JUSX-VN-000006 - The Juniper SRX Services Gateway VPN must use AES256 encryption for the Internet Key Exchange (IKE) proposal to protect the confidentiality of remote access sessions - IKE proposal to protect the confidentiality of remote access sessions.

Information

Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. The Advance Encryption Standard (AES) algorithm is critical to ensuring the privacy of the IKE session responsible for establishing the security association and key exchange for an IPsec tunnel. AES is used for encryption operations.

The CNSSP 15 compliant algorithms recommended by the NSA for IKE are AES256 with SHA384 and DH-16 or higher.

Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include broadband and wireless connections.

Solution

The following example commands configure the IKE (phase 1) proposals.

[edit]
set security ike proposal <IKE-PROPOSAL-NAME> encryption-algorithm aes-256-cbc

Item Details

Audit Name: DISA Juniper SRX Services Gateway VPN v3r2

Category: ACCESS CONTROL

Plugin: Juniper

Control ID: 1f7654b16742d337d935ed2b1d88a94e6bb1e2757b72a354afb23c04ba6be489

Detections

Analytics

JUSX-VN-000006 - The Juniper SRX Services Gateway VPN must use AES256 encryption for the Internet Key Exchange (IKE) proposal to protect the confidentiality of remote access sessions - IKE proposal to protect the confidentiality of remote access sessions.

Information

Solution

See Also

Item Details