The Juniper SRX Services Gateway must authenticate NTP servers before establishing a network connection using bidirectional authentication that is cryptographically based.
An XCCDF Rule
Description
<VulnDiscussion>Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk, such as remote connections. The Juniper SRX can only be configured to use MD5 authentication keys. This algorithm is not FIPS 140-2 validated; thus, a CAT 1 finding is allocated in CCI-000803. However, MD5 is preferred to no authentication at all. The trusted-key statement permits authenticating NTP servers. The Juniper SRX supports multiple keys, multiple NTP servers, and different keys for each server; add the “key <key number>” parameter to the server statement to associate a key with a specific server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-223210r513319_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
The Juniper SRX can only be configured to use MD5 authentication keys. This algorithm is not FIPS 140-2 validated; therefore, it violates CCI-000803, which is a CAT 1. However, MD5 is preferred to no authentication at all. The following commands configure the Juniper SRX to use MD5 authentication keys.
set system ntp authentication-key 1 type md5
set system ntp authentication-key 1 value "$9$EgfcrvX7VY4ZEcwgoHjkP5REyv87"
set system ntp authentication-key 2 type md5
set system ntp authentication-key 2 value "kP5$EgvVfcrwgoY4X7ZEcH$9j RExz50"