",7]}],["$","span",null,{"className":"bg-severity-medium-bg text-severity-medium-text rounded px-3 py-1 text-sm font-medium","children":["CAT II: ",21]}],["$","span",null,{"className":"bg-severity-low-bg text-severity-low-text rounded px-3 py-1 text-sm font-medium","children":["CAT III: ",1]}]]}],["$","p",null,{"className":"text-text-secondary mt-4 text-sm","children":"This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil."}],["$","div",null,{"className":"mt-4 flex flex-wrap gap-3","children":[["$","a",null,{"href":"/api/export/checklist?stigTitle=Juniper%20SRX%20SG%20VPN%20Security%20Technical%20Implementation%20Guide&format=ckl","className":"text-text-primary hover:bg-surface-hover border-border rounded border px-3 py-1 text-sm","children":"Export CKL"}],["$","a",null,{"href":"/api/export/checklist?stigTitle=Juniper%20SRX%20SG%20VPN%20Security%20Technical%20Implementation%20Guide&format=csv","className":"text-text-primary hover:bg-surface-hover border-border rounded border px-3 py-1 text-sm","children":"Export CSV"}],["$","a",null,{"href":"/api/export/checklist?stigTitle=Juniper%20SRX%20SG%20VPN%20Security%20Technical%20Implementation%20Guide&format=json","className":"text-text-primary hover:bg-surface-hover border-border rounded border px-3 py-1 text-sm","children":"Export JSON"}],false]}]]}],["$","$L1e",null,{"checks":[{"id":"7f625ac4-2613-4a61-b081-bfb60d4a488f","vulnId":"V-66021","severity":"high","ruleTitle":"The Juniper SRX Services Gateway VPN must use AES encryption for the IPsec proposal to protect the confidentiality of remote access sessions.","description":"Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. The Advance Encryption Standard (AES) encryption is critical to ensuring the privacy of the IPsec session; it is imperative that AES is used for encryption operations.\n\nRemote access is access to DoD-non-public information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless connections.\n\nWhile there is much debate about the security and performance of AES, there is a consensus that AES is significantly more secure than other algorithms currently supported by IPsec implementations. AES is available in three key sizes: 128, 192, and 256 bits, versus the 56 bit DES. Therefore, there are approximately 1021 times more AES 128-bit keys than DES 56-bit keys. In addition, AES uses a block size of 128 bits—twice the size of DES or 3DES.","checkContent":"Verify all Internet Key Exchange (IKE) proposals are set to use the AES encryption algorithm.\n\n[edit]\nshow security ipsec\n\nView the value of the encryption algorithm for each defined proposal.\n\nIf the value of the encryption algorithm for any IPsec proposal is not set to use an AES algorithm, this is a finding.","fixText":"The following example commands configure the IPsec (phase 2) proposals. The option may also be configured to use the aes-128-cbc, aes-192-cbc, or aes-256-cbc algorithms.\n\n[edit]\nset security ipsec proposal encryption-algorithm aes-256-cbc"},{"id":"e546155d-f415-4e72-9169-178272a06c5f","vulnId":"V-66617","severity":"high","ruleTitle":"The Juniper SRX Services Gateway VPN must use AES encryption for the Internet Key Exchange (IKE) proposal to protect the confidentiality of remote access sessions.","description":"$1f","checkContent":"Verify all IKE proposals are set to use the AES encryption algorithm.\n\n[edit]\nshow security ike\n\nView the value of the encryption algorithm for each defined proposal.\n\nIf the value of the encryption algorithm for any IKE proposal is not set to use an AES algorithm, this is a finding.","fixText":"The following example commands configure the IKE (phase 1) proposals. The option may also be configured to use the aes-128-cbc, aes-192-cbc, or aes-256-cbc algorithms.\n\n[edit]\nset security ike proposal encryption-algorithm aes-256-cbc"},{"id":"2d0695ed-5d00-4f28-b66c-2afb714e25cf","vulnId":"V-66619","severity":"high","ruleTitle":"The Juniper SRX Services Gateway VPN must use Internet Key Exchange (IKE) for IPsec VPN Security Associations (SAs).","description":"$20","checkContent":"Verify the IKE protocol is specified for all IPsec VPNs.\n\n[edit]\nshow security ipsec vpn \n\nIf the IKE protocol is not specified as an option on all VPN gateways, this is a finding.","fixText":"The following example commands configure an IPsec VPN to use the IKE gateway information.\n\n[edit]\nset security ipsec vpn ike gateway "},{"id":"b1df3a7b-ba11-4193-9226-e3e65553fa18","vulnId":"V-66621","severity":"high","ruleTitle":"The Juniper SRX Services Gateway VPN must not accept certificates that have been revoked when using PKI for authentication.","description":"Situations may arise in which the certificate issued by a Certificate Authority (CA) may need to be revoked before the lifetime of the certificate expires. For example, the certificate is known to have been compromised. \n\nTo achieve this, a list of certificates that have been revoked, known as a Certificate Revocation List (CRL), is sent periodically from the CA to the IPsec gateway. When an incoming Internet Key Exchange (IKE) session is initiated for a remote client or peer whose certificate is revoked, the CRL will be checked to see if the certificate is valid; if the certificate is revoked, IKE will fail and an IPsec security association will not be established for the remote endpoint.","checkContent":"Examine the CA trust point defined on the VPN gateway to determine if it references a CRL and that revocation check has been enabled. An alternate mechanism for checking the validity of a certificate is the use of the Online Certificate Status Protocol (OCSP). Unlike CRLs, which provide only periodic certificate status checks, OCSP can provide timely information regarding the status of a certificate.\n\nIf revoked certificates are accepted for PKI authentication, this is a finding.","fixText":"Configure the CA trust point to enable certificate revocation check by referencing a CRL or via OCSP."},{"id":"140c1ff4-828e-48a9-b4d0-1205e8480150","vulnId":"V-66623","severity":"high","ruleTitle":"The Juniper SRX Services Gateway VPN must use multifactor authentication (e.g., DoD PKI) for network access to non-privileged accounts.","description":"To assure accountability and prevent unauthenticated access, non-privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system. \n\nMultifactor authentication uses two or more factors to achieve authentication. Use of password for user remote access for non-privileged account is not authorized.\n\nFactors include:\n(i) Something you know (e.g., password/PIN); \n(ii) Something you have (e.g., cryptographic identification device, token); or \n(iii) Something you are (e.g., biometric). \n\nA non-privileged account is any information system account with authorizations of a non-privileged user. \n\nNetwork access is any access to an application by a user (or process acting on behalf of a user) where said access is obtained through a network connection.\n\nThe DoD CAC with DoD-approved PKI is an example of multifactor authentication.","checkContent":"Ask the site to identify the VPN access profile. Verify the access profile uses LDAP, not password configuration, for user remote access to the network. Ask the site if the LDAP server used authenticates users through PKI authentication.\n\n[edit]\nshow security access profile \n\nIf an access profile that uses LDAP is not configured as the first option in the authentication order, this is a finding.\n\nIf password access is configured for VPN user access, this is a finding.\n\nIf the LDAP server used does not use PKI authentication, this is a finding.","fixText":"$21"},{"id":"8dca1d29-a0ac-4a9f-bfe9-d238c8e19c6b","vulnId":"V-66625","severity":"high","ruleTitle":"The Juniper SRX Services Gateway VPN Internet Key Exchange (IKE) must use cryptography that is compliant with Suite B parameters when transporting classified traffic across an unclassified network.","description":"$22","checkContent":"Ask the site representative which proposal implements Suite B.\n\n[edit]\nshow security ike \n\nView the configured options.\n\nIf the value of the authentication-method and other options are not set for Suite B compliance, this is a finding.","fixText":"The following example commands configure the IKE (phase 1) Suite B proposal. Note that SRX must have Junos 12.1X46 or later to support SuiteB. \n\n[edit]\nset security ike proposal suiteb-proposal\nset ike proposal suiteb-proposal authentication-method ecdsa-signatures-384\nset ike proposal suiteb-proposal dh-group group20\nset ike proposal suiteb-proposal authentication-algorithm sha-384\nset ike proposal suiteb-proposal encryption-algorithm aes-256-cbc"},{"id":"823fd2a9-9caf-4e56-9951-ba81970933fd","vulnId":"V-66629","severity":"medium","ruleTitle":"The Juniper SRX Services Gateway VPN must limit the number of concurrent sessions for user accounts to one (1) and administrative accounts to three (3), or set to an organization-defined number.","description":"Network element management includes the ability to control the number of users and user sessions that utilize a network element. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to DoS attacks.\n\nThis requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system.\n\nThe intent of this policy is to ensure the number of concurrent sessions is deliberately set to a number based on the site's mission and not left unlimited.","checkContent":"Verify the VPN Internet Key Exchange (IKE) gateway limits concurrent sessions.\n\n[edit]\nshow security ike\n\nView the value for the connections-limit.\n\nIf the VPN IKE gateway does not limit the number of concurrent sessions for user accounts to one (1) and administrative accounts to three (3), or is set to an organization-defined number, this is a finding.","fixText":"Configure the VPN IKE gateway to limit concurrent sessions. The following is an example.\n\n[edit]\nset security ike gateway dynamic connections-limit 1\n\n[edit]\nset security ike gateway dynamic connections-limit 3"},{"id":"d748b4eb-3c1d-4ef6-92c4-1ab672e53ea2","vulnId":"V-66631","severity":"medium","ruleTitle":"The Juniper SRX Services Gateway VPN must renegotiate the security association after 8 hours or less.","description":"The IPsec SA and its corresponding key will expire either after the number of seconds or amount of traffic volume has exceeded the configured limit. A new SA is negotiated before the lifetime threshold of the existing SA is reached to ensure that a new SA is ready for use when the old one expires. The longer the lifetime of the IPsec SA, the longer the lifetime of the session key used to protect IP traffic. The SA is less secure with a longer lifetime because an attacker has a greater opportunity to collect traffic encrypted by the same key and subject it to cryptanalysis. However, a shorter lifetime causes IPsec peers to renegotiate Phase II more often resulting in the expenditure of additional resources. \n\nFor the Juniper SRX, specify the lifetime (in seconds) of an Internet Key Exchange (IKE) security association (SA). When the SA expires, it is replaced by a new SA, the security parameter index (SPI), or terminated if the peer cannot be contacted for renegotiation.","checkContent":"Review all IPsec security associations configured globally or within IPsec profiles on the VPN gateway and examine the configured idle time. The default is 3600.\n\n[edit]\nshow security ipsec proposal\n\nView the value of the lifetime-seconds option.\n\nIf the IPsec proposal lifetime-seconds are not renegotiated after 8 hours or less of idle time, this is a finding.\n\nIf the IPsec proposal lifetime-seconds is not configured, this is a finding.","fixText":"Set the lifetime (in seconds) of the IPsec proposal to 8 hours or less. \n\nExample:\n\n[edit]\nset security ipsec proposal lifetime-seconds 28800"},{"id":"a0b6e976-98de-419a-b438-e521faad0122","vulnId":"V-66641","severity":"high","ruleTitle":"The Juniper SRX Services Gateway VPN must configure Internet Key Exchange (IKE) with SHA1 or greater to protect the authenticity of communications sessions.","description":"Authenticity protection provides protection against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions.\n\nThis requirement focuses on communications protection for the application session rather than for the network packet and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. Depending on the required degree of confidentiality and integrity, web services/SOA will require the use of mutual authentication (two-way/bidirectional).\n\nAn IPsec Security Associations (SA) is established using either IKE or manual configuration.","checkContent":"View all IKE proposals using in the VPN configuration.\n\n[edit]\nshow security ike proposal\n\nIf the authentication algorithm in all IKE proposals is not set to SHA1 or higher, this is a finding.","fixText":"Include the SHA1 or higher authentication algorithm in the IKE proposal. The following is an example command.\n\n[edit]\nset security ike proposal authentication-algorithm sha-256"},{"id":"60d4a358-75ef-4d3c-b8fe-750d889c3965","vulnId":"V-66643","severity":"medium","ruleTitle":"The Juniper SRX Services Gateway VPN must renegotiate the security association after 24 hours or less.","description":"When a VPN gateway creates an IPsec Security Association (SA), resources must be allocated to maintain the SA. These resources are wasted during periods of IPsec endpoint inactivity, which could result in the gateway’s inability to create new SAs for other endpoints, thereby preventing new sessions from connecting. The Internet Key Exchange (IKE) idle timeout may also be set to allow SAs associated with inactive endpoints to be deleted before the SA lifetime has expired, although this setting is not recommended at this time. The value of one hour or less is a common best practice.","checkContent":"Review all IPsec security associations configured globally or within IPsec profiles on the VPN gateway and examine the configured idle time. The idle time value must be one hour or less. If idle time is not configured, determine the default used by the gateway. The default value is 28800 seconds.\n\n[edit]\nshow security ike proposal\n\nView the value of the lifetime-seconds option.\n\nIf the IKE security associations are not renegotiated after 24 hours or less of idle time, this is a finding.\n\nIf the IKE proposal lifetime-seconds is not configured, this is not a finding.","fixText":"Specify the lifetime (in seconds) of an IKE security association (SA). When the SA expires, it is replaced by a new SA, the security parameter index (SPI), or terminated if the peer cannot be contacted for renegotiation.\n\nExample:\n\n[edit]\nset security ike proposal lifetime-seconds 86400"},{"id":"81305988-5f5e-46d1-9987-855fddbad6dd","vulnId":"V-66645","severity":"medium","ruleTitle":"The Juniper SRX Services Gateway VPN device also fulfills the role of IDPS in the architecture, the device must inspect the VPN traffic in compliance with DoD IDPS requirements.","description":"Remote access devices, such as those providing remote access to network devices and information systems, which lack automated, capabilities increase risk and makes remote user access management difficult at best.\n\nRemote access is access to DoD non-public information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. \n\nAutomated monitoring of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote access capabilities, from a variety of information system components (e.g., servers, workstations, notebook computers, smart phones, and tablets).","checkContent":"Obtain documentation from the site representative that the Juniper SRX is configured in compliance with the Juniper SRX Services Gateway IDPS STIG.\n\nIf the device has not been configured to comply with DoD IDPS requirements, this is a finding.","fixText":"Perform a security review using the Juniper SRX Services Gateway IDPS STIG."},{"id":"f8bc2dc7-dd66-420a-a64d-e9feeeb29e5f","vulnId":"V-66647","severity":"medium","ruleTitle":"The Juniper SRX Services Gateway VPN must implement a FIPS-140-2 validated Diffie-Hellman (DH) group.","description":" Use of an approved DH algorithm ensures the Internet Key Exchange (IKE) (phase 1) proposal uses FIPS-validated key management techniques and processes in the production, storage, and control of private/secret cryptographic keys. The security of the DH key exchange is based on the difficulty of solving the discrete logarithm in which the key was derived from. Hence, the larger the modulus, the more secure the generated key is considered to be.","checkContent":"Verify all IKE proposals are set to use a FIPS-validated dh-group.\n\n[edit]\nshow security ike \n\nView the IKE options dh-group option.\n\nIf the IKE option is not set to a FIPS-140-2 validated dh-group, this is a finding.","fixText":"The following command is an example of how to configure the IKE (phase 1) proposals. The following groups are allowed for use in DoD: \nDH Groups 14 (2048-bit MODP) \n- 19 (256-bit Random ECP), 20 (384-bit Random ECP), 5 (1536-bit MODP), 24 (2048-bit MODP with 256-bit POS).\n\nExample:\n[edit]\nset security ike proposal dh-group group14"},{"id":"faf58069-09b2-4d74-bed8-725d8487d8f0","vulnId":"V-66649","severity":"medium","ruleTitle":"The Juniper SRX Services Gateway VPN must be configured to use IPsec with SHA1 or greater to negotiate hashing to protect the integrity of remote access sessions.","description":"Without strong cryptographic integrity protections, information can be altered by unauthorized users without detection. \n\nRemote access VPN provides access to DoD non-public information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network.","checkContent":"Verify all IPSec proposals are set to use the sha-256 hashing algorithm.\n\n[edit]\nshow security ipsec proposal \n\nView the value of the encryption algorithm for each defined proposal.\n\nIf the value of the encryption algorithm option for all defined proposals is not set to use SHA1 or greater, this is a finding.","fixText":"The following example commands configure the IPSec proposal.\n\nset security ipsec proposal authentication-algorithm "},{"id":"83423aab-f57d-49ae-9129-c82780c9789e","vulnId":"V-66651","severity":"medium","ruleTitle":"The Juniper SRX Services Gateway VPN must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.","description":"$23","checkContent":"Verify an IPsec policy is configured and used to control the VPN information flow.\n\n[edit]\nshow security ipsec\n\nInspect the security policy.\n\nIf VPN traffic is not configured and controlled using an IPsec policy, this is a finding.","fixText":"$24"},{"id":"2392ff14-2e6c-4b64-ad27-979d092baffd","vulnId":"V-66653","severity":"medium","ruleTitle":"If IDPS inspection is performed separately from the Juniper SRX Services Gateway VPN device, the VPN must route sessions to an IDPS for inspection.","description":"Remote access devices, such as those providing remote access to network devices and information systems, which lack automated, capabilities increase risk and makes remote user access management difficult at best.\n\nRemote access is access to DoD non-public information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. \n\nAutomated monitoring of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote access capabilities, from a variety of information system components (e.g., servers, workstations, notebook computers, smart phones, and tablets).","checkContent":"Verify a security zone is configured for the VPN Internet Key Exchange (IKE) service.\n\n[edit]\nshow security zones\n\nIf a security zone is not configured for the IKE traffic, this is a finding.","fixText":"Allow IKE as a host-inbound service within the security zone associated with the IKE gateway’s external interface configuration. Assuming the use of ge-0/0/0, which is associated with the “untrust” zone, the following is an example of zone configuration.\n\n[edit]\nset security zones security-zone untrust host-inbound-traffic system-services ike"},{"id":"3c578806-c070-43d5-a2e5-e00ac5394db5","vulnId":"V-66655","severity":"medium","ruleTitle":"The Juniper SRX Services Gateway VPN must specify Perfect Forward Secrecy (PFS).","description":"$25","checkContent":"Examine all IPsec profiles to verify PFS is enabled.\n\n[edit]\nshow security ipsec policy\n\nIf PFS is not configured, this is a finding.","fixText":"Configure the VPN gateway to ensure PFS is enabled. The following commands configure an IPsec policy, enabling PFS using Diffie-Hellman group 14 and associates the IPsec proposal configured in the previous example.\n\n[edit]\nset security ipsec policy perfect-forward-secrecy keys group14\nset security ipsec policy proposals "},{"id":"f3e1778f-c1b0-496a-9ef3-c5cda2f33672","vulnId":"V-66657","severity":"medium","ruleTitle":"The Juniper SRX Services Gateway VPN must use Encapsulating Security Payload (ESP) in tunnel mode.","description":"ESP provides confidentiality, data origin authentication, integrity, and anti-replay services within the IPsec suite of protocols. ESP in tunnel mode ensures a secure path for communications for site-to-site VPNs and gateway to endpoints, including header information.\n\nESP can be deployed in either transport or tunnel mode. Transport mode is used to create a secured session between two hosts. It can also be used when two hosts simply want to authenticate each IP packet with IPsec authentication header (AH). With ESP transport mode, only the payload (transport layer) is encrypted, whereas with tunnel mode, the entire IP packet is encrypted and encapsulated with a new IP header. Tunnel mode is used to encrypt traffic between secure IPsec gateways or between an IPsec gateway and an end-station running IPsec software. Hence, it is the only method to provide a secured path to transport traffic between remote sites or end-stations and the central site.","checkContent":"Review all IPsec profiles and zones to verify ESP tunnel mode has been specified.\n\n[edit]\nshow security ipsec proposal\nshow security zones security-zone untrust\n\nIf all IPsec proposals are not configured for the ESP protocol, this is a finding.\n\nIf an Internet Key Exchange (IKE) is not bound to an external host-inbound service to direct all inbound VPN traffic to the VPN interface configured for IKE, this is a finding.","fixText":"Configure Phase 2 for ESP and allow IKE as a host-inbound service within the security zone associated with the IKE gateway’s external interface configuration. Any traffic that you wish to encrypt is routed to this tunnel interface.\n\nExample:\n\n[edit\nset security ipsec proposal IPSEC-PROPOSAL protocol esp\n\nAssumes the external interface is associated with the “untrust” zone.\n\n[edit]\nset security ike gateway external-interface \nset security zones security-zone untrust host-inbound-traffic system-services ike"},{"id":"5005a6c3-e8a2-4911-a48f-187acc29777b","vulnId":"V-66659","severity":"medium","ruleTitle":"The Juniper SRX Services Gateway must disable or remove unnecessary network services and functions that are not used as part of its role in the architecture.","description":"$26","checkContent":"Review the documentation and architecture for the device.\n\n \nshow system license\n\nIf unneeded services and functions are installed on the device, but are not part of the documented role of the device, this is a finding.","fixText":"Remove unnecessary services and functions. From operational mode, display the licenses available to be deleted and enter the following commands.\n\nrequest system license delete license-identifier-list ?\n\nrequest system license delete \n\nNote: Only remove unauthorized services. This control is not intended to restrict the use of Juniper SRX devices with multiple authorized roles."},{"id":"25052526-384f-4c26-a360-1403363807e2","vulnId":"V-66661","severity":"medium","ruleTitle":"The Juniper SRX Services Gateway VPN must use IKEv2 for IPsec VPN security associations.","description":"Use of IKEv2 leverages DoS protections because of improved bandwidth management and leverages more secure encryption algorithms.","checkContent":"Verify only IKEv2 is used for the IKE security configuration on all configured gateways. Use of IKEv1 mitigates the risk to a CAT III finding.\n\nShow security ike gateway \n\nIf IKEv2 is not used for IKE associations, this is a finding.","fixText":"For site-to-site VPNs, configure the Juniper SRX to use IKEv2 only.\n\n[edit]\nset security ike gateway address \nset security ike gateway version v2-only"},{"id":"3def6414-b741-4d9f-8556-d13ec5954e5e","vulnId":"V-66663","severity":"medium","ruleTitle":"The Juniper SRX Services Gateway VPN must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.","description":"$27","checkContent":"Entering the following commands from the configuration level of the hierarchy.\n\n[edit]\nshow security services\n\nIf functions, ports, protocols, and services identified on the PPSM CAL are not disabled, this is a finding.","fixText":"Ensure functions, ports, protocols, and services identified on the PPSM CAL are not used for system services configuration.\n\n[edit]\nshow security services\n\nCompare the services that are enabled, including the port, services, protocols, and functions.\n\nConsult the Juniper knowledge base and configuration guides to determine the commands for disabling each port, protocols, services, or functions that is not in compliance with the PPSM CAL and vulnerability assessments."},{"id":"dd62b3fe-5f7b-458f-9fe8-2db4c9b70f40","vulnId":"V-66665","severity":"medium","ruleTitle":"The Juniper SRX Services Gateway VPN must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).","description":"$28","checkContent":"Ask the site to identify the VPN access profile. Verify the access profile uses LDAP, not password configuration, for user remote access to the network. Ask the site representative if group accounts are allowed or configured.\n\n[edit]\nshow security access profile \n\nIf an access profile that uses LDAP is not configured as the first option in the authentication order, this is a finding.\n\nIf group accounts are allowed for VPN logon, this is a finding.","fixText":"$29"},{"id":"976e2a76-2276-4b50-aa69-0a821607aa37","vulnId":"V-66667","severity":"medium","ruleTitle":"The Juniper SRX Services Gateway VPN must use FIPS 140-2 compliant mechanisms for authentication to a cryptographic module.","description":"Unapproved mechanisms that are used for authentication to the cryptographic module are not verified, and therefore cannot be relied upon to provide confidentiality or integrity and DoD data may be compromised.\n\nNetwork elements utilizing encryption are required to use FIPS compliant mechanisms for authenticating to cryptographic modules.\n\nFIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements.","checkContent":"Verify IPsec is defined and configured using FIPS-complaint protocols.\n\n[edit]\nshow security ipsec vpn\n\nIf the IPSEC policy and VP are not configured to use FIPS 140-2 compliant mechanisms for authentication to a cryptographic module, this is a finding.","fixText":"After configuring the Internet Key Exchange (IKE) gateway and IPsec policy, the following commands configure an IPsec policy, enabling Perfect Forward Secrecy (PFS) using Diffie-Hellman group\n14 and associating the IPsec proposal configured in the previous example.\n\nset security ipsec policy IPSEC-POLICY perfect-forward-secrecy keys group14\nset security ipsec policy IPSEC-POLICY proposals IPSEC-PROPOSAL\n\nThe following commands define an IPsec VPN using a secure tunnel interface, specifying the IKE gateway information, IPsec policy, and tunnel establishment policy. Alternatively, administrators can configure on-traffic tunnel establishment.\n\n[edit]\nset security ipsec vpn VPN bind-interface st0.0\nset security ipsec vpn VPN ike gateway IKE-PEER\nset security ipsec vpn VPN ike ipsec-policy IPSEC-POLICY\nset security ipsec vpn VPN establish-tunnels immediately"},{"id":"d84c8ff2-a650-49b8-9c1a-932358273aa0","vulnId":"V-66669","severity":"medium","ruleTitle":"The Juniper SRX Services Gateway VPN must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).","description":"Lack of authentication and identification enables non-organizational users to gain access to the network or possibly a network element that provides opportunity for intruders to compromise resources within the network infrastructure. \n\nThis requirement only applies to components where this is specific to the function of the device or has the concept of a non-organizational user.","checkContent":"Verify that groups are not used for authentication.\n\n[edit]\nshow security access profile \n\nIf LDAP is not configured as the first authentication-order, this is a finding.","fixText":"$2a"},{"id":"382db9e3-1888-4e14-969d-f8752cb39c20","vulnId":"V-66671","severity":"medium","ruleTitle":"The Juniper SRX Services Gateway VPN IKE must use NIST FIPS-validated cryptography to implement encryption services for unclassified VPN traffic.","description":"Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The network element must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.","checkContent":"Verify all Internet Key Exchange (IKE) proposals are set to use the AES encryption algorithm.\n\n[edit]\nshow security ike\n\nView the value of the encryption algorithm for each defined proposal.\n\nIf the value of the authentication method and other options are not set to use FIPS-compliant values, this is a finding.","fixText":"The following example commands configure the IKE (phase 1) proposal.\n\n[edit]\nset security ike proposal authentication-method rsa-signatures\nset security ike proposal p1-proposal dh-group group14\nset security ike proposal p1-proposal authentication-algorithm sha-256\nset security ike proposal p1-proposal encryption-algorithm aes-256-cbc\nset security ike proposal p1-proposal lifetime-seconds 86400"},{"id":"4cf4e3b0-3fac-40bf-81f2-0f4c9ec483cb","vulnId":"V-66673","severity":"medium","ruleTitle":"The Juniper SRX Services Gateway VPN must only allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions.","description":"Untrusted certificate authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DoD-approved CA, trust of this CA has not been established.\n\nThe DoD will only accept PKI certificates obtained from a DoD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of Internet Key Exchange (IKE) authentication certificates. \n\nThis requirement focuses on communications protection for the application session rather than for the network packet. Network elements that perform these functions must be able to identify which session identifiers were generated when the sessions were established.","checkContent":"Verify the all IKE proposals are set to use the AES encryption algorithm.\n\n[edit]\nshow security ike\n\nView the value of the authentication-method for each defined proposal.\n\nIf the value of the authentication-method for each defined proposal is not set to use AES, this is a finding.","fixText":"The following example commands configure the IKE (phase 1) proposals. Use certificates instead of pre-shared keys to establish the IKE phase 1 tunnel. \n\nThis proposal requires AES 256-bit encryption\n\nset security ike proposal p1-proposal authentication-method rsa-signatures"},{"id":"e3163b97-9531-46b6-8c30-401549008301","vulnId":"V-66675","severity":"medium","ruleTitle":"The Juniper SRX Services Gateway VPN must only allow incoming VPN communications from organization-defined authorized sources routed to organization-defined authorized destinations.","description":"Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources.\n\nAccess control policies and access control lists implemented on devices, such as firewalls, that control the flow of network traffic, ensure the flow of traffic is only allowed from authorized sources to authorized destinations. Networks with different levels of trust (e.g., the Internet) must be kept separated.","checkContent":"Request documentation of the Juniper SRX configuration drawings to determine which ports are configured for external/outbound traffic. Verify outbound interfaces have been configured with DoS screens.\n\n[edit]\nshow security zones \n\nIf the VPN zone(s) is configured to allow unauthorized/untrusted traffic to unauthorized zones, this is a finding.","fixText":"The SRX device will route traffic over the IPsec VPN’s secure tunnel interface if there is a route with the next-hop specified as the secure tunnel interface. The following example commands configure an IPv4 and IPv6 static route for their respective secure tunnels.\n\nset routing-options static route next-hop st0.0\nset routing-options rib inet6.0 static route next-hop st0.1\nset security policies from-zone untrust to-zone trust policy group-sec-policy then permit tunnel ipsec-vpn groupvpn\n\nNote: For the SRX device to transmit traffic over the IPsec tunnel, you must configure the secure tunnel interface (st0 in this case), associate it with a security zone, and create a static route entry for the remote network’s address space."},{"id":"c97ec67c-544b-46aa-8d91-27b6daad3ad8","vulnId":"V-66677","severity":"medium","ruleTitle":"The Juniper SRX Services Gateway VPN must disable split-tunneling for remote clients VPNs.","description":"Split tunneling would in effect allow unauthorized external connections, making the system more vulnerable to attack and to exfiltration of organizational information.\n\nA VPN hardware or software client with split tunneling enabled provides an unsecured backdoor to the enclave from the Internet. With split tunneling enabled, a remote client has access to the Internet while at the same time has established a secured path to the enclave via an IPsec tunnel. A remote client connected to the Internet that has been compromised by an attacker in the Internet, provides an attack base to the enclave’s private network via the IPsec tunnel. Hence, it is imperative that the VPN gateway enforces a no split-tunneling policy to all remote clients.\n\nTraffic to the protected resource will go through the specified dynamic VPN tunnel and will therefore be protected by the Juniper SRX firewall’s security policies.","checkContent":"Verify split-tunneling is disabled.\n\n[edit]\nshow security dynamic-vpn access-profile \n\nIf split-tunneling is not disabled, this is a finding.","fixText":"Configure the VPN tunnel to control what is sent out in clear text. The “remote-protected-resources” command defines what is routed through the tunnel. The “remote-exceptions” command defines what traffic is sent out in clear text. The following is an example.\n\n[edit]\nset security dynamic-vpn access-profile \nset security dynamic-vpn clients all ipsec-vpn \nset security dynamic-vpn clients all remote-protected-resources \nset security dynamic-vpn clients all remote-exceptions 0.0.0.0/0"},{"id":"0fbd7f8a-cf93-4b9a-a82a-03adf89b4f5b","vulnId":"V-66679","severity":"medium","ruleTitle":"The Juniper SRX Services Gateway VPN must use anti-replay mechanisms for security associations.","description":"Anti-replay is an IPsec security mechanism at a packet level which helps to avoid unwanted users from intercepting and modifying an ESP packet.\n\nThe SRX adds a sequence number to the ESP encapsulation which is verified by the VPN peer so packets are received within a correct sequence. This will cause issues if packets are not received in the order in which they were sent out.\n\nBy default the SRX has a replay window of 64 or 32, depending on the platform. The SRX drops packets received out of order that are not received within this window. However, this default may be overridden by setting the option no-anti-replay as follows: set security vpn name ike no-anti-replay.","checkContent":"Verify anti-replay service is enabled.\n\n[edit]\nshow security ipsec security-associations index 16384 detail\n\nIf anti-replay service is not enabled, this is a finding.","fixText":"Remove the no-anti-replay Internet Key Exchange (IKE) option from the VPN configuration. By default the SRX has a replay window of 64 or 32, depending on the platform. \n\nExample: \n[edit]\ndelete security vpn name ike no-anti-replay"},{"id":"18c3e375-4a69-4ebc-b99e-ed3e39a51436","vulnId":"V-66681","severity":"low","ruleTitle":"The Juniper SRX Services Gateway VPN must terminate all network connections associated with a communications session at the end of the session.","description":"Idle TCP sessions can be susceptible to unauthorized access and hijacking attacks. By default, routers do not continually test whether a previously connected TCP endpoint is still reachable. If one end of a TCP connection idles out or terminates abnormally, the opposite end of the connection may still believe the session is available. These “orphaned” sessions use up valuable router resources and can also be hijacked by an attacker. To mitigate this risk, routers must be configured to send periodic keep alive messages to check that the remote end of a session is still connected. If the remote device fails to respond to the TCP keep alive message, the sending router will clear the connection and free resources allocated to the session.\n\nThe TCP keep-alive for remote access is implemented in the Juniper SRX Firewall STIG.","checkContent":"Ask the site representative which proposal implements Suite B.\n\n[edit]\nshow security ike gateway \n\nView the configured options.\n\nIf the dead-peer-detection is configured, this is a finding.","fixText":"For site-to-site VPN, configure an Internet Key Exchange (IKE) gateway that includes dead-peer-detection parameters such as in the following example.\n\nset security ike gateway IKE-PEER ike-policy IKE-POLICY\nset security ike gateway IKE-PEER address \nset security ike gateway IKE-PEER dead-peer-detection always-send\nset security ike gateway IKE-PEER dead-peer-detection interval 10\nset security ike gateway IKE-PEER dead-peer-detection threshold 2\nset security ike gateway IKE-PEER local-identity inet \nset security ike gateway IKE-PEER remote-identity inet \nset security ike gateway IKE-PEER external-interface \nset security ike gateway IKE-PEER version v2-only\n\nFor dynamic (remote access) VPN, the TCP keep-alive for remote access is implemented in the Juniper SRX Firewall STIG."}]}]]}]

Juniper SRX SG VPN Security Technical Implementation Guide

Checks (29)