STIGQter: STIG Summary: Juniper SRX SG IDPS Security Technical Implementation Guide Version: 1 Release: 2 Benchmark Date: 28 Jul 2017:

The Juniper Networks SRX Series Gateway IDPS must block any prohibited mobile code at the enclave boundary when it is detected.

DISA Rule

SV-80895r1_rule

Vulnerability Number

V-66405

Group Title

SRG-NET-000229-IDPS-00163

Rule Version

JUSX-IP-000009

Severity

CAT II

CCI(s)

• CCI-001662 - The information system takes organization-defined corrective action when organization-defined unacceptable mobile code is identified.

Weight

10

Fix Recommendation

To enable IDP services to drop traffic when there is a detection event on a zone based on the IDP policy:

Once the IDP policy is configured, IDP must be enabled on a security policy in order for IDP inspection to be performed.

Keep in mind that IDP inspection will only be performed on the traffic matching the security policies where IDP is enabled.

To enable IDP on a security policy, enter the following command:

set security policies from-zone <FROM ZONE NAME> to-zone <TO ZONE NAME> policy <POLICY
NAME> then permit application-services idp

Check Contents

From operational mode, enter the following command to verify outbound zones are configured with an IDP policy:

show security idp policies

If zones bound to the outbound interfaces, including VPN zones, are not configured with policy filters, rules, signatures, and anomaly analysis, this is a finding.

Vulnerability Number

V-66405

Documentable

False

Rule Version

JUSX-IP-000009

Severity Override Guidance

From operational mode, enter the following command to verify outbound zones are configured with an IDP policy:

show security idp policies

If zones bound to the outbound interfaces, including VPN zones, are not configured with policy filters, rules, signatures, and anomaly analysis, this is a finding.

Check Content Reference

M

Target Key

3037

Comments