STIGQter: STIG Summary: Juniper SRX Services Gateway VPN Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021

The Juniper SRX Services Gateway VPN must configure Internet Key Exchange (IKE) with SHA1 or greater to protect the authenticity of communications sessions.

DISA Rule

SV-214692r383107_rule

Vulnerability Number

V-214692

Group Title

SRG-NET-000230

Rule Version

JUSX-VN-000025

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Include the SHA1 or higher authentication algorithm in the IKE proposal. The following is an example command.

[edit]
set security ike proposal <P1-PROPOSAL-NAME> authentication-algorithm sha-256

Check Contents

View all IKE proposals used in the VPN configuration.

[edit]
show security ike proposal

If the authentication algorithm in all IKE proposals is not set to SHA1 or higher, this is a finding.
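
The check above can be scripted over an exported configuration. The following is an added example, not part of the STIG or of Juniper's tooling. It assumes the proposals were captured in set format (for example with `show security ike proposal | display set`), that any proposal using MD5 or lacking an authentication-algorithm statement counts as a finding, and that proposal names contain no spaces. The proposal names in the sample are constructed.

```python
# Algorithms treated as "SHA1 or higher" for this check. Assumption: these
# are the keywords your Junos release accepts; adjust the set if it differs.
ACCEPTED = {"sha1", "sha-256", "sha-384", "sha-512"}
PREFIX = ["set", "security", "ike", "proposal"]

def audit_ike_proposals(config_text):
    """Map each IKE proposal name to (status, algorithm) from set-format lines."""
    algos = {}
    for line in config_text.splitlines():
        tokens = line.split()
        if tokens[:4] != PREFIX or len(tokens) < 5:
            continue  # not an IKE proposal statement (e.g. ike policy/gateway)
        name = tokens[4]
        algos.setdefault(name, None)  # remember proposals with no algorithm set
        if len(tokens) >= 7 and tokens[5] == "authentication-algorithm":
            algos[name] = tokens[6].lower()
    return {
        name: ("pass" if algo in ACCEPTED else "finding", algo)
        for name, algo in algos.items()
    }

def findings(config_text):
    """Sorted names of proposals that fail the check."""
    result = audit_ike_proposals(config_text)
    return sorted(n for n, (status, _) in result.items() if status == "finding")

# Constructed sample configuration (not taken from a real device).
SAMPLE = """\
set security ike proposal P1-SHA256 authentication-method pre-shared-keys
set security ike proposal P1-SHA256 dh-group group14
set security ike proposal P1-SHA256 authentication-algorithm sha-256
set security ike proposal P1-LEGACY authentication-algorithm md5
set security ike proposal P1-LEGACY encryption-algorithm aes-128-cbc
set security ike proposal P1-UNSET encryption-algorithm aes-256-cbc
set security ike policy POL1 proposals P1-SHA256
"""

if __name__ == "__main__":
    for name, (status, algo) in sorted(audit_ike_proposals(SAMPLE).items()):
        print(f"{name}: {status} (authentication-algorithm={algo or 'not set'})")
```

Proposals reported with `not set` need manual review against the device's effective configuration before being recorded as a finding.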

Documentable

False

Severity Override Guidance

View all IKE proposals used in the VPN configuration.

[edit]
show security ike proposal

If the authentication algorithm in all IKE proposals is not set to SHA1 or higher, this is a finding.

Check Content Reference

M

Target Key

4009
