STIGQter STIGQter: STIG Summary: Juniper SRX SG ALG Security Technical Implementation Guide Version: 1 Release: 4 Benchmark Date: 26 Jul 2019: For User Role Firewalls, the Juniper SRX Services Gateway Firewall must employ user attribute-based security policies to enforce approved authorizations for logical access to information and system resources.

DISA Rule

SV-80493r1_rule

Vulnerability Number

V-66003

Group Title

SRG-NET-000015-ALG-000016

Rule Version

JUSX-AG-000019

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure attribute-based security policies to enforce approved authorizations for logical access to information and system resources using the following commands.

To configure redirection from the SRX Series device to the Access Control Service, from configuration mode, configure the UAC profile for the captive portal <acs-device>.

[edit]
set services unified-access-control captive-portal <acs-device-name> redirect-traffic unauthenticated

Configure the redirection URL for the Access Control Service or a default URL for the captive portal.

[edit]
set services unified-access-control captive-portal acs-device redirect-url https://%ic-url%/?target=%dest-url%&enforcer=%enforcer-id%

This policy specifies the default target and enforcer variables to be used by the Access Control Service to direct the user back after authentication. This ensures that changes to system specifications will not affect configuration results.

Configure a user role firewall policy that redirects HTTP traffic from zone trust to zone untrust if the source-identity is unauthenticated-user. The captive portal profile name is specified as the action to be taken for traffic matching this policy. The following is an example only since there the actual policy is dependent on the architecture of the organization's network.

[edit]
set security policies from-zone trust to-zone untrust policy user-role-fw1 match source-address any
set security policies from-zone trust to-zone untrust policy user-role-fw1 match destination-address any
set security policies from-zone trust to-zone untrust policy user-role-fw1 match application http
set security policies from-zone trust to-zone untrust policy user-role-fw1 match source-identity unauthenticated-user
set security policies from-zone trust to-zone untrust policy user-role-fw1 then permit app

Check Contents

If user-based firewall policies are not used, this is not applicable.

To verify the existence of user-based firewall policies, view a summary of all policies configured on the firewall.

[edit]
show security policies

If the source identity is not specified in any policy for a particular zone pair, this is a finding.

Vulnerability Number

V-66003

Documentable

False

Rule Version

JUSX-AG-000019

Severity Override Guidance

If user-based firewall policies are not used, this is not applicable.

To verify the existence of user-based firewall policies, view a summary of all policies configured on the firewall.

[edit]
show security policies

If the source identity is not specified in any policy for a particular zone pair, this is a finding.

Check Content Reference

M

Target Key

3035

Comments