DISA Juniper SRX Services Gateway VPN v3r1

Audit Details

Name: DISA Juniper SRX Services Gateway VPN v3r1

Updated: 8/26/2024

Authority: DISA STIG

Plugin: Juniper

Revision: 1.0

Estimated Item Count: 29

File Details

Filename: DISA_STIG_Juniper_SRX_Services_Gateway_VPN_v3r1.audit

Size: 75.2 kB

MD5: fd061ae52ed51d276c8b5f0e17f4d703
SHA256: 2e6e6f1ef4c9cde26031f2e3e1072ddd80471e5c82469ffc2863c85de297a7eb

Audit Items

DescriptionCategories
JUSX-VN-000001 - The Juniper SRX Services Gateway VPN must limit the number of concurrent sessions for user accounts to one (1) and administrative accounts to three (3), or set to an organization-defined number.

ACCESS CONTROL

JUSX-VN-000002 - The Juniper SRX Services Gateway VPN must renegotiate the IPsec security association after 8 hours or less.

ACCESS CONTROL

JUSX-VN-000003 - The Juniper SRX Services Gateway VPN must renegotiate the IKE security association after 24 hours or less.

ACCESS CONTROL

JUSX-VN-000004 - The Juniper SRX Services Gateway VPN device also fulfills the role of IDPS in the architecture, the device must inspect the VPN traffic in compliance with DoD IDPS requirements.

ACCESS CONTROL

JUSX-VN-000005 - The Juniper SRX Services Gateway VPN must use AES encryption for the IPsec proposal to protect the confidentiality of remote access sessions.

ACCESS CONTROL

JUSX-VN-000006 - The Juniper SRX Services Gateway VPN must use AES encryption for the Internet Key Exchange (IKE) proposal to protect the confidentiality of remote access sessions.

ACCESS CONTROL

JUSX-VN-000007 - The Juniper SRX Services Gateway VPN must implement a FIPS-140-2 validated Diffie-Hellman (DH) group.

ACCESS CONTROL

JUSX-VN-000008 - The Juniper SRX Services Gateway VPN must be configured to use IPsec with SHA1 or greater to negotiate hashing to protect the integrity of remote access sessions.

ACCESS CONTROL

JUSX-VN-000009 - The Juniper SRX Services Gateway VPN must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.

ACCESS CONTROL

JUSX-VN-000010 - The Juniper SRX Services Gateway VPN must use Internet Key Exchange (IKE) for IPsec VPN Security Associations (SAs).

CONFIGURATION MANAGEMENT

JUSX-VN-000011 - If IDPS inspection is performed separately from the Juniper SRX Services Gateway VPN device, the VPN must route sessions to an IDPS for inspection.

CONFIGURATION MANAGEMENT

JUSX-VN-000012 - The Juniper SRX Services Gateway VPN must not accept certificates that have been revoked when using PKI for authentication.

CONFIGURATION MANAGEMENT

JUSX-VN-000013 - The Juniper SRX Services Gateway VPN must specify Perfect Forward Secrecy (PFS).

CONFIGURATION MANAGEMENT

JUSX-VN-000014 - The Juniper SRX Services Gateway VPN must use Encapsulating Security Payload (ESP) in tunnel mode.

CONFIGURATION MANAGEMENT

JUSX-VN-000015 - The Juniper SRX Services Gateway must disable or remove unnecessary network services and functions that are not used as part of its role in the architecture.

CONFIGURATION MANAGEMENT

JUSX-VN-000016 - The Juniper SRX Services Gateway VPN must use IKEv2 for IPsec VPN security associations.

CONFIGURATION MANAGEMENT

JUSX-VN-000017 - The Juniper SRX Services Gateway VPN must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.

CONFIGURATION MANAGEMENT

JUSX-VN-000018 - The Juniper SRX Services Gateway VPN must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).

IDENTIFICATION AND AUTHENTICATION

JUSX-VN-000019 - The Juniper SRX Services Gateway VPN must use multifactor authentication (e.g., DoD PKI) for network access to non-privileged accounts.

IDENTIFICATION AND AUTHENTICATION

JUSX-VN-000020 - The Juniper SRX Services Gateway VPN must use FIPS 140-2 compliant mechanisms for authentication to a cryptographic module.

IDENTIFICATION AND AUTHENTICATION

JUSX-VN-000021 - The Juniper SRX Services Gateway VPN must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).

IDENTIFICATION AND AUTHENTICATION

JUSX-VN-000022 - The Juniper SRX Services Gateway VPN must terminate all network connections associated with a communications session at the end of the session.

SYSTEM AND COMMUNICATIONS PROTECTION

JUSX-VN-000023 - The Juniper SRX Services Gateway VPN Internet Key Exchange (IKE) must use cryptography that is compliant with Suite B parameters when transporting classified traffic across an unclassified network.

SYSTEM AND COMMUNICATIONS PROTECTION

JUSX-VN-000024 - The Juniper SRX Services Gateway VPN IKE must use NIST FIPS-validated cryptography to implement encryption services for unclassified VPN traffic.

SYSTEM AND COMMUNICATIONS PROTECTION

JUSX-VN-000025 - The Juniper SRX Services Gateway VPN must configure Internet Key Exchange (IKE) with SHA1 or greater to protect the authenticity of communications sessions.

SYSTEM AND COMMUNICATIONS PROTECTION

JUSX-VN-000026 - The Juniper SRX Services Gateway VPN must only allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions.

SYSTEM AND COMMUNICATIONS PROTECTION

JUSX-VN-000027 - The Juniper SRX Services Gateway VPN must only allow incoming VPN communications from organization-defined authorized sources routed to organization-defined authorized destinations.

SYSTEM AND COMMUNICATIONS PROTECTION

JUSX-VN-000028 - The Juniper SRX Services Gateway VPN must disable split-tunneling for remote clients VPNs.

SYSTEM AND COMMUNICATIONS PROTECTION

JUSX-VN-000031 - The Juniper SRX Services Gateway VPN must use anti-replay mechanisms for security associations.

IDENTIFICATION AND AUTHENTICATION