SV-214529r559708_rule
V-214529
SRG-NET-000362-ALG-000112
JUSX-AG-000120
CAT I
10
The following example commands configure security screens under a profile named untrust-screen. Screen options have configurable thresholds that may be tuned to minimize or prevent operational impact on traffic performance.
[edit]
set security screen ids-option <zone-name> <screen name> <option name> <value>
Based on 800-53 requirements and vendor recommendations, the following DoS screens are required, at a minimum, for use in DoD configurations.
set security screen ids-option untrust-screen icmp ip-sweep threshold 1000
set security screen ids-option untrust-screen tcp port-scan threshold 1000
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1000
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 1100
set security screen ids-option untrust-screen tcp syn-flood source-threshold 100
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen udp flood threshold 5000
set security screen ids-option untrust-screen udp udp-sweep threshold 1000
To enable screen protection, the screen profile must be associated with each security zone using the following command. It is recommended to assign the "untrust-screen" profile to the default zone named "untrust".
[edit]
set security zones security-zone <zone-name> screen <screen-profile>
Example: set security zones security-zone untrust screen untrust-screen
Run the following commands to see the screen options currently configured and the screen profile bound to each zone:
[edit]
show security screen ids-option
show security zones | match screen
If security screens are not configured or if the security zone is not configured with screen options, this is a finding.
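As an added example, not part of the STIG text, the following Python audits this check against Junos configuration in "display set" form: it requires the screen list from the fix text above under every profile that a zone binds, and flags any zone with no screen statement. The sample configuration is constructed (one screen missing, one zone unbound), and the regexes and function name are assumptions, not a Juniper tool.

```python
import re

# Screens the fix text requires at a minimum, as (protocol, screen, option); the values are site-tunable.
REQUIRED_SCREENS = {
    ("icmp", "ip-sweep", "threshold"), ("tcp", "port-scan", "threshold"),
    ("tcp", "syn-flood", "alarm-threshold"), ("tcp", "syn-flood", "attack-threshold"),
    ("tcp", "syn-flood", "source-threshold"), ("tcp", "syn-flood", "destination-threshold"),
    ("tcp", "syn-flood", "timeout"), ("udp", "flood", "threshold"),
    ("udp", "udp-sweep", "threshold"),
}
SCREEN_RE = re.compile(r"^set security screen ids-option (\S+) (\S+) (\S+) (\S+) \S+$")  # options with a value
ZONE_RE = re.compile(r"^set security zones security-zone (\S+)")
BIND_RE = re.compile(r"^set security zones security-zone (\S+) screen (\S+)$")

# Constructed sample of "show configuration | display set" output (not from a real device).
SAMPLE_CONFIG = """\
set security screen ids-option untrust-screen icmp ip-sweep threshold 1000
set security screen ids-option untrust-screen tcp port-scan threshold 1000
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1000
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 1100
set security screen ids-option untrust-screen tcp syn-flood source-threshold 100
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen udp flood threshold 5000
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/1.0
"""

def audit_screens(config_text):
    """Return a sorted list of findings for this check; an empty list means no finding."""
    profiles = {}  # screen profile -> set of (protocol, screen, option) configured under it
    zones = {}     # zone name -> bound screen profile, or None if the zone has no screen statement
    for line in config_text.splitlines():
        line = line.strip()
        if m := SCREEN_RE.match(line):
            profiles.setdefault(m.group(1), set()).add(m.group(2, 3, 4))
        elif m := ZONE_RE.match(line):
            zones.setdefault(m.group(1), None)
            if b := BIND_RE.match(line):
                zones[b.group(1)] = b.group(2)
    findings = []
    for zone, profile in sorted(zones.items()):
        if profile is None:
            findings.append(f"zone {zone} has no screen profile bound")
            continue
        # A zone bound to a profile with no ids-option lines reports every required screen as missing.
        for proto, screen, option in sorted(REQUIRED_SCREENS - profiles.get(profile, set())):
            findings.append(f"zone {zone}: profile {profile} lacks {proto} {screen} {option}")
    return findings
```

Feed it the output of "show configuration | display set" saved from the device; any returned line is a finding under this rule.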