STIGQter STIGQter: STIG Summary: Juniper SRX SG VPN Security Technical Implementation Guide

Version: 1

Release: 2 Benchmark Date: 27 Oct 2017

CheckedNameTitle
SV-80511r1_ruleThe Juniper SRX Services Gateway VPN must use AES encryption for the IPsec proposal to protect the confidentiality of remote access sessions.
SV-81107r1_ruleThe Juniper SRX Services Gateway VPN must use AES encryption for the Internet Key Exchange (IKE) proposal to protect the confidentiality of remote access sessions.
SV-81109r1_ruleThe Juniper SRX Services Gateway VPN must use Internet Key Exchange (IKE) for IPsec VPN Security Associations (SAs).
SV-81111r1_ruleThe Juniper SRX Services Gateway VPN must not accept certificates that have been revoked when using PKI for authentication.
SV-81113r1_ruleThe Juniper SRX Services Gateway VPN must use multifactor authentication (e.g., DoD PKI) for network access to non-privileged accounts.
SV-81115r1_ruleThe Juniper SRX Services Gateway VPN Internet Key Exchange (IKE) must use cryptography that is compliant with Suite B parameters when transporting classified traffic across an unclassified network.
SV-81119r1_ruleThe Juniper SRX Services Gateway VPN must limit the number of concurrent sessions for user accounts to one (1) and administrative accounts to three (3), or set to an organization-defined number.
SV-81121r1_ruleThe Juniper SRX Services Gateway VPN must renegotiate the security association after 8 hours or less.
SV-81131r1_ruleThe Juniper SRX Services Gateway VPN must configure Internet Key Exchange (IKE) with SHA1 or greater to protect the authenticity of communications sessions.
SV-81133r1_ruleThe Juniper SRX Services Gateway VPN must renegotiate the security association after 24 hours or less.
SV-81135r1_ruleThe Juniper SRX Services Gateway VPN device also fulfills the role of IDPS in the architecture, the device must inspect the VPN traffic in compliance with DoD IDPS requirements.
SV-81137r1_ruleThe Juniper SRX Services Gateway VPN must implement a FIPS-140-2 validated Diffie-Hellman (DH) group.
SV-81139r2_ruleThe Juniper SRX Services Gateway VPN must be configured to use IPsec with SHA1 or greater to negotiate hashing to protect the integrity of remote access sessions.
SV-81141r1_ruleThe Juniper SRX Services Gateway VPN must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.
SV-81143r1_ruleIf IDPS inspection is performed separately from the Juniper SRX Services Gateway VPN device, the VPN must route sessions to an IDPS for inspection.
SV-81145r1_ruleThe Juniper SRX Services Gateway VPN must specify Perfect Forward Secrecy (PFS).
SV-81147r1_ruleThe Juniper SRX Services Gateway VPN must use Encapsulating Security Payload (ESP) in tunnel mode.
SV-81149r1_ruleThe Juniper SRX Services Gateway must disable or remove unnecessary network services and functions that are not used as part of its role in the architecture.
SV-81151r1_ruleThe Juniper SRX Services Gateway VPN must use IKEv2 for IPsec VPN security associations.
SV-81153r1_ruleThe Juniper SRX Services Gateway VPN must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
SV-81155r1_ruleThe Juniper SRX Services Gateway VPN must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
SV-81157r1_ruleThe Juniper SRX Services Gateway VPN must use FIPS 140-2 compliant mechanisms for authentication to a cryptographic module.
SV-81159r1_ruleThe Juniper SRX Services Gateway VPN must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).
SV-81161r1_ruleThe Juniper SRX Services Gateway VPN IKE must use NIST FIPS-validated cryptography to implement encryption services for unclassified VPN traffic.
SV-81163r1_ruleThe Juniper SRX Services Gateway VPN must only allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions.
SV-81165r1_ruleThe Juniper SRX Services Gateway VPN must only allow incoming VPN communications from organization-defined authorized sources routed to organization-defined authorized destinations.
SV-81167r1_ruleThe Juniper SRX Services Gateway VPN must disable split-tunneling for remote clients VPNs.
SV-81169r1_ruleThe Juniper SRX Services Gateway VPN must use anti-replay mechanisms for security associations.
SV-81171r1_ruleThe Juniper SRX Services Gateway VPN must terminate all network connections associated with a communications session at the end of the session.