JUSX-DM-000114 - The Juniper SRX Services Gateway must ensure TCP forwarding is disabled for SSH to prevent unauthorized access.

Information

Use this configuration option to prevent a user from creating an SSH tunnel over a CLI session to the Juniper SRX via SSH. This type of tunnel could be used to forward TCP traffic, bypassing any firewall filters or ACLs, allowing unauthorized access.

Solution

From the configuration mode, enter the following commands to disable TCP forwarding for the SSH protocol.

[edit]
set system services ssh no-tcp-forwarding

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_SRX_SG_Y24M07_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7b., CAT|II, CCI|CCI-000382, Rule-ID|SV-223214r960966_rule, STIG-ID|JUSX-DM-000114, STIG-Legacy|SV-80999, STIG-Legacy|V-66509, Vuln-ID|V-223214

Plugin: Juniper

Control ID: 93c9b830c26ad8b59e5604c6028330bb9f98e491fef3863b1e54fcb99f111900