STIGQter: STIG Summary: Juniper SRX Services Gateway VPN Security Technical Implementation Guide, Version: 2, Release: 1, Benchmark Date: 23 Apr 2021

The Juniper SRX Services Gateway VPN Internet Key Exchange (IKE) must use cryptography that is compliant with Suite B parameters when transporting classified traffic across an unclassified network.

DISA Rule

SV-214690r383485_rule

Vulnerability Number

V-214690

Group Title

SRG-NET-000352

Rule Version

JUSX-VN-000023

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

The following example commands configure the IKE (phase 1) Suite B proposal. Note that the SRX must run Junos 12.1X46 or later to support Suite B.

[edit]
set security ike proposal suiteb-proposal
set security ike proposal suiteb-proposal authentication-method ecdsa-signatures-384
set security ike proposal suiteb-proposal dh-group group20
set security ike proposal suiteb-proposal authentication-algorithm sha-384
set security ike proposal suiteb-proposal encryption-algorithm aes-256-cbc

Check Contents

Ask the site representative which proposal implements Suite B.

[edit]
show security ike proposal <suiteb-proposal-name>

View the configured options.

If the authentication-method and the other options are not set for Suite B compliance, this is a finding.
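
The check above can be scripted for repeatable audits. The following is an added example, not part of the STIG or of Juniper's tooling: it compares a named IKE proposal against the four values shown in the fix example. It assumes the configuration was exported in set-command form (for example with `show security ike | display set`); the function names and the sample input are constructed for illustration.

```python
import re

# Expected values are those in the fix example on this page; set-format input is an assumption.
EXPECTED = {
    "authentication-method": "ecdsa-signatures-384",
    "dh-group": "group20",
    "authentication-algorithm": "sha-384",
    "encryption-algorithm": "aes-256-cbc",
}

SET_LINE = re.compile(r"^set security ike proposal (\S+) (\S+) (\S+)\s*$")

def parse_ike_proposals(display_set_text):
    """Return {proposal: {option: value}} from set-format configuration lines."""
    proposals = {}
    for line in display_set_text.splitlines():
        m = SET_LINE.match(line.strip())
        if m:
            name, option, value = m.groups()
            proposals.setdefault(name, {})[option] = value
    return proposals

def check_suiteb(display_set_text, proposal_name):
    """Return a list of findings; an empty list means every option matches."""
    options = parse_ike_proposals(display_set_text).get(proposal_name)
    if options is None:
        return [f"proposal {proposal_name!r} is not configured"]
    findings = []
    for option, want in EXPECTED.items():
        got = options.get(option)
        if got is None:
            findings.append(f"{option} is not set (expected {want})")
        elif got != want:
            findings.append(f"{option} is {got} (expected {want})")
    return findings

# Constructed sample input, not taken from a real device.
SAMPLE = """\
set security ike proposal suiteb-proposal authentication-method ecdsa-signatures-384
set security ike proposal suiteb-proposal dh-group group20
set security ike proposal suiteb-proposal authentication-algorithm sha-384
set security ike proposal suiteb-proposal encryption-algorithm aes-256-cbc
set security ike proposal legacy authentication-method pre-shared-keys
set security ike proposal legacy encryption-algorithm 3des-cbc
"""

if __name__ == "__main__":
    for name in ("suiteb-proposal", "legacy"):
        print(name, check_suiteb(SAMPLE, name) or "no findings")
```

An option that is absent from the proposal is reported as a finding rather than skipped, because the check requires each option to be set explicitly.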

Documentable

False

Check Content Reference

M

Target Key

4009
