JUEX-NM-000340 - The Juniper EX switch must be configured to use FIPS 140-2 approved algorithms for authentication to a cryptographic module.

Information

Unapproved mechanisms that are used for authentication to the cryptographic module are not validated and therefore cannot be relied upon to provide confidentiality or integrity, and DOD data may be compromised.

Network devices utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.

FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DOD requirements. However, authentication algorithms must configure security processes to use only FIPS-approved and NIST-recommended authentication algorithms.

Use only AES Counter (CTR) cipher block chaining modes in compliance with CVE-2008-5161, plugin 70658 based on vendor guidance in KB20853. This prevents certain plaintext attacks in OpenSSH.

Solution

Configure the network device to use FIPS 140-2 approved algorithms for authentication to a cryptographic module.

set system login password format <sha-256|sha-512>
set system services ssh ciphers aes256-ctr
set system services ssh ciphers aes192-ctr
set system services ssh ciphers aes128-ctr
set system services ssh macs hmac-sha2-512
set system services ssh macs hmac-sha2-256
set system services ssh key-exchange ecdh-sha2-nistp521
set system services ssh key-exchange ecdh-sha2-nistp384
set system services ssh key-exchange ecdh-sha2-nistp256
set system services ssh key-exchange dh-group14-sha1
set system rng hmac-drbg

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_EX_Switches_Y24M07_STIG.zip

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-7, CAT|I, CCI|CCI-000803, Rule-ID|SV-253911r961050_rule, STIG-ID|JUEX-NM-000340, Vuln-ID|V-253911

Plugin: Juniper

Control ID: 935e100d7ae5b34cc1d67a4d1ccc5b8c4f3ae1491b35ac2a8545da756c18b79f