16:["$","div",null,{"className":"mx-auto max-w-7xl px-6 py-10","children":[["$","div",null,{"className":"mb-2","children":["$","$L2",null,{"href":"/stigs","className":"text-link text-sm hover:underline","children":"← Back to STIGs"}]}],["$","div",null,{"className":"mb-6 flex flex-wrap items-center gap-3","children":[["$","h1",null,{"className":"font-display text-3xl font-bold","children":"Juniper SRX Services Gateway IDPS Security Technical Implementation Guide"}],false,["$","$L20",null,{}]]}],["$","section",null,{"className":"border-border bg-surface mb-8 rounded-lg border p-6","children":[["$","div",null,{"className":"grid grid-cols-2 gap-4 sm:grid-cols-5","children":[["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Version"}],["$","p",null,{"className":"font-semibold","children":["V","2","R","1"]}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Release Date"}],["$","p",null,{"className":"font-semibold","children":"Jun 10, 2024"}]]}],["$","div",null,{"className":"min-w-0","children":[["$","p",null,{"className":"text-text-muted text-xs","children":"SCAP Benchmark ID"}],["$","p",null,{"className":"truncate font-mono text-sm","title":"Juniper_SRX_SG_IDPS_STIG","children":"Juniper_SRX_SG_IDPS_STIG"}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Total Checks"}],["$","p",null,{"className":"font-semibold","children":28}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Tags"}],["$","div",null,{"className":"flex flex-wrap gap-1","children":[["$","span","network",{"className":"bg-tag-bg text-tag-text rounded-full px-2 py-0.5 text-xs","children":"network"}]]}]]}]]}],["$","div",null,{"className":"mt-4 flex gap-4","children":[["$","span",null,{"className":"bg-severity-high-bg text-severity-high-text rounded px-3 py-1 text-sm font-medium","children":["CAT I: ",1]}],["$","span",null,{"className":"bg-severity-medium-bg text-severity-medium-text rounded px-3 py-1 text-sm font-medium","children":["CAT II: ",27]}],["$","span",null,{"className":"bg-severity-low-bg text-severity-low-text rounded px-3 py-1 text-sm font-medium","children":["CAT III: ",0]}]]}],["$","p",null,{"className":"text-text-secondary mt-4 text-sm","children":"This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil."}],["$","div",null,{"className":"mt-4 flex flex-wrap gap-3","children":[["$","a",null,{"href":"/api/export/checklist?stigTitle=Juniper%20SRX%20Services%20Gateway%20IDPS%20Security%20Technical%20Implementation%20Guide&format=ckl","className":"text-text-primary hover:bg-surface-hover border-border rounded border px-3 py-1 text-sm","children":"Export CKL"}],["$","a",null,{"href":"/api/export/checklist?stigTitle=Juniper%20SRX%20Services%20Gateway%20IDPS%20Security%20Technical%20Implementation%20Guide&format=csv","className":"text-text-primary hover:bg-surface-hover border-border rounded border px-3 py-1 text-sm","children":"Export CSV"}],["$","a",null,{"href":"/api/export/checklist?stigTitle=Juniper%20SRX%20Services%20Gateway%20IDPS%20Security%20Technical%20Implementation%20Guide&format=json","className":"text-text-primary hover:bg-surface-hover border-border rounded border px-3 py-1 text-sm","children":"Export JSON"}],["$","a",null,{"href":"https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_SRX_SG_Y25M01_STIG.zip","target":"_blank","rel":"noopener noreferrer","className":"bg-link/10 text-link hover:bg-link/20 border-link/30 rounded border px-3 py-1 text-sm font-medium","children":"Download STIG ZIP"}]]}]]}],["$","$L21",null,{"checks":[{"id":"54cf11a7-e87a-4c06-9e6f-c1b1a2fd44e5","vulnId":"V-214610","severity":"medium","ruleTitle":"The Juniper Networks SRX Series Gateway IDPS must provide audit record generation capability for detecting events based on implementation of policy filters, rules, and signatures.","description":"Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one.\n\nWhile auditing and logging are closely related, they are not the same. Logging is recording data about events that take place in a system, while auditing is the use of log records to identify security-relevant information such as system or user accesses. In short, log records are audited to establish an accurate history. Without logging, it would be impossible to establish an audit trail.\n\nThe Juniper SRX with IDP-enabled policies has the capability to capture and log detected security violations and potential security violations.","checkContent":"To verify that the configuration is working properly, use the following command:\n\n[edit]\nshow security alarms \n\nView the configured alarms to verify at least one option for potential-violation is set to “idp”.\n\nIf a potential-violation alarm is not defined for “idp”, this is a finding.","fixText":"A Routing Engine configuration option allows the enabling and disabling of IDP alarms.\n\nBy default, the IDP attack event triggers the current logs without raising any alarms. When the option is set and the system is configured appropriately, the IDP logs on the Packet Forwarding Engine will be forwarded to Routing Engine, which then parses the IDP attack logs and raises IDP alarms as necessary.\n\nTo enable an IDP alarm, use the set security alarms potential-violation idp command.\n\nTo turn on logging, you must first turn on notification to log attacks:\nset security idp idp-policy recommended rulebase-ips rule-1 then notification log-attacks\n\nConfigure Syslog (adding to the firewall stanza).\nsyslog {\n file IDP_Log {\n any any;\n match RT_IDP;"},{"id":"9e2ebbdf-12dd-485e-ae51-15447bc7deb7","vulnId":"V-214611","severity":"medium","ruleTitle":"The Juniper Networks SRX Series Gateway IDPS must enforce approved authorizations by restricting or blocking the flow of harmful or suspicious communications traffic within the network as defined in the PPSM CAL and vulnerability assessments.","description":"$22","checkContent":"Review the list of authorized Junos applications, endpoints, services, and protocols that are installed on the PPSM CAL.\n\nUse the following command to show the IDP-specific policies:\n\n[edit]\nshow security idp\n\nNext, use the show security policies command to display a summary of all the security policies.\n\n[edit]\nshow security policies\n\nNote: Also inspect the organization's central events log server (e.g., syslog server) for Deny events that match the restrictions in the PPSM CAL.\n\nIf security policies do not exist to block or restrict communications traffic that is identified as harmful or suspicious by the PPSM and vulnerability assessment, this is a finding.","fixText":"Specify an active IDP policy prior to enabling IDP within a security policy. To configure the active IDP policy, execute the following command in configuration mode:\n\n[edit]\nset security idp active-policy \n\nConfigure Security Policies for IDP inspection. Once the IDP policy is configured, IDP must be enabled on a security policy in order for IDP inspection to be performed. IDP inspection will only be performed on the traffic matching the security policies where IDP is enabled.\n\nTo enable IDP on a security policy, enter the following command:\n\n[edit]\nset security policies from-zone to-zone policy then permit application-services idp"},{"id":"303136d5-49df-4855-bbfd-ae510b26a47a","vulnId":"V-214612","severity":"medium","ruleTitle":"The Juniper Networks SRX Series Gateway IDPS must restrict or block harmful or suspicious communications traffic between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.","description":"$23","checkContent":"Verify custom rules exist to drop packets or terminate sessions upon detection of malicious code.\n\n[edit]\nshow security idp policy\n\nView the rulebase action option for the IDP policies. View the action options of the zone configurations with the IDP option.\n\nIf rulebases in active policies are configured for No-Action or Ignore when harmful or suspicious content is detected by signatures, rules, or policies, this is a finding.","fixText":"Specify an active IDP policy prior to enabling IDP within a security policy. To configure the active IDP policy, execute the following command in configuration mode:\n\n[edit]\nset security idp active-policy \n\nConfigure Security Policies for IDP inspection. Once the IDP policy is configured, IDP must be enabled on a security policy in order for IDP inspection to be performed. IDP inspection will only be performed on the traffic matching the security policies where IDP is enabled.\n\nTo enable IDP on a security policy, enter the following command:\n\n[edit]\nset security policies from-zone to-zone policy then permit application-services idp"},{"id":"0b8a17ed-3cba-4c31-a13e-3d7327e050f4","vulnId":"V-214613","severity":"medium","ruleTitle":"The Juniper Networks SRX Series Gateway IDPS must provide audit record generation with a configurable severity and escalation level capability.","description":"Without the capability to generate audit records with a severity code it is difficult to track and handle detection events.\n\nWhile auditing and logging are closely related, they are not the same. Logging is recording data about events that take place in a system, while auditing is the use of log records to identify security-relevant information such as system or user accesses. In short, log records are audited to establish an accurate history. Without logging, it would be impossible to establish an audit trail.\n\nThe IDPS must have the capability to collect and log the severity associated with the policy, rule, or signature. IDPS products often have either pre-configured and/or a configurable method for associating an impact indicator or severity code with signatures and rules, at a minimum.","checkContent":"Use the following command to view the IDP rules:\n\n[edit]\nshow security idp status\n\nThe IDP traffic log can also be inspected to verify that IDP detection events contain a severity level in the log record.\n\nIf active IDP rules exist that do not include a severity level, this is a finding.","fixText":"Example configuration to set the severity level on the IDP rules:\n\nDefine an attack as match criteria.\n[edit security idp idp-policy base-policy rulebase-ips rule R1]\nset match attacks predefined-attack-groups \"TELNET-Critical\"\n\nSpecify an action for the rule.\n[edit security idp idp-policy base-policy rulebase-ips rule R1]\nset then action drop-connection\n\nSpecify notification and logging options for the rule.\n[edit security idp idp-policy base-policy rulebase-ips rule R1]\nset then notification log-attacks alert\n\nSet the severity level for the rule.\n\n[edit security idp idp-policy base-policy rulebase-ips rule R1] \n\nset then severity critical"},{"id":"e1720a77-ef28-4396-a61c-b519e1b1d3b6","vulnId":"V-214614","severity":"medium","ruleTitle":"The Juniper Networks SRX Series Gateway IDPS must block outbound traffic containing known and unknown DoS attacks by ensuring that rules are applied to outbound communications traffic.","description":"$24","checkContent":"Determine the names of the IDP policies by asking the site representative. From operational mode, enter the following command to verify outbound zones are configured with an IDP policy. \n\nshow security policies\n\nIf zones bound to the outbound interfaces, including VPN zones, are not configured with an IDP policy, this is a finding.","fixText":"To enable IDP services on outbound traffic on the device, first create a security policy for the traffic flowing in one direction, then specify the action to be taken on traffic that matches conditions specified in the policy.\n\n[edit security policies from-zone to-zone policy idp-app-policy-1]\nset match source-address any destination-address any application any\n\n[edit security policies from-zone to-zone untrusted-zone-name> policy ]\nset then permit application-services idp"},{"id":"9de8cb7e-c822-4a8e-9cd3-3ae6d9975916","vulnId":"V-214615","severity":"medium","ruleTitle":"The Juniper Networks SRX Series Gateway IDPS must block outbound traffic containing known and unknown DoS attacks by ensuring that signature-based objects are applied to outbound communications traffic.","description":"The IDPS must include protection against DoS attacks that originate from inside the enclave which can affect either internal or external systems. These attacks may use legitimate or rogue endpoints from inside the enclave. \n\nTo perform signature-based attacks on the Juniper SRX IDPS device, create a signature-based attack object.","checkContent":"From operational mode, enter the following command to verify that the signature-based attack object was created: \n\nshow security idp policies\n\nIf signature-based attack objects are not created, bound to a zone, and active, this is a finding.","fixText":"Specify a name for the attack. Specify common properties for the attack. Specify the attack type and context. Specify the attack direction and the shellcode flag. Set the protocol and its fields. Specify the protocol binding and ports. Specify the direction.\n\n[edit]\nedit security idp custom-attack sig1\nset severity major\nset recommended-action drop-packet\nset time-binding scope source count 10\nset attack-type signature context packet\nset attack-type signature \nset attack-type signature protocol ip ttl value 128 match equal\nset attack-type signature protocol-binding tcp minimum-port 50 maximum-port 100\nset attack-type signature direction any"},{"id":"07f4a46c-6106-4258-8a99-5d2a427a44a3","vulnId":"V-214616","severity":"medium","ruleTitle":"The Juniper Networks SRX Series Gateway IDPS must block outbound traffic containing known and unknown DoS attacks by ensuring that anomaly-based attack objects are applied to outbound communications traffic.","description":"The IDPS must include protection against DoS attacks that originate from inside the enclave which can affect either internal or external systems. These attacks may use legitimate or rogue endpoints from inside the enclave. \n\nTo perform anomaly-based attacks on the Juniper SRX IDPS device, create an anomaly-based attack object.","checkContent":"From operational mode, enter the following command to verify that the anomaly-based attack object was created. \n\nshow idp security policies\n\nIf anomaly-based attack objects are not created, bound to a zone, and active, this is a finding.","fixText":"Create a protocol anomaly-based attack object:\n\nSpecify a name for the attack.\n[edit]\nsecurity idp custom-attack anomaly1\n\nSpecify common properties for the attack.\n[edit security idp custom-attack anomaly1]\nset severity info\nset time-binding scope peer count 2\n\nSpecify the attack type and test condition.\n[edit] \nsecurity idp custom-attack anomaly1\nset attack-type anomaly test OPTIONS_UNSUPPORTED\n\nSpecify other properties for the anomaly attack.\n[edit]\nsecurity idp custom-attack anomaly1\nset attack-type anomaly service TCP\nu set attack-type anomaly direction any\nattack-type anomaly shellcode spark"},{"id":"ea501763-c9b1-4d45-98c4-fccc9764eb78","vulnId":"V-214617","severity":"medium","ruleTitle":"The Juniper Networks SRX Series Gateway IDPS must detect, at a minimum, mobile code that is unsigned or exhibiting unusual behavior, has not undergone a risk assessment, or is prohibited for use based on a risk assessment.","description":"$25","checkContent":"From operational mode, enter the following command to verify that the signature-based attack object was created:\n\nshow security idp policies\n\nIf signature-based attack objects are not created and used, this is a finding.","fixText":"Specify a name for the attack. Specify common properties for the attack. Specify the attack type and context. Specify the attack direction and the shellcode flag. Set the protocol and its fields. Specify the protocol binding and ports. Specify the direction.\n\n[edit]\nedit security idp custom-attack \nset severity major\nset recommended-action drop-packet\nset time-binding scope source count 10\nset attack-type signature context packet\nset attack-type signature shellcode intel\nset attack-type signature protocol ip ttl value 128 match equal\nset attack-type signature protocol-binding tcp minimum-port 50 maximum-port 100\nset attack-type signature direction any"},{"id":"b5427006-04c0-40d5-8cd1-db98b12494d5","vulnId":"V-214618","severity":"medium","ruleTitle":"The Juniper Networks SRX Series Gateway IDPS must block any prohibited mobile code at the enclave boundary when it is detected.","description":"$26","checkContent":"From operational mode, enter the following command to verify outbound zones are configured with an IDP policy: \n\nshow security idp policies\n\nIf zones bound to the outbound interfaces, including VPN zones, are not configured with policy filters, rules, signatures, and anomaly analysis, this is a finding.","fixText":"To enable IDP services to drop traffic when there is a detection event on a zone based on the IDP policy:\n\nOnce the IDP policy is configured, IDP must be enabled on a security policy in order for IDP inspection to be performed.\n\nKeep in mind that IDP inspection will only be performed on the traffic matching the security policies where IDP is enabled.\n\nTo enable IDP on a security policy, enter the following command:\n\nset security policies from-zone to-zone policy then permit application-services idp"},{"id":"9ed6602e-db5f-4adc-810d-181155ec4e5a","vulnId":"V-214619","severity":"high","ruleTitle":"The Juniper Networks SRX Series Gateway IDPS must install updates for predefined signature objects, applications signatures, IDPS policy templates, and device software when new releases are available in accordance with organizational configuration management policy and procedures.","description":"$27","checkContent":"To check the version of the security package installed, enter the following command from the root on the device:\n\nshow security idp security-package-version\n\nCompare the installed release with the latest available and approved release.\n\nIf a new release is available and not installed, this is a finding.","fixText":"Since DoD does not allow the management port of security devices to be connected directly to the Internet, the required security package must be uploaded using the Juniper SRX offline process.\n\nDirections are available in the document “How to perform offline IDP and Application signature database update in SRX” on the Juniper Networks support site. DoD network policy requires a local file repository be used to automate the update for network devices.\n\nBefore uploading updates, the IDP administrator must verify the updates are approved by the site's CCB procedures and are authorized for installation. Once all files have been downloaded and approved, install the security package on SRX from root.\n\nRequest security idp security-package install source-path /var/db/idpd/sec-download"},{"id":"684992ab-7ffe-41f4-a9e2-17691b26028f","vulnId":"V-214620","severity":"medium","ruleTitle":"To protect against unauthorized data mining, the Juniper Networks SRX Series Gateway IDPS must prevent code injection attacks launched against data storage objects, including, at a minimum, databases, database records, queries, and fields.","description":"Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to detect attacks that use unauthorized data mining techniques to attack databases may result in the compromise of information.\n\nInjection attacks allow an attacker to inject code into a program or query or inject malware onto a computer to execute remote commands that can read or modify a database, or change data on a website. Web applications frequently access databases to store, retrieve, and update information. An attacker can construct inputs that the database will execute. This is most commonly referred to as a code injection attack. This type of attack includes XPath and LDAP injections. \n\nIDPS component(s) with the capability to prevent code injections must be included in the IDPS implementation to protect against unauthorized data mining. These components must include rules and anomaly detection algorithms to monitor for atypical database queries or accesses.","checkContent":"Verify attack group is configured.\n\n[edit]\nshow security idp policies\n\nIf an attack group or rule(s) is not implemented to block the packets or terminate the session associated with code injection attacks that could be launched against databases, this is a finding.","fixText":"Configure an attack group for \"INJ\" and \"CMDEXEC\" attacks in the signature database which are recommended. Consult the Junos Security Intelligence Center IDP signatures website for a list and details of each attack, along with recommended action upon detection. Then add the attack group to a policy.\n\nSpecify the attack group as match criteria in an IDP policy rule. Specify a match criteria and IDP action to block the IP packet or terminate the connection."},{"id":"f12cdc97-da90-4c1f-9ae3-1103521eeba0","vulnId":"V-214621","severity":"medium","ruleTitle":"To protect against unauthorized data mining, the Juniper Networks SRX Series Gateway IDPS must prevent code injection attacks launched against application objects, including, at a minimum, application URLs and application code.","description":"Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to detect attacks that use unauthorized data mining techniques to attack applications may result in the compromise of information.\n\nInjection attacks allow an attacker to inject code into a program or query or inject malware onto a computer to execute remote commands that can read or modify a database, or change data on a website. These attacks include buffer overrun, XML, JavaScript, and HTML injections.\n\nIDPS component(s) with the capability to prevent code injections must be included in the IDPS implementation to protect against unauthorized data mining. These components must include rules and anomaly detection algorithms to monitor for atypical database queries or accesses.","checkContent":"Verify attack group is configured.\n\n[edit]\nshow security idp policies\n\nIf an attack group or rule(s) is not implemented to block the packets or terminate the session associated with code injection attacks that could be launched against applications, this is a finding.","fixText":"Configure an attack group for \"INJ\" and \"CMDEXEC\" attacks in the signature database which are recommended. Consult the Junos Security Intelligence Center IDP signatures website for a list and details of each attack, along with recommended action upon detection. Then add the attack group to a policy.\n\nSpecify the attack group as match criteria in an IDP policy rule. Specify a match criteria and IDP action to block the IP packet or terminate the connection."},{"id":"2010b089-0bfc-4a55-8942-52b4989ef474","vulnId":"V-214622","severity":"medium","ruleTitle":"To protect against unauthorized data mining, the Juniper Networks SRX Series Gateway IDPS must prevent SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields.","description":"Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to detect attacks that use unauthorized data mining techniques to attack databases may result in the compromise of information.\n\nSQL injection attacks are the most prevalent attacks against web applications and databases. These attacks inject SQL commands that can read, modify, or compromise the meaning of the original SQL query. An attacker can spoof identity; expose, tamper, destroy, or make existing data unavailable; or gain unauthorized privileges on the database server.\n\nIDPS component(s) with the capability to prevent SQL code injections must be included in the IDPS implementation to protect against unauthorized data mining. These components must include rules and anomaly detection algorithms to monitor for SQL injection attacks.","checkContent":"Verify an attack group is configured.\n\n[edit]\nshow security idp policies\n\nIf an attack group or rule(s) is not implemented to block the packets or terminate the session associated with SQL injection attacks that could be launched against data storage objects, this is a finding.","fixText":"Configure an attack group for \"SQL\" attacks in the signature database which are recommended. Consult the Junos Security Intelligence Center IDP signatures website for a list and details of each attack, along with recommended action upon detection. Then add the attack group to a policy.\n\nSpecify the attack group as match criteria in an IDP policy rule. Specify a match criteria and IDP action to block the IP packet or terminate the connection."},{"id":"822cabd8-c1c9-4f43-aaeb-39a0b91e9731","vulnId":"V-214623","severity":"medium","ruleTitle":"To protect against unauthorized data mining, the Juniper Networks SRX Series Gateway IDPS must detect code injection attacks launched against data storage objects, including, at a minimum, databases, database records, queries, and fields.","description":"Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to detect attacks that use unauthorized data mining techniques to attack databases may result in the compromise of information.\n\nInjection attacks allow an attacker to inject code into a program or query or inject malware onto a computer to execute remote commands that can read or modify a database, or change data on a website. Web applications frequently access databases to store, retrieve, and update information. An attacker can construct inputs that the database will execute. This is most commonly referred to as a code injection attack. This type of attack includes XPath and LDAP injections.\n\nIDPS component(s) with anomaly detection must be included in the IDPS implementation to protect against unauthorized data mining. These components must include rules and anomaly detection algorithms to monitor for atypical database queries or accesses.","checkContent":"Verify an attack group is configured.\n\n[edit]\nshow security idp policies\n\nIf an attack group or rule(s) is not implemented to monitor for code injection attacks that could be launched against data storage objects, this is a finding.","fixText":"Configure an attack group for \"INJ\" and \"CMDEXEC\" attacks in the signature database which are recommended. Consult the Junos Security Intelligence Center IDP signatures website for a list and details of each attack, along with recommended action upon detection. Then add the attack group to a policy.\n\nSpecify the attack group as match criteria in an IDP policy rule."},{"id":"2ae426cf-fc96-4bb8-b384-cfb974fad74d","vulnId":"V-214624","severity":"medium","ruleTitle":"To protect against unauthorized data mining, the Juniper Networks SRX Series Gateway IDPS must detect code injection attacks launched against application objects, including, at a minimum, application URLs and application code.","description":"Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to detect attacks that use unauthorized data mining techniques to attack applications may result in the compromise of information.\n\nInjection attacks allow an attacker to inject code into a program or query or inject malware onto a computer to execute remote commands that can read or modify a database, or change data on a website. These attacks include buffer overrun, XML, JavaScript, and HTML injections.\n\nIDPS component(s) with anomaly detection must be included in the IDPS implementation. These components must include rules and anomaly detection algorithms to monitor for atypical application behavior, commands, and accesses.","checkContent":"Verify an attack group or rule is configured.\n\n[edit]\nshow security idp policies\n\nIf an attack group or rule(s) is not implemented to monitor for code injection attacks that could be launched against application objects, this is a finding.","fixText":"Configure an attack group for \"INJ\", \"SQL\", and \"CMDEXEC\" attacks in the signature database which are recommended. Consult the Junos Security Intelligence Center IDP signatures website for a list and details of each attack, along with recommended action upon detection. Then add the attack group to a policy.\n\nSpecify the attack group as match criteria in an IDP policy rule."},{"id":"1442a7a8-37fb-486a-bc3b-9b175bd7d34c","vulnId":"V-214625","severity":"medium","ruleTitle":"To protect against unauthorized data mining, the Juniper Networks SRX Series Gateway IDPS must detect SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields.","description":"Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to detect attacks that use unauthorized data mining techniques to attack databases may result in the compromise of information.\n\nSQL injection attacks are the most prevalent attacks against web applications and databases. These attacks inject SQL commands that can read, modify, or compromise the meaning of the original SQL query. An attacker can spoof identity; expose, tamper, destroy, or make existing data unavailable; or gain unauthorized privileges on the database server.\n\nIDPS component(s) with anomaly detection must be included in the IDPS implementation to monitor for and detect unauthorized data mining. These components must include rules and anomaly detection algorithms to monitor for SQL injection attacks.","checkContent":"Verify an attack group or rule is configured.\n\n[edit]\nshow security idp policies\n\nIf an attack group or rule(s) is not implemented to monitor for SQL injection attacks that could be launched against data storage objects, this is a finding.","fixText":"Configure an attack group for \"SQL\" attacks in the signature database which are recommended. Consult the Junos Security Intelligence Center IDP signatures website for a list and details of each attack, along with recommended action upon detection. Then add the attack group to a policy.\n\nSpecify the attack group as match criteria in an IDP policy rule."},{"id":"428827e7-debf-4b65-b342-5b7399a82ea8","vulnId":"V-214626","severity":"medium","ruleTitle":"The Juniper Networks SRX Series Gateway IDPS must protect against or limit the effects of known and unknown types of Denial of Service (DoS) attacks by employing rate-based attack prevention behavior analysis.","description":"$28","checkContent":"From operational mode, enter the following command to verify that the anomaly-based attack object was created: \n\nshow idp security policies\n\nIf anomaly-based attack objects are not created, bound to a zone, and active, this is a finding.","fixText":"Create a protocol anomaly-based attack object:\n\nSpecify a name for the attack.\n[edit]\nsecurity idp custom-attack anomaly1\n\nSpecify common properties for the attack.\n[edit security idp custom-attack anomaly1]\nset severity info\nset time-binding scope peer count 2\n\nSpecify the attack type and test condition.\n[edit] \nsecurity idp custom-attack anomaly1set attack-type anomaly test OPTIONS_UNSUPPORTED\n\nSpecify other properties for the anomaly attack.\n[edit]\nsecurity idp custom-attack anomaly1]\nset attack-type anomaly service TCP\nu set attack-type anomaly direction any\nattack-type anomaly shellcode spark"},{"id":"a77abbd7-fd8c-40ba-a507-35509b370166","vulnId":"V-214627","severity":"medium","ruleTitle":"The Juniper Networks SRX Series Gateway IDPS must protect against or limit the effects of known and unknown types of Denial of Service (DoS) attacks by employing anomaly-based detection.","description":"If the network does not provide safeguards against DoS attack, network resources will be unavailable to users.\n\nInstallation of IDPS components (i.e., sensors) at key boundaries in the architecture mitigates the risk of DoS attacks. These attacks can be detected by matching observed communications traffic with patterns of known attacks.\n\nDetection components that use pattern recognition pre-processors can detect attacks when signatures for the attack do not exist or are not installed. These attacks include zero-day attacks which are new attacks for which vendors have not yet developed signatures.\n\nThis requirement applies to the communications traffic functionality of the IDPS as it pertains to handling communications traffic, rather than to the IDPS device itself. The Juniper SRX must be configured with screens using the Firewall STIG, but must also be configured for anomaly-based protection using various locally developed anomaly-based attack objects.","checkContent":"Verify that the anomaly-based attack object was created.\n\n[edit]\nshow idp security policies\n\nIf anomaly-based attack objects are not created, bound to a zone, and active, this is a finding.","fixText":"Create a protocol anomaly-based attack object:\n\nSpecify a name for the attack.\n[edit]\nsecurity idp custom-attack anomaly1\n\nSpecify common properties for the attack.\n[edit security idp custom-attack anomaly1]\nset severity info\nset time-binding scope peer count 2\n\nSpecify the attack type and test condition.\n[edit] \nsecurity idp custom-attack anomaly1set attack-type anomaly test OPTIONS_UNSUPPORTED\n\nSpecify other properties for the anomaly attack.\n[edit]\nsecurity idp custom-attack anomaly1]\nset attack-type anomaly service TCP\nu set attack-type anomaly direction any\nattack-type anomaly shellcode spark"},{"id":"a5867b69-4d59-4352-849c-3cbe78bc57ce","vulnId":"V-214628","severity":"medium","ruleTitle":"The Juniper Networks SRX Series Gateway IDPS must protect against or limit the effects of known types of Denial of Service (DoS) attacks by employing signatures.","description":"$29","checkContent":"Verify an attack group or rule is configured.\n\n[edit]\nshow security idp policies\n\nIf an attack group(s) or rules are not implemented to detect flood and DOS attacks, this is a finding.","fixText":"Configure an attack group for \"FLOOD\" and \"DOS\" attacks in the signature database which are recommended. Consult the Junos Security Intelligence Center IDP signatures website for a list and details of each attack, along with recommended action upon detection. Then add the attack group to a policy.\n\nSpecify the attack group as match criteria in an IDP policy rule."},{"id":"22f38dc4-1641-4053-9106-4c6b16a4d7c6","vulnId":"V-214629","severity":"medium","ruleTitle":"The IDPS must send an alert to, at a minimum, the ISSO and ISSM when intrusion detection events are detected that indicate a compromise or potential for compromise.","description":"Without an alert, security personnel may be unaware of intrusion detection incidents that require immediate action and this delay may result in the loss or compromise of information.\n\nIn accordance with CCI-001242, the IDPS is a real-time intrusion detection system. These systems must generate an alert when detection events from real-time monitoring occur. Alerts may be transmitted, for example, telephonically, by electronic mail messages, or by text messaging. The IDPS must either send the alert to a management console that is actively monitored by authorized personnel or use a messaging capability to send the alert directly to designated personnel. The Juniper SRX IDPS can be configured for email alerts.","checkContent":"Verify an attack group or rule is configured.\n\n[edit]\nshow security idp policies\n\nIf an attack group or rule is not implemented to detect root-level intrusion attacks or the match condition is not configured for an alert, this is a finding.","fixText":"Create a custom rule that identifies the Junos application which is prohibited on the network. \n\nAdd the option \"alert\" onto the rule to send an alert when that rule is invoked. Alerts should be sent only on critical and other site-selected items to prevent an excess of alerts.\n\n[edit]\nset security idp idp-policy recommended rulebase-ips rule-1 then notification log-attacks alert"},{"id":"2e75521c-b6c9-4ebb-8b90-8eaa22164241","vulnId":"V-214630","severity":"medium","ruleTitle":"The Juniper Networks SRX Series Gateway IDPS must generate an alert to, at a minimum, the ISSO and ISSM when root-level intrusion events that provide unauthorized privileged access are detected.","description":"$2a","checkContent":"Verify an attack group or rule is configured.\n\n[edit]\nshow security idp policies\n\nIf an attack group or rules are not configured to detect root-level intrusion attacks or the match condition is not configured for an alert, this is a finding.","fixText":"Configure an attack group for \"ROOT\" attacks in the signature database which are recommended. Consult the Junos Security Intelligence Center IDP signatures website for a list and details of each attack, along with recommended action upon detection. Then add the attack group to a policy.\n\nSpecify the attack group as match criteria in an IDP policy rule."},{"id":"d6afdf1b-81c8-4899-a497-fd9a79e3b325","vulnId":"V-214631","severity":"medium","ruleTitle":"The IDPS must send an alert to, at a minimum, the ISSO and ISSM when DoS incidents are detected.","description":"$2b","checkContent":"Verify alerts are configured to implement this requirement.\n\n[edit]\nshow security alarms potential-violation\n\nIf alerts are not configured to notify the ISSO and ISSM of potential-violation IDP events, this is a finding.","fixText":"Configure alerts for IDP attack by using the [edit security alarms potential-violation] command.\n\nAdd the option \"alert\" onto the rule to send an alert when that rule is invoked. Alerts should be sent only on critical and other site-selected items to prevent an excess of alerts.\n\n[edit]\nset security idp idp-policy recommended rulebase-ips rule-1 then notification log-attacks alert"},{"id":"c0684c70-d680-4921-9df7-d57a93966d93","vulnId":"V-214632","severity":"medium","ruleTitle":"The Juniper Networks SRX Series Gateway IDPS must automatically install updates to signature definitions.","description":"$2c","checkContent":"Verify automatic updates are configured.\n\n[edit]\nshow security idp\n\nIf updates are not automatically installed, this is a finding.","fixText":"The following example configures automatic updates of the IDP signature database:\n\nSpecify the URL to use.\n\n[edit]\nset security idp security-package url \n\nCreate a schedule for the automatic downloads.\n\nset security idp security-package automatic interval \nset security idp security-package automatic enable\n\nAlso, recommend a local log be created to track when automated updates are performed for troubleshooting purposes.\n\nset system syslog file IDP_OPERATIONS any any match IDP_SCHEDULE"},{"id":"e204bcc0-ffbc-4373-aa5f-89c2cb9913fa","vulnId":"V-214633","severity":"medium","ruleTitle":"The Juniper Networks SRX Series Gateway IDPS must perform real-time monitoring of files from external sources at network entry/exit points.","description":"Real-time monitoring of files from external sources at network entry/exit points helps to detect covert malicious code before it is downloaded to or executed by internal and external endpoints. Using malicious code, such as viruses, worms, Trojan horses, and spyware, an attacker may gain access to sensitive data and systems.\n\nIDPSs innately meet this requirement for real-time scanning for malicious code when properly configured to meet the requirements of this STIG. However, most products perform communications traffic inspection at the packet level.","checkContent":"Verify a dynamic custom attack group which includes attack objects for malicious code monitoring of files.\n\nshow security idp dynamic-attack-group\n\nIf a custom attack group exists containing members which include malicious code attack categories, this is a finding.","fixText":"Configure a dynamic custom attack group which includes attack objects for malicious code monitoring of files. There are many ways to accomplish this; thus, the following is only an example:\n\n[edit] \nsecurity idp dynamic-attack-group Malicious-Activity\nset category values [ SHELLCODE VIRUS WORMS SPYWARE TROJAN]"},{"id":"276a775d-da3f-4966-9344-0ef1fd7ca18c","vulnId":"V-214634","severity":"medium","ruleTitle":"The Juniper Networks SRX Series Gateway IDPS must drop packets or disconnect the connection when malicious code is detected.","description":"Configuring the IDPS to discard and/or redirect based on local organizational incident handling procedures minimizes the impact of this code on the network.\n\nOnce an attack object in the IPS policy is matched, the SRX can execute an action on that specific session, along with actions on future sessions. The ability to execute an action on that particular session is known as an IDPS action. IDPS actions can be one of the following: No-Action, Drop-Packet, Drop-Connection, Close-Client, Close-Server, Close-Client-and-Server, DSCP-Marking, Recommended, or Ignore. IP actions are actions that can be enforced on future sessions. These actions include IP-Close, IP-Block, and IP-Notify","checkContent":"Verify custom rules exist to drop packets or terminate sessions upon detection of malicious code.\n\n[edit]\nshow security idp policy\n\nView the rulebase action option for the IDP policies.\n\nIf rulebases for IDP policies which detect malicious code are not configured with an action of Drop-Packet, Drop-Connection, or some form of session termination, this is a finding.","fixText":"This requirement can be met through a custom rule within a policy or drop action option on the zone configuration to which the policy is applied. The following is an example of the command that can be added to the IDP policy. The policy is called Malicious-Activity and the rule is called R1 in this example.\n\n[edit]\nset security idp idp-policy Malicious-Activity rulebase-ips rule R1 then action drop-connection"},{"id":"ac49a1c3-e048-4ff4-8ad2-9163889634ca","vulnId":"V-214635","severity":"medium","ruleTitle":"The Juniper Networks SRX Series Gateway IDPS must send an immediate alert to, at a minimum, the Security Control Auditor (SCA) when malicious code is detected.","description":"Without an alert, security personnel may be unaware of an impending failure of the audit capability, and the ability to perform forensic analysis and detect rate-based and other anomalies will be impeded.\n\nThe IDPS generates an immediate (within seconds) alert which notifies designated personnel of the incident. Sending a message to an unattended log or console does not meet this requirement since that will not be seen immediately. These messages should include a severity level indicator or code as an indicator of the criticality of the incident.","checkContent":"Verify an alert is sent when malicious code is detected.\n\n[edit]\nshow security idp policy\n\nView the rulebase options for the IDP policies.\n\nIf the rulebase options for the IDP policies that detect malicious code do not contain the \"alert\" option, this is a finding.","fixText":"This requirement can be met using an alert. Alerts must be enabled and configured and then added to the IDP policy rulebase command as an option. The following is an example of the command that can be added to the IDP policy. The policy is called Malicious-Activity and the rule is called R1 in this example.\n\n[edit]\nset security idp idp-policy Malicious-Activity rulebase-ips rule R1 then notification log-attacks alert"},{"id":"5429b5fe-ec37-4573-98b3-79f1b20d46a8","vulnId":"V-214636","severity":"medium","ruleTitle":"The Juniper Networks SRX Series Gateway IDPS must have only active Juniper Networks licenses.","description":"If the IDP or UTM licenses are allowed to lapse, the Juniper SRX IDPS can still inspect traffic and continue to use the outdated signature database for rules, objects, and dynamic groups. However, updates to the signature database cannot be downloaded from Juniper Networks. This puts the network at risk since the updates are used to addresses new CERT and IAVM vulnerabilities.","checkContent":"In operational mode, enter show system license.\n\nIf the license expiration for idp-sig and all other licenses installed are past today's date, this is a finding.","fixText":"Update the expired licenses immediately following the procedures on the vendor website."},{"id":"bd065b67-7fee-44d3-b932-7764e1271047","vulnId":"V-214637","severity":"medium","ruleTitle":"The Juniper Networks SRX Series Gateway IDPS must either forward the traffic from inbound connections to be more deeply inspected for malicious code and Layer 7 threats, or the Antivirus and Unified Threat Management (UTM) license must be installed, active, and policies and rules configured.","description":"$2d","checkContent":"Verify UTM and AV policies are configured.\n\n[edit]\nshow security utm\n\nIf a stanza does not exist for at least one UTM and one AV policy, this is a finding.\n\nIf the IDPS does not have UTM and AV capabilities and traffic is not forwarded to be inspected for AV and UTM threats, this is a finding.","fixText":"Configure at least one policy for the UTM and AV policy using the commands and options for the [edit security utm] hierarchy.\n\nIf the UTM and AV licenses are not installed, IDPS must be installed in the architecture so that traffic is forwarded for deeper AV and UTM inspection. This can be accomplished by using a zone stanza to direct the traffic to an interface or IP destination address."}]}]]}]

Juniper SRX Services Gateway IDPS Security Technical Implementation Guide

Checks (28)