STIGQter: STIG Summary: Juniper SRX Services Gateway VPN Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The Juniper SRX Services Gateway VPN must renegotiate the IPsec security association after 8 hours or less.

DISA Rule

SV-214669r695322_rule

Vulnerability Number

V-214669

Group Title

SRG-NET-000517

Rule Version

JUSX-VN-000002

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Set the lifetime (in seconds) of the IPsec proposal to 8 hours or less.

Example:

[edit]
set security ipsec proposal <P2-PROPOSAL-NAME> lifetime-seconds 28800

Check Contents

Review all IPsec security associations configured globally or within IPsec profiles on the VPN gateway and examine the configured idle time. The default is 3600.

[edit]
show security ipsec proposal

View the value of the lifetime-seconds option.

If the IPsec proposal's lifetime-seconds value does not cause the security association to be renegotiated after 8 hours or less of idle time, this is a finding.

If the IPsec proposal lifetime-seconds is not configured, this is a finding.
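The check above can be automated over the output of "show security ipsec proposal". The following Python script is an added example, not part of the STIG or of STIGQter; it assumes the output is in Junos configuration-hierarchy format (the "proposal NAME { ... }" form shown in configuration mode) and uses a constructed sample rather than output captured from a real device. It applies both finding conditions from the check: a proposal whose lifetime-seconds is absent and a proposal whose value exceeds 8 hours (28800 seconds) are each reported as a finding.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Maximum SA lifetime permitted by the rule: 8 hours expressed in seconds.
MAX_LIFETIME_SECONDS = 8 * 60 * 60  # 28800

# Constructed sample of "show security ipsec proposal" output in Junos
# configuration-hierarchy format (assumed layout; not captured from a device).
SAMPLE_OUTPUT = """\
proposal P2-COMPLIANT {
    protocol esp;
    authentication-algorithm hmac-sha-256-128;
    encryption-algorithm aes-256-cbc;
    lifetime-seconds 28800;
}
proposal P2-TOO-LONG {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 86400;
}
proposal P2-UNSET {
    protocol esp;
    authentication-algorithm hmac-sha-256-128;
    encryption-algorithm aes-256-gcm;
}
"""


@dataclass
class ProposalResult:
    name: str
    lifetime_seconds: Optional[int]
    finding: bool
    reason: str


_PROPOSAL_RE = re.compile(r"^\s*proposal\s+(\S+)\s*\{")
_LIFETIME_RE = re.compile(r"^\s*lifetime-seconds\s+(\d+)\s*;")


def parse_proposals(text: str) -> Dict[str, Optional[int]]:
    """Map each proposal name to its lifetime-seconds value (None if not configured)."""
    proposals: Dict[str, Optional[int]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        m = _PROPOSAL_RE.match(line)
        if m:
            current = m.group(1)
            proposals[current] = None  # assume unset until a lifetime line is seen
            continue
        if current is None:
            continue
        m = _LIFETIME_RE.match(line)
        if m:
            proposals[current] = int(m.group(1))
        elif line.strip() == "}":
            current = None  # end of this proposal block (no nested blocks expected)
    return proposals


def evaluate(proposals: Dict[str, Optional[int]]) -> List[ProposalResult]:
    """Apply the two finding conditions from the STIG check to each proposal."""
    results = []
    for name, lifetime in proposals.items():
        if lifetime is None:
            results.append(ProposalResult(name, None, True, "lifetime-seconds not configured"))
        elif lifetime > MAX_LIFETIME_SECONDS:
            results.append(ProposalResult(
                name, lifetime, True,
                f"lifetime-seconds {lifetime} exceeds {MAX_LIFETIME_SECONDS}"))
        else:
            results.append(ProposalResult(name, lifetime, False, "compliant"))
    return results


def check_output(text: str) -> List[ProposalResult]:
    return evaluate(parse_proposals(text))


def findings(text: str) -> List[str]:
    """Names of proposals that constitute a finding under JUSX-VN-000002."""
    return [r.name for r in check_output(text) if r.finding]


if __name__ == "__main__":
    for r in check_output(SAMPLE_OUTPUT):
        status = "FINDING" if r.finding else "OK"
        print(f"{status:8} {r.name:14} {r.reason}")
```

Run it against saved output of the command from configuration mode; the parser treats a proposal with no lifetime-seconds line as a finding rather than assuming the 3600-second default, which matches the check's wording that an unconfigured value is itself a finding.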

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4009

Comments