STIGQter: STIG Summary: Juniper SRX Services Gateway ALG Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 23 Oct 2020

The Juniper SRX Services Gateway Firewall must block outbound traffic containing known and unknown DoS attacks to protect against the use of internal information systems to launch any Denial of Service (DoS) attacks against other networks or endpoints.

DISA Rule

SV-214532r557389_rule

Vulnerability Number

V-214532

Group Title

SRG-NET-000192-ALG-000121

Rule Version

JUSX-AG-000124

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

To enable screen protection, a screen profile must be associated with each security zone using the following command. The profile name "untrust-screen" is recommended.

Example of applying the screen to each outbound interface:

set security zones security-zone untrust interfaces <OUTBOUND-INTERFACE>
set security zones security-zone trust screen untrust-screen

Check Contents

Obtain and review the list of outbound interfaces and zones. This is usually part of the System Design Specification or Accreditation Package.

Review each of the configured outbound interfaces and zones. Verify zones that communicate outbound have been configured with DoS screens.

[edit]
show security zones <security-zone-name>

If a security screen has not been applied to the zone of every outbound interface, this is a finding.
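The check above is a manual review of "show security zones" output against a list of outbound interfaces. The script below is an added example, not part of the STIG or of STIGQter, that automates the same check over a Junos configuration exported in "display set" form: it maps each outbound interface to its security zone, confirms the zone has a screen profile attached, and confirms that profile is actually defined under "security screen ids-option". The configuration text, the interface names, the outbound-interface list and the "dmz-screen" profile name are constructed for illustration.

```python
import re

# Constructed sample Junos configuration in "display set" form (not from the STIG).
# Zone names, interfaces and the "dmz-screen" profile are assumptions for the example.
SAMPLE_CONFIG = """\
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp land
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone dmz interfaces ge-0/0/2.0
set security zones security-zone dmz screen dmz-screen
"""

# Constructed list of outbound interfaces, standing in for the System Design
# Specification or Accreditation Package the check tells the reviewer to obtain.
SAMPLE_OUTBOUND = ["ge-0/0/0.0", "ge-0/0/2.0", "ge-0/0/3.0"]

ZONE_IF_RE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)")
ZONE_SCREEN_RE = re.compile(r"^set security zones security-zone (\S+) screen (\S+)")
SCREEN_DEF_RE = re.compile(r"^set security screen ids-option (\S+)")


def parse_zones(config_text):
    """Return (zone -> set of interfaces, zone -> screen profile, set of defined profiles)."""
    zone_ifs = {}
    zone_screen = {}
    profiles = set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := ZONE_IF_RE.match(line):
            zone_ifs.setdefault(m.group(1), set()).add(m.group(2))
        elif m := ZONE_SCREEN_RE.match(line):
            zone_screen[m.group(1)] = m.group(2)
        elif m := SCREEN_DEF_RE.match(line):
            profiles.add(m.group(1))
    return zone_ifs, zone_screen, profiles


def audit_outbound_screens(config_text, outbound_interfaces):
    """Return a list of finding strings; an empty list means the check passes."""
    zone_ifs, zone_screen, profiles = parse_zones(config_text)
    # Invert the zone -> interfaces map so each interface resolves to its zone.
    if_to_zone = {ifc: zone for zone, ifs in zone_ifs.items() for ifc in ifs}
    findings = []
    for ifc in outbound_interfaces:
        zone = if_to_zone.get(ifc)
        if zone is None:
            findings.append(f"{ifc}: outbound interface is not assigned to any security zone")
            continue
        profile = zone_screen.get(zone)
        if profile is None:
            findings.append(f"{ifc}: zone '{zone}' has no screen profile applied")
        elif profile not in profiles:
            # A zone can reference a profile name that was never defined; Junos
            # will not enforce any screen checks in that case, so flag it.
            findings.append(f"{ifc}: zone '{zone}' references undefined screen profile '{profile}'")
    return findings


if __name__ == "__main__":
    for finding in audit_outbound_screens(SAMPLE_CONFIG, SAMPLE_OUTBOUND):
        print("FINDING:", finding)
```

Run against the constructed sample, the audit reports two findings: the dmz zone references a screen profile that is never defined, and ge-0/0/3.0 belongs to no zone at all; the untrust zone passes. The script only verifies that a defined screen profile is attached to every outbound zone, which is what this rule checks; it does not judge which screen options the profile contains.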

Documentable

False

Severity Override Guidance


Check Content Reference

M

Target Key

4004

Comments