STIGQter: STIG Summary: Juniper SRX SG NDM Security Technical Implementation Guide

Version: 1

Release: 3

Benchmark Date: 26 Jul 2019

Checked | Name | Title
------- | ---- | -----
 | SV-80505r1_rule | If the loopback interface is used, the Juniper SRX Services Gateway must protect the loopback interface with firewall filters for known attacks that may exploit this interface.
 | SV-80933r1_rule | For local accounts, the Juniper SRX Services Gateway must generate an alert message to the management console and generate a log event record that can be forwarded to the ISSO and designated system administrators when local accounts are created.
 | SV-80935r1_rule | The Juniper SRX Services Gateway must generate an alert message to the management console and generate a log event record that can be forwarded to the ISSO and designated system administrators when the local accounts (i.e., the account of last resort or root account) are modified.
 | SV-80937r1_rule | The Juniper SRX Services Gateway must generate alerts to the management console and generate a log record that can be forwarded to the ISSO and designated system administrators when the local accounts (i.e., the account of last resort or root account) are deleted.
 | SV-80939r1_rule | The Juniper SRX Services Gateway must be configured to use a centralized authentication server to authenticate privileged users for remote and nonlocal access for device management.
 | SV-80941r1_rule | If SNMP is enabled, the Juniper SRX Services Gateway must use and securely configure SNMPv3.
 | SV-80943r1_rule | For nonlocal maintenance sessions using SNMP, the Juniper SRX Services Gateway must use and securely configure SNMPv3 with SHA to protect the integrity of maintenance and diagnostic communications.
 | SV-80945r1_rule | For nonlocal maintenance sessions using SNMP, the Juniper SRX Services Gateway must securely configure SNMPv3 with privacy options to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions.
 | SV-80947r1_rule | The Juniper SRX Services Gateway must automatically terminate a network administrator session after organization-defined conditions or trigger events requiring session disconnect.
 | SV-80949r1_rule | For local accounts created on the device, the Juniper SRX Services Gateway must automatically generate log records for account creation events.
 | SV-80951r1_rule | For local accounts created on the device, the Juniper SRX Services Gateway must automatically generate log records for account modification events.
 | SV-80953r1_rule | For local accounts created on the device, the Juniper SRX Services Gateway must automatically generate log records for account disabling events.
 | SV-80955r1_rule | For local accounts created on the device, the Juniper SRX Services Gateway must automatically generate log records for account removal events.
 | SV-80957r1_rule | The Juniper SRX Services Gateway must generate an alert message to the management console and generate a log event record that can be forwarded to the ISSO and designated system administrators when accounts are disabled.
 | SV-80959r1_rule | The Juniper SRX Services Gateway must automatically generate a log event when accounts are enabled.
 | SV-80961r1_rule | The Juniper SRX Services Gateway must generate an immediate alert message to the management console for account enabling actions.
 | SV-80963r1_rule | The Juniper SRX Services Gateway must enforce the assigned privilege level for each administrator and authorizations for access to all commands by assigning a login class to all AAA-authenticated users.
 | SV-80965r1_rule | The Juniper SRX Services Gateway must enable log record generation for DoD-defined auditable events within the Juniper SRX Services Gateway.
 | SV-80967r1_rule | For local log files, the Juniper SRX Services Gateway must allocate log storage capacity in accordance with organization-defined log record storage requirements so that the log files do not grow to a size that causes operational issues.
 | SV-80969r1_rule | The Juniper SRX Services Gateway must generate an immediate system alert message to the management console when a log processing failure is detected.
 | SV-80971r1_rule | In the event that communications with the events server are lost, the Juniper SRX Services Gateway must continue to queue log records locally.
 | SV-80973r1_rule | The Juniper SRX Services Gateway must record time stamps for log records using Coordinated Universal Time (UTC).
 | SV-80975r1_rule | The Juniper SRX Services Gateway must implement logon roles to ensure only authorized roles are allowed to install software and updates.
 | SV-80977r1_rule | The Juniper SRX Services Gateway must be configured to synchronize internal information system clocks with the primary and secondary NTP servers for the network.
 | SV-80979r1_rule | The Juniper SRX Services Gateway must be configured to use an authentication server to centrally manage authentication and logon settings for remote and nonlocal access.
 | SV-80981r1_rule | The Juniper SRX Services Gateway must be configured to use an authentication server to centrally apply authentication and logon settings for remote and nonlocal access for device management.
 | SV-80983r1_rule | The Juniper SRX Services Gateway must use DoD-approved PKI rather than proprietary or self-signed device certificates.
 | SV-80985r1_rule | The Juniper SRX Services Gateway must generate an alarm or send an alert message to the management console when a component failure is detected.
 | SV-80987r1_rule | The Juniper SRX Services Gateway must be configured to prohibit the use of unnecessary and/or nonsecure functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
 | SV-80989r1_rule | For nonlocal maintenance sessions, the Juniper SRX Services Gateway must remove or explicitly deny the use of nonsecure protocols.
 | SV-80991r1_rule | The Juniper SRX Services Gateway must authenticate NTP servers before establishing a network connection using bidirectional authentication that is cryptographically based.
 | SV-80993r1_rule | The Juniper SRX Services Gateway must ensure SSH is disabled for root user logon to prevent remote access using the root account.
 | SV-80997r1_rule | The Juniper SRX Services Gateway must ensure access to start a UNIX-level shell is restricted to only the root account.
 | SV-80999r1_rule | The Juniper SRX Services Gateway must ensure TCP forwarding is disabled for SSH to prevent unauthorized access.
 | SV-81001r1_rule | The Juniper SRX Services Gateway must be configured with only one local user account to be used as the account of last resort.
 | SV-81003r1_rule | The Juniper SRX Services Gateway must implement replay-resistant authentication mechanisms for network access to privileged accounts.
 | SV-81005r1_rule | For local accounts using password authentication (i.e., the root account and the account of last resort), the Juniper SRX Services Gateway must enforce a minimum 15-character password length.
 | SV-81007r1_rule | For local accounts using password authentication (i.e., the root account and the account of last resort), the Juniper SRX Services Gateway must enforce password complexity by setting the password change type to character sets.
 | SV-81009r1_rule | For local accounts using password authentication (i.e., the root account and the account of last resort), the Juniper SRX Services Gateway must enforce password complexity by requiring at least one upper-case character be used.
 | SV-81011r1_rule | For local accounts using password authentication (i.e., the root account and the account of last resort), the Juniper SRX Services Gateway must enforce password complexity by requiring at least one lower-case character be used.
 | SV-81013r2_rule | For local accounts using password authentication (i.e., the root account and the account of last resort), the Juniper SRX Services Gateway must enforce password complexity by requiring at least one numeric character be used.
 | SV-81015r1_rule | For local accounts using password authentication (i.e., the root account and the account of last resort), the Juniper SRX Services Gateway must enforce password complexity by requiring at least one special character be used.
 | SV-81017r1_rule | For local accounts using password authentication (i.e., the root account and the account of last resort), the Juniper SRX Services Gateway must use the SHA1 or later protocol for password authentication.
 | SV-81019r1_rule | For nonlocal maintenance sessions using SSH, the Juniper SRX Services Gateway must securely configure SSHv2 Message Authentication Code (MAC) algorithms to protect the integrity of maintenance and diagnostic communications.
 | SV-81021r1_rule | For nonlocal maintenance sessions using SSH, the Juniper SRX Services Gateway must securely configure SSHv2 with privacy options to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions.
 | SV-81023r2_rule | For nonlocal maintenance sessions, the Juniper SRX Services Gateway must ensure only zones where management functionality is desired have host-inbound-traffic system-services configured.
 | SV-81025r1_rule | The Juniper SRX Services Gateway must immediately terminate SSH network connections when the user logs off, the session abnormally terminates, or an upstream link from the managed device goes down.
 | SV-81027r1_rule | The Juniper SRX Services Gateway must terminate a device management session after 10 minutes of inactivity, except to fulfill documented and validated mission requirements.
 | SV-81029r1_rule | The Juniper SRX Services Gateway must terminate a device management session if the keep-alive count is exceeded.
 | SV-81031r1_rule | The Juniper SRX Services Gateway must configure the control plane to protect against or limit the effects of common types of Denial of Service (DoS) attacks on the device itself by configuring applicable system options and internet-options.
 | SV-81033r1_rule | The Juniper SRX Services Gateway must limit the number of sessions per minute to an organization-defined number for SSH to protect remote access management from unauthorized access.
 | SV-81035r1_rule | The Juniper SRX Services Gateway must reveal log messages or management console alerts only to the ISSO, ISSM, and SA roles.
 | SV-81037r1_rule | The Juniper SRX Services Gateway must be configured to use Junos 12.1 X46 or later to meet the minimum required version for DoD.
 | SV-81039r1_rule | The Juniper SRX Services Gateway must limit the number of concurrent sessions to a maximum of 10 or less for remote access using SSH.
 | SV-81041r1_rule | The Juniper SRX Services Gateway must generate a log event when privileged commands are executed.
 | SV-81043r1_rule | For local accounts created on the device, the Juniper SRX Services Gateway must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
 | SV-81045r1_rule | The Juniper SRX Services Gateway must display the Standard Mandatory DoD Notice and Consent Banner before granting access.
 | SV-81047r1_rule | The Juniper SRX Services Gateway must allow only the ISSM (or administrators/roles appointed by the ISSM) to select which auditable events are to be generated and forwarded to the syslog and/or local logs.
 | SV-81049r1_rule | The Juniper SRX Services Gateway must generate log records when successful attempts to configure the device and use commands occur.
 | SV-81051r1_rule | The Juniper SRX Services Gateway must generate log records when changes are made to administrator privileges.
 | SV-81053r1_rule | The Juniper SRX Services Gateway must generate log records when administrator privileges are deleted.
 | SV-81055r1_rule | The Juniper SRX Services Gateway must generate log records when logon events occur.
 | SV-81057r1_rule | The Juniper SRX Services Gateway must generate log records when privileged commands are executed.
 | SV-81059r1_rule | The Juniper SRX Services Gateway must generate log records when concurrent logons from different workstations occur.
 | SV-81061r1_rule | The Juniper SRX Services Gateway must generate log records containing the full-text recording of privileged commands.
 | SV-81063r1_rule | For local logging, the Juniper SRX Services Gateway must generate a message to the system management console when a log processing failure occurs.
 | SV-81085r1_rule | The Juniper SRX Services Gateway must have the number of rollbacks set to 5 or more.
 | SV-81087r1_rule | The Juniper SRX Services Gateway must specify the order in which authentication servers are used.
 | SV-81089r1_rule | The Juniper SRX Services Gateway must detect the addition of components and issue a priority 1 alert to the ISSM and SA, at a minimum.
 | SV-81091r1_rule | The Juniper SRX Services Gateway must terminate the console session when the serial cable connected to the console port is unplugged.
 | SV-81093r1_rule | The Juniper SRX Services Gateway must implement service redundancy to protect against or limit the effects of common types of Denial of Service (DoS) attacks on the device itself.
 | SV-81095r1_rule | For nonlocal maintenance sessions, the Juniper SRX Services Gateway must explicitly deny the use of J-Web.