Checked | Name | Title |
---|---|---|
☐ | SV-214668r382774_rule | The Juniper SRX Services Gateway VPN must limit the number of concurrent sessions for user accounts to one (1) and administrative accounts to three (3), or set to an organization-defined number. |
☐ | SV-214669r695322_rule | The Juniper SRX Services Gateway VPN must renegotiate the IPsec security association after 8 hours or less. |
☐ | SV-214670r695320_rule | The Juniper SRX Services Gateway VPN must renegotiate the IKE security association after 24 hours or less. |
☐ | SV-214671r382780_rule | If the Juniper SRX Services Gateway VPN device also fulfills the role of IDPS in the architecture, the device must inspect the VPN traffic in compliance with DoD IDPS requirements. |
☐ | SV-214672r382783_rule | The Juniper SRX Services Gateway VPN must use AES encryption for the IPsec proposal to protect the confidentiality of remote access sessions. |
☐ | SV-214673r382783_rule | The Juniper SRX Services Gateway VPN must use AES encryption for the Internet Key Exchange (IKE) proposal to protect the confidentiality of remote access sessions. |
☐ | SV-214674r382783_rule | The Juniper SRX Services Gateway VPN must implement a FIPS-140-2 validated Diffie-Hellman (DH) group. |
☐ | SV-214675r382846_rule | The Juniper SRX Services Gateway VPN must be configured to use IPsec with SHA1 or greater to negotiate hashing to protect the integrity of remote access sessions. |
☐ | SV-214676r382735_rule | The Juniper SRX Services Gateway VPN must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies. |
☐ | SV-214677r385561_rule | The Juniper SRX Services Gateway VPN must use Internet Key Exchange (IKE) for IPsec VPN Security Associations (SAs). |
☐ | SV-214678r385561_rule | If IDPS inspection is performed separately from the Juniper SRX Services Gateway VPN device, the VPN must route sessions to an IDPS for inspection. |
☐ | SV-214679r385561_rule | The Juniper SRX Services Gateway VPN must not accept certificates that have been revoked when using PKI for authentication. |
☐ | SV-214680r385561_rule | The Juniper SRX Services Gateway VPN must specify Perfect Forward Secrecy (PFS). |
☐ | SV-214681r385561_rule | The Juniper SRX Services Gateway VPN must use Encapsulating Security Payload (ESP) in tunnel mode. |
☐ | SV-214682r382903_rule | The Juniper SRX Services Gateway must disable or remove unnecessary network services and functions that are not used as part of its role in the architecture. |
☐ | SV-214683r385486_rule | The Juniper SRX Services Gateway VPN must use IKEv2 for IPsec VPN security associations. |
☐ | SV-214684r385486_rule | The Juniper SRX Services Gateway VPN must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. |
☐ | SV-214685r385489_rule | The Juniper SRX Services Gateway VPN must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). |
☐ | SV-214686r385492_rule | The Juniper SRX Services Gateway VPN must use multifactor authentication (e.g., DoD PKI) for network access to non-privileged accounts. |
☐ | SV-214687r385516_rule | The Juniper SRX Services Gateway VPN must use FIPS 140-2 compliant mechanisms for authentication to a cryptographic module. |
☐ | SV-214688r385519_rule | The Juniper SRX Services Gateway VPN must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users). |
☐ | SV-214689r695324_rule | The Juniper SRX Services Gateway VPN must terminate all network connections associated with a communications session at the end of the session. |
☐ | SV-214690r383485_rule | The Juniper SRX Services Gateway VPN Internet Key Exchange (IKE) must use cryptography that is compliant with Suite B parameters when transporting classified traffic across an unclassified network. |
☐ | SV-214691r383878_rule | The Juniper SRX Services Gateway VPN IKE must use NIST FIPS-validated cryptography to implement encryption services for unclassified VPN traffic. |
☐ | SV-214692r383107_rule | The Juniper SRX Services Gateway VPN must configure Internet Key Exchange (IKE) with SHA1 or greater to protect the authenticity of communications sessions. |
☐ | SV-214693r383494_rule | The Juniper SRX Services Gateway VPN must only allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions. |
☐ | SV-214694r383581_rule | The Juniper SRX Services Gateway VPN must only allow incoming VPN communications from organization-defined authorized sources routed to organization-defined authorized destinations. |
☐ | SV-214695r383596_rule | The Juniper SRX Services Gateway VPN must disable split-tunneling for remote client VPNs. |
☐ | SV-214696r385498_rule | The Juniper SRX Services Gateway VPN must use anti-replay mechanisms for security associations. |