STIGQter: STIG Summary: Juniper SRX Services Gateway VPN Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021

The Juniper SRX Services Gateway VPN must use AES encryption for the Internet Key Exchange (IKE) proposal to protect the confidentiality of remote access sessions.

DISA Rule

SV-214673r382783_rule

Vulnerability Number

V-214673

Group Title

SRG-NET-000062

Rule Version

JUSX-VN-000006

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

The following example command configures the encryption algorithm for an IKE (phase 1) proposal. The encryption-algorithm option may be set to aes-128-cbc, aes-192-cbc, or aes-256-cbc.

[edit]
set security ike proposal <IKE-PROPOSAL-NAME> encryption-algorithm aes-256-cbc

Check Contents

Verify all IKE proposals are set to use the AES encryption algorithm.

[edit]
show security ike

View the value of the encryption algorithm for each defined proposal.

If the value of the encryption algorithm for any IKE proposal is not set to use an AES algorithm, this is a finding.
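An added example (not part of the STIG text or any Juniper tooling): one way to run this check offline against saved `show security ike` configuration output. The sample configuration is constructed, the function names are hypothetical, and two points are assumptions drawn from the check wording: AES values begin with `aes-`, as the three named in the fix do, and a proposal with no encryption-algorithm statement counts as a finding.

```python
import re

# Constructed sample of "show security ike" configuration output (not from a real device).
SAMPLE = """\
proposal IKE-PROP-OK {
    authentication-method pre-shared-keys;
    dh-group group14;
    authentication-algorithm sha-256;
    encryption-algorithm aes-256-cbc;
}
proposal IKE-PROP-LEGACY {
    authentication-method pre-shared-keys;
    encryption-algorithm 3des-cbc;
}
proposal IKE-PROP-UNSET {
    authentication-method pre-shared-keys;
    dh-group group14;
}
policy IKE-POL {
    mode main;
    proposals [ IKE-PROP-OK IKE-PROP-LEGACY ];
}
"""

def ike_proposal_algorithms(config):
    """Map each IKE proposal name to its encryption-algorithm (None if not set)."""
    algs, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        start = re.match(r"proposal\s+(\S+)\s*\{$", line)
        if start:                      # entering a "proposal NAME {" block
            current = start.group(1)
            algs[current] = None
        elif line == "}":              # leaving whatever block we were in
            current = None
        elif current:                  # statement inside a proposal block
            enc = re.match(r"encryption-algorithm\s+(\S+);$", line)
            if enc:
                algs[current] = enc.group(1)
    return algs

def findings(config):
    """Return the proposals that are not set to an AES algorithm (assumed 'aes-' prefix)."""
    algs = ike_proposal_algorithms(config)
    return sorted(n for n, a in algs.items() if a is None or not a.startswith("aes-"))

if __name__ == "__main__":
    for name in findings(SAMPLE):
        print(f"FINDING (JUSX-VN-000006): IKE proposal {name} is not set to AES")
```

An empty result from `findings()` means every defined proposal carries an AES encryption algorithm; any name returned maps to a finding under this rule.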

Documentable

False

Severity Override Guidance

Verify all IKE proposals are set to use the AES encryption algorithm.

[edit]
show security ike

View the value of the encryption algorithm for each defined proposal.

If the value of the encryption algorithm for any IKE proposal is not set to use an AES algorithm, this is a finding.

Check Content Reference

M

Target Key

4009
