JUSX-DM-000124 - The Juniper SRX Services Gateway must implement replay-resistant authentication mechanisms for network access to privileged accounts.

Information

A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack.

An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message.

There are 2 approved methods for accessing the Juniper SRX which are, in order of preference, the SSH protocol and the console port.

Solution

Configure SSH to use a replay-resistant authentication mechanism. The following is an example stanza.

[edit]
set system services ssh macs hmac-sha2-512
set system services ssh macs hmac-sha2-256
set system services ssh macs hmac-sha1
set system services ssh macs hmac-sha1-96

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_SRX_SG_Y24M10_STIG.zip

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(8), CAT|II, CCI|CCI-001941, Rule-ID|SV-223216r960993_rule, STIG-ID|JUSX-DM-000124, STIG-Legacy|SV-81003, STIG-Legacy|V-66513, Vuln-ID|V-223216

Plugin: Juniper

Control ID: 0e422971e91c8c55f81a38f8acbd8d79b13897acfaa4ab322fa0040a3dc2887a