STIGQter: STIG Summary: Juniper SRX Services Gateway VPN Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The Juniper SRX Services Gateway VPN must only allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions.

DISA Rule

SV-214693r383494_rule

Vulnerability Number

V-214693

Group Title

SRG-NET-000355

Rule Version

JUSX-VN-000026

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

The following example commands configure the IKE (phase 1) proposals. Use certificates instead of pre-shared keys to establish the IKE phase 1 tunnel.

This proposal requires AES 256-bit encryption

set security ike proposal p1-proposal authentication-method rsa-signatures

Check Contents

Verify that all IKE proposals are set to use the AES encryption algorithm.

[edit]
show security ike

View the value of the authentication-method for each defined proposal.

If the value of the authentication-method for each defined proposal is not set to use AES, this is a finding.
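The fix above configures certificate-based (rsa-signatures) authentication on an IKE proposal, and the check walks every defined proposal and reads its authentication-method. The following is an added example, not code from the STIG or from STIGQter, that automates that walk: it parses the "display set" form of the Junos security ike configuration (the line shape `set security ike proposal <name> <statement> <value>` is assumed), and reports each proposal whose authentication-method is not rsa-signatures or whose encryption-algorithm is not an AES variant. The proposal names and the sample configuration are constructed for the example. The assumptions that an unset authentication-method defaults to pre-shared-keys and an unset encryption-algorithm defaults to a non-AES cipher are the author's, so a missing statement is reported rather than silently passed.

```python
import re

# Constructed sample of "show configuration security ike | display set" output.
# Proposal names and values are made up for this example; p1-proposal mirrors the
# STIG fix, the other two illustrate the two ways a proposal can fail the check.
SAMPLE_CONFIG = """\
set security ike proposal p1-proposal authentication-method rsa-signatures
set security ike proposal p1-proposal encryption-algorithm aes-256-cbc
set security ike proposal p1-proposal dh-group group14
set security ike proposal legacy-psk authentication-method pre-shared-keys
set security ike proposal legacy-psk encryption-algorithm aes-128-cbc
set security ike proposal weak-cipher authentication-method rsa-signatures
set security ike proposal weak-cipher encryption-algorithm 3des-cbc
set security ike policy ike-pol proposals p1-proposal
"""

# Certificate-based authentication methods accepted by this audit. The STIG fix
# names rsa-signatures; extend the set if your platform offers other
# certificate-based methods you have approved.
CERT_AUTH_METHODS = {"rsa-signatures"}

# Assumed line shape for proposal statements in "display set" output.
PROPOSAL_RE = re.compile(
    r"^set security ike proposal (?P<name>\S+) (?P<key>\S+) (?P<value>\S+)$"
)


def parse_proposals(set_output):
    """Return {proposal_name: {statement: value}} from 'display set' lines.

    Lines that are not IKE proposal statements (policies, gateways, comments)
    are ignored.
    """
    proposals = {}
    for raw in set_output.splitlines():
        match = PROPOSAL_RE.match(raw.strip())
        if not match:
            continue
        proposals.setdefault(match["name"], {})[match["key"]] = match["value"]
    return proposals


def audit_proposals(proposals):
    """Return a list of (proposal_name, reason) findings.

    A proposal is a finding if its authentication-method is not
    certificate-based or its encryption-algorithm is not an AES variant.
    A missing statement is reported because the platform default is
    assumed to be non-compliant (pre-shared keys / non-AES cipher).
    """
    findings = []
    for name, stmts in sorted(proposals.items()):
        auth = stmts.get("authentication-method")
        if auth is None:
            findings.append((name, "authentication-method not set (assumed default: pre-shared-keys)"))
        elif auth not in CERT_AUTH_METHODS:
            findings.append((name, f"authentication-method {auth} is not certificate-based"))

        enc = stmts.get("encryption-algorithm")
        if enc is None:
            findings.append((name, "encryption-algorithm not set (assumed default is not AES)"))
        elif not enc.startswith("aes-"):
            findings.append((name, f"encryption-algorithm {enc} is not AES"))
    return findings


def check_config(set_output):
    """Parse the 'display set' text and audit every IKE proposal in it."""
    return audit_proposals(parse_proposals(set_output))


if __name__ == "__main__":
    results = check_config(SAMPLE_CONFIG)
    if not results:
        print("No findings: every IKE proposal uses certificate authentication and AES.")
    for proposal, reason in results:
        print(f"FINDING {proposal}: {reason}")
```

Feed the script the saved output of `show configuration security ike | display set` from each gateway; an empty result means no finding for this rule, and each reported line names the proposal an administrator needs to correct with the `set security ike proposal ... authentication-method rsa-signatures` command from the fix.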

Vulnerability Number

V-214693

Documentable

False

Rule Version

JUSX-VN-000026

Severity Override Guidance

Verify that all IKE proposals are set to use the AES encryption algorithm.

[edit]
show security ike

View the value of the authentication-method for each defined proposal.

If the value of the authentication-method for each defined proposal is not set to use AES, this is a finding.

Check Content Reference

M

Target Key

4009

Comments