STIG Summary: Juniper SRX SG VPN Security Technical Implementation Guide, Version 1, Release 2, Benchmark Date: 27 Oct 2017

The Juniper SRX Services Gateway VPN must be configured to use IPsec with SHA1 or greater to negotiate hashing to protect the integrity of remote access sessions.

DISA Rule

SV-81139r2_rule

Vulnerability Number

V-66649

Group Title

SRG-NET-000063

Rule Version

JUSX-VN-000008

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

The following example command configures the authentication (hashing) algorithm of an IPsec proposal; any of the three listed values satisfies the SHA1-or-greater requirement.

set security ipsec proposal <IPSEC-PROPOSAL-NAME> authentication-algorithm <hmac-sha-256-128 | hmac-sha-256-96 | hmac-sha1-96>

Check Contents

Verify all IPSec proposals are set to use the sha-256 hashing algorithm.

[edit]
show security ipsec proposal <IPSEC-PROPOSAL-NAME>

View the value of the authentication-algorithm (hashing) option for each defined proposal.

If the authentication-algorithm option of any defined proposal is not set to SHA1 or greater, this is a finding.
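As an added example (not part of the STIG text or of Juniper's tooling), the Python script below parses set-format output of the check command above and reports each proposal whose authentication-algorithm is not one of the values the fix recommendation lists; the proposal names and configuration sample are constructed.

```python
import re
from typing import Dict, List

# Hashing (authentication) algorithms the fix recommendation lists as acceptable.
APPROVED_AUTH_ALGS = {"hmac-sha1-96", "hmac-sha-256-96", "hmac-sha-256-128"}

# Matches "display set" lines carrying a proposal's authentication or encryption algorithm.
_PROPOSAL_RE = re.compile(
    r"^set security ipsec proposal (?P<name>\S+) "
    r"(?P<knob>authentication-algorithm|encryption-algorithm) (?P<value>\S+)\s*$"
)


def parse_proposals(config_text: str) -> Dict[str, Dict[str, str]]:
    """Return {proposal_name: {knob: value}} from set-format configuration text."""
    proposals: Dict[str, Dict[str, str]] = {}
    for line in config_text.splitlines():
        m = _PROPOSAL_RE.match(line.strip())
        if m:
            proposals.setdefault(m["name"], {})[m["knob"]] = m["value"]
    return proposals


def audit_proposals(config_text: str) -> List[str]:
    """Return one finding per proposal whose hashing is not SHA1 or greater."""
    findings = []
    for name, knobs in sorted(parse_proposals(config_text).items()):
        auth = knobs.get("authentication-algorithm")
        if auth is None:
            # No explicit hashing algorithm: flag for manual review rather than guess a default.
            findings.append(f"{name}: no authentication-algorithm configured; review manually")
        elif auth not in APPROVED_AUTH_ALGS:
            findings.append(f"{name}: authentication-algorithm {auth} is weaker than SHA1")
    return findings


# Constructed sample of "show security ipsec proposal | display set" output.
SAMPLE_CONFIG = """
set security ipsec proposal VPN-PROP-STRONG protocol esp
set security ipsec proposal VPN-PROP-STRONG authentication-algorithm hmac-sha-256-128
set security ipsec proposal VPN-PROP-STRONG encryption-algorithm aes-256-cbc
set security ipsec proposal VPN-PROP-LEGACY protocol esp
set security ipsec proposal VPN-PROP-LEGACY authentication-algorithm hmac-md5-96
set security ipsec proposal VPN-PROP-LEGACY encryption-algorithm 3des-cbc
set security ipsec proposal VPN-PROP-SHA1 authentication-algorithm hmac-sha1-96
set security ipsec proposal VPN-PROP-NOAUTH encryption-algorithm aes-128-cbc
"""

if __name__ == "__main__":
    for finding in audit_proposals(SAMPLE_CONFIG) or ["No findings"]:
        print(finding)
```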

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

3043

Comments