JUSX-VN-000014 - The Juniper SRX Services Gateway VPN must use Encapsulating Security Payload (ESP) in tunnel mode.

Information

ESP provides confidentiality, data origin authentication, integrity, and anti-replay services within the IPsec suite of protocols. ESP in tunnel mode ensures a secure path for communications for site-to-site VPNs and gateway to endpoints, including header information.

ESP can be deployed in either transport or tunnel mode. Transport mode is used to create a secured session between two hosts. It can also be used when two hosts simply want to authenticate each IP packet with IPsec authentication header (AH). With ESP transport mode, only the payload (transport layer) is encrypted, whereas with tunnel mode, the entire IP packet is encrypted and encapsulated with a new IP header. Tunnel mode is used to encrypt traffic between secure IPsec gateways or between an IPsec gateway and an end-station running IPsec software. Hence, it is the only method to provide a secured path to transport traffic between remote sites or end-stations and the central site.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Configure Phase 2 for ESP and allow IKE as a host-inbound service within the security zone associated with the IKE gateway's external interface configuration. Any traffic that you wish to encrypt is routed to this tunnel interface.

Example:

[edit
set security ipsec proposal IPSEC-PROPOSAL protocol esp

Assumes the external interface is associated with the 'untrust' zone.

[edit]
set security ike gateway <IKE-PEER> external-interface <EXTERNAL-INTERFACE-NAME>
set security zones security-zone untrust host-inbound-traffic system-services ike

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_SRX_SG_Y24M10_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Rule-ID|SV-214681r385561_rule, STIG-ID|JUSX-VN-000014, STIG-Legacy|SV-81147, STIG-Legacy|V-66657, Vuln-ID|V-214681

Plugin: Juniper

Control ID: 0459137dc4fee980061e83ffbb6a7039ca3141fcc7f2fae3ca3f960a240e5965