JUSX-VN-000009 - The Juniper SRX Services Gateway VPN must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.

Information

Remote access devices, such as those providing remote access to network devices and information systems, which lack automated, capabilities increase risk and makes remote user access management difficult at best.

Remote access is access to DoD non-public information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network.

Automated monitoring of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote access capabilities, from a variety of information system components (e.g., servers, workstations, notebook computers, smart phones, and tablets).

In phase-2, another negotiation is performed, detailing the parameters for the IPsec connection. New keying material using the Diffie-Hellman key exchange established in phase-1 is used to provide session keys used to protecting the VPN data flow. If Perfect-Forwarding-Secrecy (PFS) is used, a new Diffie-Hellman exchange is performed for each phase-2 negotiation. While this is slower, it makes sure that no keys are dependent on any other previously used keys; no keys are extracted from the same initial keying material. This is to make sure that, in the unlikely event that some key was compromised; no subsequent keys can be derived.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

The following example command is an example of an IPsec policy.

[edit]
set security ipsec policy <IPSEC-POLICY> perfect-forward-secrecy keys group14
set security ipsec policy <IPSEC-POLICY> proposals <IPSEC-PROPOSAL>

The following command is an example of how to define an IPsec VPN using the IPsec policy and a secure tunnel interface. Alternatively, administrators can configure on-traffic tunnel establishment.

[edit]
set security ipsec vpn <VPN> bind-interface st0.0
set security ipsec vpn <VPN> ike gateway <IKE-PEER>
set security ipsec vpn <VPN> ike ipsec-policy <IPSEC-POLICY>
set security ipsec vpn <VPN> establish-tunnels immediately

For site-to-site VPN implementation, the SRX device is configured to route traffic over the IPsec VPN's secure tunnel interface by establishing a route with the next-hop specified as the secure tunnel interface. The following commands configure an IPv4 and IPv6 static route for their respective secure tunnels.

set routing-options static route <IPv4 network/netmask> next-hop st0.0
set routing-options rib inet6.0 static route <IPv6 network/netmask> next-hop st0.1

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_SRX_SG_Y24M07_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-4, CAT|II, CCI|CCI-001414, Rule-ID|SV-214676r382735_rule, STIG-ID|JUSX-VN-000009, STIG-Legacy|SV-81141, STIG-Legacy|V-66651, Vuln-ID|V-214676

Plugin: Juniper

Control ID: 8bb70dd2b87d5c0d0f462fcc488bafbe6b2be51f4d8e9d87177c507fddfabe3e