Detections
Analytics

DISA Juniper SRX Services Gateway VPN v2r2

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

View Next Version

Audit Details

Name: DISA Juniper SRX Services Gateway VPN v2r2

Updated: 8/26/2024

Authority: DISA STIG

Plugin: Juniper

Revision: 1.2

Estimated Item Count: 29

File Details

Filename: DISA_Juniper_SRX_Services_Gateway_VPN_v2r2_STIG.audit

Size: 67.1 kB

MD5: 1a649225535e9ad6d7f5e9f5012a2a03
SHA256: f100216433d770497456495d20c982685993648cde2b971bc2940909552d06ba

Audit Items

DescriptionCategories
JUSX-VN-000001 - The Juniper SRX Services Gateway VPN must limit the number of concurrent sessions for user accounts to one (1) and administrative accounts to three (3), or set to an organization-defined number.
JUSX-VN-000002 - The Juniper SRX Services Gateway VPN must renegotiate the IPsec security association after 8 hours or less.
JUSX-VN-000003 - The Juniper SRX Services Gateway VPN must renegotiate the IKE security association after 24 hours or less.
JUSX-VN-000004 - The Juniper SRX Services Gateway VPN device also fulfills the role of IDPS in the architecture, the device must inspect the VPN traffic in compliance with DoD IDPS requirements.
JUSX-VN-000005 - The Juniper SRX Services Gateway VPN must use AES encryption for the IPsec proposal to protect the confidentiality of remote access sessions.
JUSX-VN-000006 - The Juniper SRX Services Gateway VPN must use AES encryption for the Internet Key Exchange (IKE) proposal to protect the confidentiality of remote access sessions.
JUSX-VN-000007 - The Juniper SRX Services Gateway VPN must implement a FIPS-140-2 validated Diffie-Hellman (DH) group.
JUSX-VN-000008 - The Juniper SRX Services Gateway VPN must be configured to use IPsec with SHA1 or greater to negotiate hashing to protect the integrity of remote access sessions.
JUSX-VN-000009 - The Juniper SRX Services Gateway VPN must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.
JUSX-VN-000010 - The Juniper SRX Services Gateway VPN must use Internet Key Exchange (IKE) for IPsec VPN Security Associations (SAs).
JUSX-VN-000011 - If IDPS inspection is performed separately from the Juniper SRX Services Gateway VPN device, the VPN must route sessions to an IDPS for inspection.
JUSX-VN-000012 - The Juniper SRX Services Gateway VPN must not accept certificates that have been revoked when using PKI for authentication.
JUSX-VN-000013 - The Juniper SRX Services Gateway VPN must specify Perfect Forward Secrecy (PFS).
JUSX-VN-000014 - The Juniper SRX Services Gateway VPN must use Encapsulating Security Payload (ESP) in tunnel mode.
JUSX-VN-000015 - The Juniper SRX Services Gateway must disable or remove unnecessary network services and functions that are not used as part of its role in the architecture.
JUSX-VN-000016 - The Juniper SRX Services Gateway VPN must use IKEv2 for IPsec VPN security associations.
JUSX-VN-000017 - The Juniper SRX Services Gateway VPN must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
JUSX-VN-000018 - The Juniper SRX Services Gateway VPN must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
JUSX-VN-000019 - The Juniper SRX Services Gateway VPN must use multifactor authentication (e.g., DoD PKI) for network access to non-privileged accounts.
JUSX-VN-000020 - The Juniper SRX Services Gateway VPN must use FIPS 140-2 compliant mechanisms for authentication to a cryptographic module.
JUSX-VN-000021 - The Juniper SRX Services Gateway VPN must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).
JUSX-VN-000022 - The Juniper SRX Services Gateway VPN must terminate all network connections associated with a communications session at the end of the session.
JUSX-VN-000023 - The Juniper SRX Services Gateway VPN Internet Key Exchange (IKE) must use cryptography that is compliant with Suite B parameters when transporting classified traffic across an unclassified network.
JUSX-VN-000024 - The Juniper SRX Services Gateway VPN IKE must use NIST FIPS-validated cryptography to implement encryption services for unclassified VPN traffic.
JUSX-VN-000025 - The Juniper SRX Services Gateway VPN must configure Internet Key Exchange (IKE) with SHA1 or greater to protect the authenticity of communications sessions.
JUSX-VN-000026 - The Juniper SRX Services Gateway VPN must only allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions.
JUSX-VN-000027 - The Juniper SRX Services Gateway VPN must only allow incoming VPN communications from organization-defined authorized sources routed to organization-defined authorized destinations.
JUSX-VN-000028 - The Juniper SRX Services Gateway VPN must disable split-tunneling for remote clients VPNs.
JUSX-VN-000031 - The Juniper SRX Services Gateway VPN must use anti-replay mechanisms for security associations.