SV-214687r385516_rule
V-214687
SRG-NET-000168
JUSX-VN-000020
CAT II
10
After configuring the Internet Key Exchange (IKE) gateway and IPsec proposal, the following commands configure an IPsec policy, enabling Perfect Forward Secrecy (PFS) using Diffie-Hellman group 14 and associating the IPsec proposal configured in the previous example.
set security ipsec policy IPSEC-POLICY perfect-forward-secrecy keys group14
set security ipsec policy IPSEC-POLICY proposals IPSEC-PROPOSAL
The following commands define an IPsec VPN using a secure tunnel interface, specifying the IKE gateway information, IPsec policy, and tunnel establishment policy. Alternatively, administrators can configure on-traffic tunnel establishment.
[edit]
set security ipsec vpn VPN bind-interface st0.0
set security ipsec vpn VPN ike gateway IKE-PEER
set security ipsec vpn VPN ike ipsec-policy IPSEC-POLICY
set security ipsec vpn VPN establish-tunnels immediately
Verify IPsec is defined and configured using FIPS-compliant protocols.
[edit]
show security ipsec vpn
If the IPsec policy and VPN are not configured to use FIPS 140-2 compliant mechanisms for authentication to a cryptographic module, this is a finding.
False
M
4009