Detections
Analytics
JUSX-VN-000023 - The Juniper SRX Services Gateway VPN Internet Key Exchange (IKE) must be configured to use an approved Commercial Solution for Classified (CSfC) when transporting classified traffic across an unclassified network - IKE must use cryptography that is compliant with Suite B parameters when transporting classified traffic across an unclassified network.
Information
Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data.The National Security Agency/Central Security Service's (NSA/CSS) CSfC Program enables commercial products to be used in layered solutions to protect classified National Security Systems (NSS) data. Currently, Suite B cryptographic algorithms are specified by NIST and are used by NSA's Information Assurance Directorate in solutions approved for protecting classified and unclassified NSS. However, quantum resistant algorithms will be required for future required Suite B implementations.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Navigate to the IKE proposal stanza.Example stanza.
[edit]
set security ike proposal <name-proposal>
set ike proposal <name-proposal> authentication-method ecdsa-signatures-384
set ike proposal <name-proposal> dh-group group20
set ike proposal <name-proposal> authentication-algorithm sha-384
set ike proposal <name-proposal> encryption-algorithm aes-256-cbc
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_SRX_SG_Y25M01_STIG.zip
Item Details
Audit Name: DISA Juniper SRX Services Gateway VPN v3r2
Category: SYSTEM AND COMMUNICATIONS PROTECTION
References: 800-53|SC-13, CAT|I, CCI|CCI-002450, Rule-ID|SV-214690r1056094_rule, STIG-ID|JUSX-VN-000023, STIG-Legacy|SV-81115, STIG-Legacy|V-66625, Vuln-ID|V-214690
Plugin: Juniper
Control ID: fcfbd952b61939f631321d86e2e1baaf3e6e5d25e99bc702eac730d468d2fbe2