STIGQter: STIG Summary: Juniper SRX SG NDM Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 23 Apr 2021

The Juniper SRX Services Gateway must be configured to use a centralized authentication server to authenticate privileged users for remote and nonlocal access for device management.

DISA Rule

SV-229025r518253_rule

Vulnerability Number

V-229025

Group Title

SRG-APP-000516-NDM-000317

Rule Version

JUSX-DM-000097

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Configure the Juniper SRX to forward logon requests to a RADIUS or TACACS+ server. Remove local users configured on the device (CCI-000213) so that authentication cannot fall back to a local account.

[edit]
set system tacplus-server <server ipaddress> port 49 secret <shared secret>

or

[edit]
set system radius-server <server ipaddress> port 1812 secret <shared secret>

Note: DoD policy is that redundant AAA servers are required to mitigate the risk of a failure of the primary AAA device.

Check Contents

Verify the Juniper SRX is configured to forward logon requests to a RADIUS or TACACS+ server.

From the CLI operational mode enter:
show system radius-server
or
show system tacplus-server

If the Juniper SRX is not configured to use at least one RADIUS or TACACS+ server, this is a finding.
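The following is an added compliance check for this rule; it is not part of the STIG or of STIGQter. It assumes the input is the text of `show configuration system | display set` from the Junos CLI (the sample configurations below are constructed), and it applies the Fix Recommendation and Check Contents above: at least one radius-server or tacplus-server entry means not a finding, fewer than two servers is flagged against the redundant-AAA note, and any remaining `system login user` accounts are listed for the reviewer.

```python
"""Added compliance check for JUSX-DM-000097 / V-229025 (not part of the STIG).

Assumes the input is the output of `show configuration system | display set`
on a Junos device. All sample configuration text below is constructed.
"""
import re
from dataclasses import dataclass, field

# One set-line per server attribute; the address is the token after the keyword.
AAA_RE = re.compile(r"^set system (radius-server|tacplus-server) (\S+)", re.M)
LOCAL_USER_RE = re.compile(r"^set system login user (\S+)", re.M)

# Constructed sample: two TACACS+ servers plus one leftover local account.
SAMPLE_TWO_TACPLUS = """\
set system host-name srx-edge-1
set system authentication-order tacplus
set system tacplus-server 10.0.0.5 port 49
set system tacplus-server 10.0.0.5 secret "$9$PLACEHOLDER"
set system tacplus-server 10.0.0.6 port 49
set system tacplus-server 10.0.0.6 secret "$9$PLACEHOLDER"
set system login user netadmin class super-user
set system login user netadmin authentication encrypted-password "$6$PLACEHOLDER"
"""

# Constructed sample: no AAA server at all, local account only.
SAMPLE_NO_AAA = """\
set system host-name srx-lab
set system login user netadmin class super-user
set system login user netadmin authentication encrypted-password "$6$PLACEHOLDER"
"""


@dataclass
class CheckResult:
    finding: bool                      # True when no RADIUS/TACACS+ server is configured
    radius: list = field(default_factory=list)
    tacplus: list = field(default_factory=list)
    local_users: list = field(default_factory=list)
    redundant: bool = False            # True when two or more AAA servers are configured


def parse_aaa_servers(config_text):
    """Return {'radius': [...], 'tacplus': [...]} addresses, deduplicated, first-seen order."""
    servers = {"radius": [], "tacplus": []}
    for kind, address in AAA_RE.findall(config_text):
        bucket = servers["radius" if kind == "radius-server" else "tacplus"]
        if address not in bucket:
            bucket.append(address)
    return servers


def parse_local_users(config_text):
    """Return the names of locally defined login accounts, deduplicated."""
    users = []
    for name in LOCAL_USER_RE.findall(config_text):
        if name not in users:
            users.append(name)
    return users


def evaluate(config_text):
    """Apply the rule: a finding if neither server type is configured."""
    servers = parse_aaa_servers(config_text)
    total = len(servers["radius"]) + len(servers["tacplus"])
    return CheckResult(
        finding=(total == 0),
        radius=servers["radius"],
        tacplus=servers["tacplus"],
        local_users=parse_local_users(config_text),
        redundant=(total >= 2),
    )


def report(result):
    """Render a short reviewer-facing summary of a CheckResult."""
    lines = ["JUSX-DM-000097: " + ("FINDING" if result.finding else "not a finding")]
    lines.append(f"  RADIUS servers : {result.radius or 'none'}")
    lines.append(f"  TACACS+ servers: {result.tacplus or 'none'}")
    if not result.finding and not result.redundant:
        lines.append("  note: only one AAA server; DoD policy requires redundant AAA servers")
    if result.local_users:
        lines.append(f"  local accounts still present (review per fix text): {result.local_users}")
    return "\n".join(lines)


if __name__ == "__main__":
    for label, cfg in (("two-tacplus", SAMPLE_TWO_TACPLUS), ("no-aaa", SAMPLE_NO_AAA)):
        print(f"--- {label} ---")
        print(report(evaluate(cfg)))
```

The check deliberately keys on set-format output rather than on the operational `show system ...` commands named in the check text, because set-format lines are one attribute per line and parse reliably from a saved configuration file.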

Vulnerability Number

V-229025

Documentable

False

Rule Version

JUSX-DM-000097

Severity Override Guidance

Verify the Juniper SRX is configured to forward logon requests to a RADIUS or TACACS+ server.

From the CLI operational mode enter:
show system radius-server
or
show system tacplus-server

If the Juniper SRX is not configured to use at least one RADIUS or TACACS+ server, this is a finding.

Check Content Reference

M

Target Key

4098

Comments