STIGQter: STIG Summary: Juniper SRX Services Gateway VPN Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 23 Apr 2021

The Juniper SRX Services Gateway VPN must not accept certificates that have been revoked when using PKI for authentication.

DISA Rule

SV-214679r385561_rule

Vulnerability Number

V-214679

Group Title

SRG-NET-000512

Rule Version

JUSX-VN-000012

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Configure the CA trust point to enable certificate revocation check by referencing a CRL or via OCSP.

Check Contents

Examine the CA trust point defined on the VPN gateway to determine whether it references a CRL and whether revocation checking is enabled. An alternate mechanism for checking the validity of a certificate is the Online Certificate Status Protocol (OCSP). Unlike CRLs, which provide only periodic certificate status updates, OCSP can provide timely information regarding the status of a certificate.

If revoked certificates are accepted for PKI authentication, this is a finding.
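As an added example (not part of the STIG text or of STIGQter), the check above can be automated against the `display set` form of the gateway's `security pki` configuration. The Junos statements used in the constructed sample (`ca-profile`, `revocation-check crl url`, `revocation-check ocsp url`, `revocation-check disable`) are assumed from the Junos CLI; profile names and URLs are invented. The script takes the conservative position that a profile with no explicit CRL or OCSP source, or with checking disabled, is reported for review.

```python
import re

# Constructed sample of "show configuration security pki | display set" output.
# Profile names and URLs are invented for this example.
SAMPLE_CONFIG = """
set security pki ca-profile VPN-CA-GOOD ca-identity vpn-ca
set security pki ca-profile VPN-CA-GOOD revocation-check crl url http://crl.example.test/vpn-ca.crl
set security pki ca-profile VPN-CA-GOOD revocation-check crl refresh-interval 24
set security pki ca-profile VPN-CA-OCSP ca-identity vpn-ca-2
set security pki ca-profile VPN-CA-OCSP revocation-check ocsp url http://ocsp.example.test
set security pki ca-profile VPN-CA-OFF ca-identity vpn-ca-3
set security pki ca-profile VPN-CA-OFF revocation-check disable
set security pki ca-profile VPN-CA-NONE ca-identity vpn-ca-4
"""

PROFILE_RE = re.compile(r"^set security pki ca-profile (\S+) (.*)$")


def parse_ca_profiles(config_text):
    """Return {profile: {"crl": bool, "ocsp": bool, "disabled": bool}} for each ca-profile."""
    profiles = {}
    for line in config_text.splitlines():
        m = PROFILE_RE.match(line.strip())
        if not m:
            continue
        name, rest = m.groups()
        p = profiles.setdefault(name, {"crl": False, "ocsp": False, "disabled": False})
        tokens = rest.split()
        if tokens[:1] != ["revocation-check"]:
            continue  # ca-identity, enrollment, etc. do not affect this check
        if tokens[1:2] == ["disable"]:
            p["disabled"] = True
        elif tokens[1:3] == ["crl", "url"]:  # CRL distribution point configured
            p["crl"] = True
        elif tokens[1:3] == ["ocsp", "url"]:  # OCSP responder configured
            p["ocsp"] = True
    return profiles


def findings(config_text):
    """Profiles that could accept revoked certificates: checking disabled or no CRL/OCSP source."""
    return sorted(
        name for name, p in parse_ca_profiles(config_text).items()
        if p["disabled"] or not (p["crl"] or p["ocsp"])
    )


if __name__ == "__main__":
    for name in findings(SAMPLE_CONFIG):
        print(f"FINDING (JUSX-VN-000012): ca-profile {name} does not enforce revocation checking")
```

Feed it the real `display set` output captured from the gateway; an empty result means every trust point has a CRL or OCSP source and none has checking disabled.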

Documentable

False

Check Content Reference

M

Target Key

4009

Comments