STIGQter STIGQter: STIG Summary: Juniper SRX Services Gateway VPN Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The Juniper SRX Services Gateway VPN must terminate all network connections associated with a communications session at the end of the session.

DISA Rule

SV-214689r695324_rule

Vulnerability Number

V-214689

Group Title

SRG-NET-000213

Rule Version

JUSX-VN-000022

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

For site-to-site VPN, configure an Internet Key Exchange (IKE) gateway that includes dead-peer-detection parameters such as in the following example.

set security ike gateway IKE-PEER ike-policy IKE-POLICY
set security ike gateway IKE-PEER address <Peer IP Address>
set security ike gateway IKE-PEER dead-peer-detection always-send
set security ike gateway IKE-PEER dead-peer-detection interval 10
set security ike gateway IKE-PEER dead-peer-detection threshold 2
set security ike gateway IKE-PEER local-identity inet <IPv4 Address in Certificate>
set security ike gateway IKE-PEER remote-identity inet <IPv4 Address in Remote
Certificate>
set security ike gateway IKE-PEER external-interface <interface name>
set security ike gateway IKE-PEER version v2-only

For dynamic (remote access) VPN, the TCP keep-alive for remote access is implemented in the Juniper SRX Firewall STIG.

Check Contents

Ask the site representative which proposal implements Suite B.

[edit]
show security ike gateway <ike-peer-name>

View the configured options.

If the dead-peer-detection is not configured, this is a finding.

Vulnerability Number

V-214689

Documentable

False

Rule Version

JUSX-VN-000022

Severity Override Guidance

Ask the site representative which proposal implements Suite B.

[edit]
show security ike gateway <ike-peer-name>

View the configured options.

If the dead-peer-detection is not configured, this is a finding.

Check Content Reference

M

Target Key

4009

Comments