STIGQter: STIG Summary: Juniper SRX Services Gateway VPN Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 23 Apr 2021

The Juniper SRX Services Gateway VPN must be configured to use IPsec with SHA1 or greater to negotiate hashing to protect the integrity of remote access sessions.

DISA Rule

SV-214675r382846_rule

Vulnerability Number

V-214675

Group Title

SRG-NET-000063

Rule Version

JUSX-VN-000008

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

The following example command configures the authentication (hashing) algorithm of an IPsec proposal.

set security ipsec proposal <IPSEC-PROPOSAL-NAME> authentication-algorithm <hmac-sha-256-128 | hmac-sha-256-96 | hmac-sha1-96>

Check Contents

Verify all IPSec proposals are set to use the sha-256 hashing algorithm.

[edit]
show security ipsec proposal <IPSEC-PROPOSAL-NAME>

View the value of the encryption algorithm for each defined proposal.

If the value of the encryption algorithm option for all defined proposals is not set to use SHA1 or greater, this is a finding.
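An added example, not part of the STIG text: a small Python script that automates this check against the one-line-per-statement form of the proposal configuration (assumed here to come from `show security ipsec proposal | display set`), flagging any proposal whose authentication-algorithm is not one of the values the fix recommendation lists. The sample configuration is constructed, and the separate "review" status for AEAD encryption algorithms is an assumption of this script, not part of the STIG check.

```python
import re
from typing import Dict, Tuple

# Hash algorithms the fix recommendation names as acceptable (SHA1 or stronger).
ACCEPTED_AUTH = {"hmac-sha1-96", "hmac-sha-256-96", "hmac-sha-256-128"}

# One 'display set' statement of an IPsec proposal, e.g.
#   set security ipsec proposal VPN-PROP authentication-algorithm hmac-sha-256-128
SET_LINE = re.compile(
    r"^set security ipsec proposal (\S+) "
    r"(authentication-algorithm|encryption-algorithm|protocol) (\S+)$"
)

def parse_proposals(config: str) -> Dict[str, Dict[str, str]]:
    """Group the relevant statements of each proposal by proposal name."""
    proposals: Dict[str, Dict[str, str]] = {}
    for line in config.splitlines():
        m = SET_LINE.match(line.strip())
        if m:
            name, key, value = m.groups()
            proposals.setdefault(name, {})[key] = value
    return proposals

def check_proposal(stmts: Dict[str, str]) -> Tuple[str, str]:
    """Return (status, reason) for one proposal's statements."""
    auth = stmts.get("authentication-algorithm")
    enc = stmts.get("encryption-algorithm", "")
    if auth in ACCEPTED_AUTH:
        return "pass", auth
    if auth is None and enc.endswith("-gcm"):
        # AEAD ciphers carry integrity without a separate hash statement (assumption: confirm by hand).
        return "review", f"no authentication-algorithm; {enc} is an AEAD cipher"
    if auth is None:
        return "finding", "no authentication-algorithm configured"
    return "finding", f"{auth} is weaker than SHA1"

def audit(config: str) -> Dict[str, Tuple[str, str]]:
    """Apply the STIG check to every proposal found in the configuration."""
    return {name: check_proposal(s) for name, s in parse_proposals(config).items()}

# Constructed sample output, not taken from a real device.
SAMPLE = """\
set security ipsec proposal STRONG-PROP protocol esp
set security ipsec proposal STRONG-PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal STRONG-PROP encryption-algorithm aes-256-cbc
set security ipsec proposal LEGACY-PROP protocol esp
set security ipsec proposal LEGACY-PROP authentication-algorithm hmac-md5-96
set security ipsec proposal LEGACY-PROP encryption-algorithm 3des-cbc
set security ipsec proposal GCM-PROP protocol esp
set security ipsec proposal GCM-PROP encryption-algorithm aes-256-gcm
set security ipsec proposal BARE-PROP protocol esp
set security ipsec proposal BARE-PROP encryption-algorithm aes-128-cbc
"""

if __name__ == "__main__":
    for name, (status, reason) in audit(SAMPLE).items():
        print(f"{name}: {status} ({reason})")
```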

Documentable

False

Severity Override Guidance

Verify all IPSec proposals are set to use the sha-256 hashing algorithm.

[edit]
show security ipsec proposal <IPSEC-PROPOSAL-NAME>

View the value of the encryption algorithm for each defined proposal.

If the value of the encryption algorithm option for all defined proposals is not set to use SHA1 or greater, this is a finding.

Check Content Reference

M

Target Key

4009

Comments