STIGQter: STIG Summary: Juniper Router NDM Security Technical Implementation Guide Version: 1 Release: 5 Benchmark Date: 24 Jul 2020:

The Juniper router must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider.

DISA Rule

SV-101293r1_rule

Vulnerability Number

V-91193

Group Title

SRG-APP-000516-NDM-000344

Rule Version

JUNI-ND-001430

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.
• CCI-001159 - The organization issues public key certificates under an organization-defined certificate policy or obtains public key certificates from an approved service provider.

Weight

10

Fix Recommendation

Step 1. Create a trusted profile and email address to send certificate request to.

[edit security]
set pki ca-profile DODXX_CA ca-identity xxxxx.mil
set pki ca-profile DODXX_CA administrator email-address certadmin@xxxxx.mil

Step 2. Create a revocation check to specify a method for checking certificate revocation.

set pki ca-profile DODXX_CA revocation-check crl url http://server1.example.mil/CertEnroll/example.crl
set pki ca-profile DODXX_CA revocation-check crl refresh-interval 24

Check Contents

Review the router configuration to verify that it is compliant with this requirement. The configuration below is an example of a Certificate Authority profile defining name of the CA, the location of CRL for revocation check and to refresh the CRL every 24 hours, and the email address to send a certificate request.

security {
pki {
ca-profile DODXX_CA {
ca-identity xxxxx.mil;
revocation-check {
crl {
url http://server1.xxxxx.mil/CertEnroll/example.crl;
refresh-interval 24;
}
}
administrator {
email-address "certadmin@xxxxx.mil";
}
}
}
}

If the router is not configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider, this is a finding.

Vulnerability Number

V-91193

Documentable

False

Rule Version

JUNI-ND-001430

Severity Override Guidance

Review the router configuration to verify that it is compliant with this requirement. The configuration below is an example of a Certificate Authority profile defining name of the CA, the location of CRL for revocation check and to refresh the CRL every 24 hours, and the email address to send a certificate request.

security {
pki {
ca-profile DODXX_CA {
ca-identity xxxxx.mil;
revocation-check {
crl {
url http://server1.xxxxx.mil/CertEnroll/example.crl;
refresh-interval 24;
}
}
administrator {
email-address "certadmin@xxxxx.mil";
}
}
}
}

If the router is not configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider, this is a finding.

Check Content Reference

M

Target Key

3381

Comments