STIGQter: STIG Summary: Juniper SRX SG NDM Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

For nonlocal maintenance sessions, the Juniper SRX Services Gateway must remove or explicitly deny the use of nonsecure protocols.

DISA Rule

SV-223209r513316_rule

Vulnerability Number

V-223209

Group Title

SRG-APP-000142-NDM-000245

Rule Version

JUSX-DM-000109

Severity

CAT II

CCI(s)

CCI-000382 - The organization configures the information system to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services.

Weight

Fix Recommendation

Remove or deny nonsecure protocols to prevent their usage for nonlocal management and diagnostic communications.

Use the delete command to disable services that should not be enabled.

Example deletion commands:

[edit]
delete system services telnet
delete system services ftp
delete snmp v1
delete snmp v2c
delete set system services ssh protocol-version v1

Check Contents

Verify nonsecure protocols are not enabled for management access by viewing the enabled system services.

From the operational hierarchy:

> show config | match "set system services" | display set

From the configuration hierarchy:

[edit]
show snmp
show system services telnet
show system services ftp
show system services ssh

If nonsecure protocols and protocol versions such as Telnet, FTP, SNMPv1, SNMPv2c, or SSHv1 are enabled, this is a finding.

For nonlocal maintenance sessions, the Juniper SRX Services Gateway must remove or explicitly deny the use of nonsecure protocols.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments