STIGQter: STIG Summary: Juniper SRX SG VPN Security Technical Implementation Guide, Version 1, Release 2, Benchmark Date 27 Oct 2017: The Juniper SRX Services Gateway VPN must renegotiate the security association after 8 hours or less.

DISA Rule

SV-81121r1_rule

Vulnerability Number

V-66631

Group Title

SRG-NET-000517

Rule Version

JUSX-VN-000002

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Set the lifetime (in seconds) of the IPsec proposal to 8 hours or less.

Example:

[edit]
set security ipsec proposal <P2-PROPOSAL-NAME> lifetime-seconds 28800

Check Contents

Review all IPsec security associations configured globally or within IPsec profiles on the VPN gateway and examine the configured idle time. The default is 3600.

[edit]
show security ipsec proposal

View the value of the lifetime-seconds option.

If the IPsec proposal lifetime-seconds value is not set so that the security association is renegotiated after 8 hours or less of idle time, this is a finding.

If the IPsec proposal lifetime-seconds is not configured, this is a finding.
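An added audit helper, not part of the STIG or of STIGQter, that applies both finding conditions above to a captured `show security ipsec proposal` listing; the sample capture, proposal names and algorithms are constructed for this example.

```python
import re
from typing import Dict, List, Optional

# JUSX-VN-000002: the SA lifetime must be explicitly set and be 8 hours (28800 s) or less.
MAX_LIFETIME_SECONDS = 8 * 3600

# Constructed sample of `show security ipsec proposal` output taken from [edit] mode.
SAMPLE_OUTPUT = """\
proposal P2-OK {
    protocol esp;
    authentication-algorithm hmac-sha-256-128;
    encryption-algorithm aes-256-cbc;
    lifetime-seconds 28800;
}
proposal P2-TOO-LONG {
    protocol esp;
    encryption-algorithm aes-256-gcm;
    lifetime-seconds 86400;
}
proposal P2-UNSET {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm 3des-cbc;
}
"""

_STANZA = re.compile(r"proposal\s+(\S+)\s*\{(.*?)\n\}", re.DOTALL)
_LIFETIME = re.compile(r"^\s*lifetime-seconds\s+(\d+);", re.MULTILINE)


def parse_proposals(output: str) -> Dict[str, Optional[int]]:
    """Map each proposal name to its lifetime-seconds, or None when the option is absent."""
    proposals = {}
    for name, body in _STANZA.findall(output):
        m = _LIFETIME.search(body)
        proposals[name] = int(m.group(1)) if m else None
    return proposals


def findings(proposals: Dict[str, Optional[int]]) -> List[str]:
    """One finding per non-compliant proposal; an unset value is a finding even though Junos defaults to 3600."""
    out = []
    for name, lifetime in proposals.items():
        if lifetime is None:
            out.append(f"{name}: lifetime-seconds not configured")
        elif lifetime > MAX_LIFETIME_SECONDS:
            out.append(f"{name}: lifetime-seconds {lifetime} exceeds {MAX_LIFETIME_SECONDS}")
    return out

if __name__ == "__main__":
    print("\n".join(findings(parse_proposals(SAMPLE_OUTPUT))) or "No findings")
```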

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

3043

Comments