Detections
Analytics
JUSX-VN-000012 - The Juniper SRX Services Gateway VPN must not accept certificates that have been revoked when using PKI for authentication.
Information
Situations may arise in which the certificate issued by a Certificate Authority (CA) may need to be revoked before the lifetime of the certificate expires. For example, the certificate is known to have been compromised.To achieve this, a list of certificates that have been revoked, known as a Certificate Revocation List (CRL), is sent periodically from the CA to the IPsec gateway. When an incoming Internet Key Exchange (IKE) session is initiated for a remote client or peer whose certificate is revoked, the CRL will be checked to see if the certificate is valid; if the certificate is revoked, IKE will fail and an IPsec security association will not be established for the remote endpoint.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Configure the CA trust point to enable certificate revocation check by referencing a CRL or via OCSP.See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_SRX_SG_Y25M01_STIG.zip
Item Details
Audit Name: DISA Juniper SRX Services Gateway VPN v3r2
Category: CONFIGURATION MANAGEMENT
References: 800-53|CM-6b., CAT|I, CCI|CCI-000366, Rule-ID|SV-214679r385561_rule, STIG-ID|JUSX-VN-000012, STIG-Legacy|SV-81111, STIG-Legacy|V-66621, Vuln-ID|V-214679
Plugin: Juniper
Control ID: 9b3f8e56fab949f588c751c0cccced866e85d3e0df9e2dc9fa9160688bed9055