Detections
Analytics
JUSX-DM-000124 - The Juniper SRX Services Gateway must implement replay-resistant authentication mechanisms for network access to privileged accounts.
Warning! Audit Deprecated
This audit has been deprecated and will be removed in a future update.
View Next Audit VersionInformation
A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack.An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message.
There are 2 approved methods for accessing the Juniper SRX which are, in order of preference, the SSH protocol and the console port.
Solution
Configure SSH to use a replay-resistant authentication mechanism. The following is an example stanza.[edit]
set system services ssh macs hmac-sha2-512
set system services ssh macs hmac-sha2-256
set system services ssh macs hmac-sha1
set system services ssh macs hmac-sha1-96
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_SRX_SG_Y24M07_STIG.zip
Item Details
Audit Name: DISA Juniper SRX Services Gateway NDM v3r1
References: CAT|II, CCI|CCI-001941, Rule-ID|SV-223216r960993_rule, STIG-ID|JUSX-DM-000124, STIG-Legacy|SV-81003, STIG-Legacy|V-66513, Vuln-ID|V-223216
Plugin: Juniper
Control ID: 0e422971e91c8c55f81a38f8acbd8d79b13897acfaa4ab322fa0040a3dc2887a