JUSX-VN-000012 - The Juniper SRX Services Gateway VPN must not accept certificates that have been revoked when using PKI for authentication.

Information

Situations may arise in which the certificate issued by a Certificate Authority (CA) may need to be revoked before the lifetime of the certificate expires. For example, the certificate is known to have been compromised.

To achieve this, a list of certificates that have been revoked, known as a Certificate Revocation List (CRL), is sent periodically from the CA to the IPsec gateway. When an incoming Internet Key Exchange (IKE) session is initiated for a remote client or peer whose certificate is revoked, the CRL will be checked to see if the certificate is valid; if the certificate is revoked, IKE will fail and an IPsec security association will not be established for the remote endpoint.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Configure the CA trust point to enable certificate revocation check by referencing a CRL or via OCSP.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_SRX_SG_Y24M10_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|I, CCI|CCI-000366, Rule-ID|SV-214679r385561_rule, STIG-ID|JUSX-VN-000012, STIG-Legacy|SV-81111, STIG-Legacy|V-66621, Vuln-ID|V-214679

Plugin: Juniper

Control ID: 9b3f8e56fab949f588c751c0cccced866e85d3e0df9e2dc9fa9160688bed9055