STIGQter: STIG Summary: Juniper SRX SG NDM Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The Juniper SRX Services Gateway must authenticate NTP servers before establishing a network connection using bidirectional authentication that is cryptographically based.

DISA Rule

SV-223210r513319_rule

Vulnerability Number

V-223210

Group Title

SRG-APP-000395-NDM-000310

Rule Version

JUSX-DM-000110

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

The Juniper SRX can only be configured to use MD5 NTP authentication keys. MD5 is not FIPS 140-2 validated; therefore, it violates CCI-000803, which is a CAT I requirement. However, MD5 authentication is preferable to no authentication at all. The following commands configure the Juniper SRX to use MD5 authentication keys.

set system ntp authentication-key 1 type md5
set system ntp authentication-key 1 value "$9$EgfcrvX7VY4ZEcwgoHjkP5REyv87"
set system ntp authentication-key 2 type md5
set system ntp authentication-key 2 value "kP5$EgvVfcrwgoY4X7ZEcH$9j RExz50"
set system ntp server <NTP_server_IP> key 1
set system ntp server <NTP_server_IP> prefer
set system ntp server <NTP_server_IP> key 2
set system ntp trusted-key 1
set system ntp trusted-key 2

Check Contents

Verify the Juniper SRX is configured to synchronize internal information system clocks with the primary and secondary NTP sources.

[edit]
show system ntp

If the NTP configuration is not configured to use authentication, this is a finding.
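The following is an added example, not part of the STIG or of STIGQter, showing how the check above and the fix commands can be verified mechanically. It assumes the configuration has been captured in set form (as `show system ntp | display set` prints it); the key values and the 192.0.2.x server addresses in the sample are constructed placeholders. The checker flags the conditions that make this rule a finding (a server with no key, a key that is referenced but never defined, a key that is not listed under trusted-key) and separately reports which keys are MD5, since that type is not FIPS 140-2 validated.

```python
import re

# Constructed sample: set-form NTP configuration after applying the fix from
# this rule. Key values and server addresses are placeholders, not real data.
SAMPLE_CONFIG = """\
set system ntp authentication-key 1 type md5
set system ntp authentication-key 1 value "$9$PLACEHOLDER_KEY_1"
set system ntp authentication-key 2 type md5
set system ntp authentication-key 2 value "$9$PLACEHOLDER_KEY_2"
set system ntp server 192.0.2.10 key 1
set system ntp server 192.0.2.10 prefer
set system ntp server 192.0.2.11 key 2
set system ntp trusted-key 1
set system ntp trusted-key 2
"""

SET_RE = re.compile(r"^set system ntp (.+)$")


def parse_ntp_config(text):
    """Parse set-form `system ntp` statements into keys, servers, trusted keys."""
    keys = {}       # key id -> key type (e.g. "md5"), None if type not seen
    servers = {}    # server address -> key id, or None if unauthenticated
    trusted = set() # key ids listed under trusted-key
    for raw in text.splitlines():
        m = SET_RE.match(raw.strip())
        if not m:
            continue
        tokens = m.group(1).split()
        if tokens[0] == "authentication-key" and len(tokens) >= 4:
            key_id = tokens[1]
            if tokens[2] == "type":
                keys[key_id] = tokens[3]
            else:                      # "value ..." line; type may come later
                keys.setdefault(key_id, None)
        elif tokens[0] == "server" and len(tokens) >= 2:
            addr = tokens[1]
            servers.setdefault(addr, None)
            if len(tokens) >= 4 and tokens[2] == "key":
                servers[addr] = tokens[3]
        elif tokens[0] == "trusted-key" and len(tokens) >= 2:
            trusted.add(tokens[1])
    return keys, servers, trusted


def check_ntp_authentication(text):
    """Return a list of finding strings; an empty list means the check passes."""
    keys, servers, trusted = parse_ntp_config(text)
    findings = []
    if not servers:
        findings.append("no NTP servers configured")
    for addr, key_id in sorted(servers.items()):
        if key_id is None:
            findings.append(f"server {addr} has no authentication key")
            continue
        if key_id not in keys:
            findings.append(f"server {addr} references undefined key {key_id}")
        if key_id not in trusted:
            findings.append(f"key {key_id} used by {addr} is not a trusted-key")
    return findings


def non_fips_keys(text):
    """Key ids whose type is md5 (not FIPS 140-2 validated); informational only."""
    keys, _, _ = parse_ntp_config(text)
    return sorted(k for k, t in keys.items() if t == "md5")


if __name__ == "__main__":
    for f in check_ntp_authentication(SAMPLE_CONFIG) or ["no findings"]:
        print(f)
    print("MD5 keys in use:", non_fips_keys(SAMPLE_CONFIG))
```

Run against the sample, the checker reports no findings and lists keys 1 and 2 as MD5; feed it a capture with a server that lacks a `key` statement and it reports that server, which is exactly the condition the Check Contents describes as a finding.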

Documentable

False

Severity Override Guidance

Verify the Juniper SRX is configured to synchronize internal information system clocks with the primary and secondary NTP sources.

[edit]
show system ntp

If the NTP configuration is not configured to use authentication, this is a finding.

Check Content Reference

M

Target Key

4098

Comments