STIGQter: STIG Summary: Juniper SRX Services Gateway VPN Security Technical Implementation Guide, Version: 2, Release: 1, Benchmark Date: 23 Apr 2021

The Juniper SRX Services Gateway VPN must use AES encryption for the IPsec proposal to protect the confidentiality of remote access sessions.

DISA Rule

SV-214672r382783_rule

Vulnerability Number

V-214672

Group Title

SRG-NET-000062

Rule Version

JUSX-VN-000005

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

The following example commands configure the IPsec (phase 2) proposals. The option may also be configured to use the aes-128-cbc, aes-192-cbc, or aes-256-cbc algorithms.

[edit]
set security ipsec proposal <IPSEC-PROPOSAL-NAME> encryption-algorithm aes-256-cbc

Check Contents

Verify all Internet Key Exchange (IKE) proposals are set to use the AES encryption algorithm.

[edit]
show security ipsec

View the value of the encryption algorithm for each defined proposal.

If the value of the encryption algorithm for any IPsec proposal is not set to use an AES algorithm, this is a finding.
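The check above can be automated over saved output of `show security ipsec`. The following is an added example, not part of the STIG or of Juniper tooling: it assumes the hierarchical (curly-brace) configuration format, uses constructed proposal names and values, and treats a proposal with no encryption-algorithm statement as a finding because it is not set to use AES.

```python
import re

# Constructed sample of `show security ipsec` output (hierarchical Junos
# configuration format); proposal names and values are made up for the example.
SAMPLE_CONFIG = """\
proposal P2-AES-CBC {
    protocol esp;
    authentication-algorithm hmac-sha-256-128;
    encryption-algorithm aes-256-cbc;
}
proposal P2-LEGACY {
    protocol esp;
    encryption-algorithm 3des-cbc;
}
proposal P2-UNSET {
    protocol esp;
    authentication-algorithm hmac-sha-256-128;
}
policy P2-POLICY {
    proposals P2-AES-CBC;
}
"""

# A top-level "proposal NAME { ... }" stanza; the closing brace is at column 0.
PROPOSAL_RE = re.compile(r"^proposal\s+(\S+)\s*\{(.*?)^\}", re.M | re.S)
ENC_RE = re.compile(r"^\s*encryption-algorithm\s+(\S+?);", re.M)


def audit_ipsec_proposals(config_text):
    """Return {proposal_name: (algorithm_or_None, is_finding)}."""
    results = {}
    for name, body in PROPOSAL_RE.findall(config_text):
        match = ENC_RE.search(body)
        algorithm = match.group(1) if match else None
        # Assumption: unset counts as a finding, as does any non-AES value.
        is_finding = algorithm is None or not algorithm.startswith("aes-")
        results[name] = (algorithm, is_finding)
    return results


def findings(config_text):
    """Names of proposals that fail the check, in sorted order."""
    return sorted(n for n, (_, bad) in audit_ipsec_proposals(config_text).items() if bad)


if __name__ == "__main__":
    for name, (alg, bad) in audit_ipsec_proposals(SAMPLE_CONFIG).items():
        print(f"{name}: {alg or 'not set'} -> {'FINDING' if bad else 'ok'}")
```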

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4009
