STIGQter: STIG Summary: Juniper SRX SG NDM Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

For nonlocal maintenance sessions, the Juniper SRX Services Gateway must ensure only zones where management functionality is desired have host-inbound-traffic system-services configured.

DISA Rule

SV-223228r513373_rule

Vulnerability Number

V-223228

Group Title

SRG-APP-000412-NDM-000331

Rule Version

JUSX-DM-000152

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Remove the host-inbound-traffic system-services option from zones not authorized for management traffic.

Remove unauthorized protocols (e.g., HTTP, HTTPS) from management zones that are configured to allow host-inbound-traffic system-services.

Check Contents

Verify only those zones where management functionality is allowed have host-inbound-traffic system-services configured and that protocols such as HTTP and HTTPS are not assigned to these zones.

[edit]
show security zones functional-zone management

If zones configured for host-inbound-traffic system-services have protocols other than SSH configured, this is a finding.
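As an added example (not part of the STIG text and not Juniper's own tooling), the following script applies the two conditions above to Junos configuration in `display set` format: it flags zones that have host-inbound-traffic system-services although they are not authorized for management, and management zones that allow any system service other than SSH. The zone names, the sample configuration, and the management-zone list are constructed assumptions.

```python
"""Audit Junos 'set'-format configuration for JUSX-DM-000152-style findings.

Added example, not from the STIG or from Juniper. The sample config and
the set of authorized management zones are constructed for illustration.
"""
import re

# Matches: set security zones security-zone <zone> host-inbound-traffic system-services <svc>
SYS_SVC = re.compile(
    r"^set security zones security-zone (\S+) host-inbound-traffic "
    r"system-services (\S+)$"
)

# Constructed sample of 'show configuration | display set' output.
SAMPLE_CONFIG = """
set security zones security-zone mgmt host-inbound-traffic system-services ssh
set security zones security-zone mgmt host-inbound-traffic system-services https
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0
"""


def zone_services(config: str) -> dict:
    """Map each zone to the set of host-inbound system-services it allows."""
    services = {}
    for line in config.splitlines():
        m = SYS_SVC.match(line.strip())
        if m:
            services.setdefault(m.group(1), set()).add(m.group(2))
    return services


def audit(config: str, mgmt_zones: set, allowed: frozenset = frozenset({"ssh"})) -> list:
    """Return one finding string per violation; an empty list means compliant."""
    findings = []
    for zone, svcs in sorted(zone_services(config).items()):
        if zone not in mgmt_zones:
            # Finding 1: system-services configured on a zone not authorized for management.
            findings.append(f"{zone}: system-services {sorted(svcs)} on non-management zone")
            continue
        extra = svcs - allowed
        if extra:
            # Finding 2: a management zone allows a protocol other than SSH.
            findings.append(f"{zone}: unauthorized system-services {sorted(extra)}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, {"mgmt"}):
        print("FINDING:", finding)
```

Feed it the output of `show configuration | display set` from the device under review and the list of zones your organization has authorized for management.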

Documentable

False

Check Content Reference

M

Target Key

4098

Comments