STIGQter: STIG Summary: Juniper SRX Services Gateway VPN Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 23 Apr 2021

The Juniper SRX Services Gateway VPN must implement a FIPS-140-2 validated Diffie-Hellman (DH) group.

DISA Rule

SV-214674r382783_rule

Vulnerability Number

V-214674

Group Title

SRG-NET-000062

Rule Version

JUSX-VN-000007

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

The command below is an example of how to configure the dh-group of an IKE (phase 1) proposal. Apply it to every proposal referenced by an IKE policy and commit the change. The following DH groups are allowed for use in DoD:
- group 14 (2048-bit MODP)
- group 19 (256-bit random ECP)
- group 20 (384-bit random ECP)
- group 5 (1536-bit MODP)
- group 24 (2048-bit MODP with 256-bit prime-order subgroup)
Note that group 5 uses a 1536-bit modulus, below the 2048-bit minimum that NIST SP 800-131A Rev 2 accepts for finite-field DH, so prefer group 14 or the ECP groups where the peer supports them.

Example:
[edit]
set security ike proposal <P1-PROPOSAL-NAME> dh-group group14

Check Contents

Verify all IKE proposals are set to use a FIPS-validated dh-group.

[edit]
show security ike proposal <P1-PROPOSAL-NAME>

View the dh-group option of the proposal. Repeat this for every proposal referenced by an IKE policy, or omit the proposal name (show security ike proposal) to list them all; in configuration mode, show security ike | display set | match dh-group prints one line per proposal that sets the option. A proposal that does not set dh-group falls back to the Junos default and should be treated as not set.

If the IKE option is not set to a FIPS-140-2 validated dh-group, this is a finding.
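The following Python script is an added example, not part of the STIG, DISA tooling or STIGQter. It applies the allowed-group list from the Fix Recommendation and the procedure from Check Contents to the text of "show configuration security ike | display set", reporting every IKE proposal whose dh-group is missing or not allowed, and flagging policies that use a predefined proposal-set (whose groups are not visible in that output). The proposal and policy names and the sample configuration are constructed for illustration.

```python
"""Audit Junos SRX IKE proposals for JUSX-VN-000007 (FIPS-validated dh-group).

Hypothetical checker written for this page; it is not part of the STIG, of
DISA tooling or of STIGQter. Feed it the text of
    show configuration security ike | display set
and it reports every IKE (phase 1) proposal whose dh-group is missing or not
in the allowed list, plus policies that rely on a predefined proposal-set.
"""
import re
from dataclasses import dataclass

# DH groups the STIG Fix Recommendation lists as allowed for DoD use.
# group5 is 1536-bit MODP, below the 2048-bit modulus minimum that NIST
# SP 800-131A Rev 2 accepts for finite-field DH, so a stricter profile
# would pass allowed=DOD_ALLOWED_DH_GROUPS - {"group5"}.
DOD_ALLOWED_DH_GROUPS = frozenset(
    {"group14", "group19", "group20", "group5", "group24"}
)

# Constructed sample output (not captured from a real device). P1-LEGACY uses
# group2, P1-UNSET never sets dh-group, P1-FIPS is compliant, and POL-SITE-A
# relies on the predefined "standard" proposal-set whose groups are not shown.
SAMPLE_CONFIG = """\
set security ike proposal P1-LEGACY authentication-method pre-shared-keys
set security ike proposal P1-LEGACY dh-group group2
set security ike proposal P1-LEGACY authentication-algorithm sha1
set security ike proposal P1-LEGACY encryption-algorithm 3des-cbc
set security ike proposal P1-FIPS authentication-method rsa-signatures
set security ike proposal P1-FIPS dh-group group14
set security ike proposal P1-FIPS authentication-algorithm sha-256
set security ike proposal P1-FIPS encryption-algorithm aes-256-cbc
set security ike proposal P1-UNSET authentication-method pre-shared-keys
set security ike proposal P1-UNSET encryption-algorithm aes-128-cbc
set security ike policy POL-SITE-A mode main
set security ike policy POL-SITE-A proposal-set standard
set security ike policy POL-SITE-B mode main
set security ike policy POL-SITE-B proposals P1-FIPS
"""

# "set security ike proposal <name> [<option> [<value ...>]]"
PROPOSAL_RE = re.compile(r"^set security ike proposal (\S+)(?: (\S+)(?: (.*))?)?$")
# "set security ike policy <name> proposal-set <basic|compatible|standard|...>"
PROPOSAL_SET_RE = re.compile(r"^set security ike policy (\S+) proposal-set (\S+)$")


@dataclass(frozen=True)
class Finding:
    obj: str     # the proposal or policy the finding applies to
    reason: str  # why it is (or may be) a finding


def parse_ike_proposals(config):
    """Map each configured IKE proposal name to its dh-group (None if unset)."""
    proposals = {}
    for line in config.splitlines():
        m = PROPOSAL_RE.match(line.strip())
        if not m:
            continue
        name, option, value = m.groups()
        proposals.setdefault(name, None)  # record the proposal even without dh-group
        if option == "dh-group" and value:
            proposals[name] = value.strip()
    return proposals


def parse_proposal_sets(config):
    """Return (policy, proposal-set) pairs for policies that use predefined sets."""
    return [
        m.groups()
        for m in (PROPOSAL_SET_RE.match(line.strip()) for line in config.splitlines())
        if m
    ]


def audit_dh_groups(config, allowed=DOD_ALLOWED_DH_GROUPS):
    """Apply the JUSX-VN-000007 check to 'display set' text; [] means no finding."""
    findings = []
    for name, group in sorted(parse_ike_proposals(config).items()):
        if group is None:
            findings.append(Finding(
                f"proposal {name}",
                "dh-group not set; the check requires it to be set to an allowed group"))
        elif group not in allowed:
            findings.append(Finding(
                f"proposal {name}",
                f"dh-group {group} is not an allowed group ({', '.join(sorted(allowed))})"))
    for policy, pset in parse_proposal_sets(config):
        findings.append(Finding(
            f"policy {policy}",
            f"uses predefined proposal-set '{pset}'; its DH groups are not shown in "
            "'display set' output, verify them manually"))
    return findings


if __name__ == "__main__":
    for f in audit_dh_groups(SAMPLE_CONFIG):
        print(f"FINDING {f.obj}: {f.reason}")
```

Run it against a saved "display set" capture instead of SAMPLE_CONFIG to audit a real gateway; an empty result from audit_dh_groups means every explicitly configured proposal uses an allowed group, while any proposal-set finding still needs the predefined set's groups checked by hand.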

Documentable

False

Severity Override Guidance


Check Content Reference

M

Target Key

4009

Comments