I - Mission Critical Sensitive
Rules and Groups employed by this XCCDF Profile
SRG-APP-000516-NDM-000344
Group -
The Juniper SRX Services Gateway must use DOD-approved PKI rather than proprietary or self-signed device certificates.
To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs. The SRX generates a key-pair and a CSR. The CSR is sent to...Rule Medium Severity -
SRG-APP-000142-NDM-000245
Group -
The Juniper SRX Services Gateway must be configured to prohibit the use of unnecessary and/or nonsecure functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable...Rule Medium Severity -
SRG-APP-000142-NDM-000245
Group -
For nonlocal maintenance sessions, the Juniper SRX Services Gateway must remove or explicitly deny the use of nonsecure protocols.
If unsecured protocols (lacking cryptographic mechanisms) are used for sessions, the contents of those sessions will be susceptible to manipulation, potentially allowing alteration and hijacking of...Rule Medium Severity -
SRG-APP-000142-NDM-000245
Group -
The Juniper SRX Services Gateway must use and securely configure SNMPv3 if SNMP is enabled.
To prevent nonsecure protocol communications with the organization's local SNMPv3 services, the SNMP client on the Juniper SRX must be configured for proper identification and strong cryptographica...Rule High Severity -
SRG-APP-000142-NDM-000245
Group -
The Juniper SRX Services Gateway must ensure SSH is disabled for root user logon to prevent remote access using the root account.
Since the identity of the root account is well-known for systems based upon Linux or UNIX and this account does not have a setting to limit access attempts, there is risk of a brute force attack on...Rule Medium Severity -
SRG-APP-000142-NDM-000245
Group -
The Juniper SRX Services Gateway must ensure access to start a UNIX-level shell is restricted to only the root account.
Restricting the privilege to create a UNIX-level shell limits access to this powerful function. System administrators, regardless of their other permissions, will need to also know the root passwor...Rule Medium Severity -
SRG-APP-000142-NDM-000245
Group -
The Juniper SRX Services Gateway must ensure TCP forwarding is disabled for SSH to prevent unauthorized access.
Use this configuration option to prevent a user from creating an SSH tunnel over a CLI session to the Juniper SRX via SSH. This type of tunnel could be used to forward TCP traffic, bypassing any fi...Rule Medium Severity -
SRG-APP-000142-NDM-000245
Group -
The Juniper SRX Services Gateway must be configured with only one local user account to be used as the account of last resort.
Without centralized management, credentials for some network devices will be forgotten, leading to delays in administration, which itself leads to delays in remediating production problems and in a...Rule Medium Severity -
SRG-APP-000156-NDM-000250
Group -
The Juniper SRX Services Gateway must implement replay-resistant authentication mechanisms for network access to privileged accounts.
A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be ...Rule Medium Severity -
SRG-APP-000164-NDM-000252
Group -
For local accounts using password authentication (i.e., the root account and the account of last resort), the Juniper SRX Services Gateway must enforce a minimum 15-character password length.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. The shorter the password, the lower the number of possib...Rule Medium Severity -
SRG-APP-000166-NDM-000254
Group -
For local accounts using password authentication (i.e., the root account and the account of last resort), the Juniper SRX Services Gateway must enforce password complexity by setting the password change type to character sets.
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisti...Rule Medium Severity -
SRG-APP-000166-NDM-000254
Group -
For local accounts using password authentication (i.e., the root account and the account of last resort), the Juniper SRX Services Gateway must enforce password complexity by requiring at least one uppercase character be used.
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisti...Rule Medium Severity -
SRG-APP-000167-NDM-000255
Group -
For local accounts using password authentication (i.e., the root account and the account of last resort), the Juniper SRX Services Gateway must enforce password complexity by requiring at least one lowercase character be used.
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resistin...Rule Medium Severity -
SRG-APP-000168-NDM-000256
Group -
For local accounts using password authentication (i.e., the root account and the account of last resort), the Juniper SRX Services Gateway must enforce password complexity by requiring at least one numeric character be used.
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resistin...Rule Medium Severity -
SRG-APP-000169-NDM-000257
Group -
For local accounts using password authentication (i.e., the root account and the account of last resort), the Juniper SRX Services Gateway must enforce password complexity by requiring at least one special character be used.
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resistin...Rule Medium Severity -
SRG-APP-000172-NDM-000259
Group -
The Juniper SRX Services Gateway must use SHA-256 or a stronger hash algorithm to store passwords for local accounts using password authentication (i.e., the root account and the account of last resort).
Passwords must be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily comp...Rule High Severity -
SRG-APP-000411-NDM-000330
Group -
For nonlocal maintenance sessions using SNMP, the Juniper SRX Services Gateway must use and securely configure SNMPv3 with SHA256 or higher to protect the integrity of maintenance and diagnostic communications.
Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Nonlocal maintenance and diagnostic activities are activities conducted by individu...Rule High Severity -
SRG-APP-000411-NDM-000330
Group -
The Juniper SRX Services Gateway must securely configure SSHv2 FIPS 140-2/140-3 validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of maintenance and diagnostic communications for nonlocal maintenance sessions.
To protect the integrity of nonlocal maintenance sessions, SSHv2 with HMAC algorithms for integrity checking must be configured. Nonlocal maintenance and diagnostic activities are activities cond...Rule High Severity -
SRG-APP-000412-NDM-000331
Group -
The Juniper SRX Services Gateway must securely configure SNMPv3 with privacy options to protect the confidentiality of nonlocal maintenance and diagnostic communications using SNMP.
Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Nonlocal maintenance and diagnostic activities are act...Rule High Severity -
SRG-APP-000412-NDM-000331
Group -
The Juniper SRX Services Gateway must use SSHv2 with privacy options to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions using SSH.
To protect the confidentiality of nonlocal maintenance sessions when using SSH communications, SSHv2, AES ciphers, and key-exchange commands are configured. Nonlocal maintenance and diagnostic ac...Rule High Severity -
SRG-APP-000412-NDM-000331
Group -
For nonlocal maintenance sessions, the Juniper SRX Services Gateway must ensure only zones where management functionality is desired have host-inbound-traffic system-services configured.
Add a firewall filter to protect the management interface. Note: The dedicated management interface (if present), and an interface placed in the functional zone management, will not participate in ...Rule Medium Severity -
SRG-APP-000190-NDM-000267
Group -
The Juniper SRX Services Gateway must terminate a device management session after 10 minutes of inactivity, except to fulfill documented and validated mission requirements.
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session. Quickly terminating an idle session also...Rule Medium Severity -
SRG-APP-000190-NDM-000267
Group -
The Juniper SRX Services Gateway must terminate a device management session if the keep-alive count is exceeded.
Configuring the keep-alive for management protocols mitigates the risk of an open connection being hijacked by an attacker. The keep-alive messages and the interval between each message are used t...Rule Medium Severity -
SRG-APP-000435-NDM-000315
Group -
The Juniper SRX Services Gateway must configure the control plane to protect against or limit the effects of common types of Denial of Service (DoS) attacks on the device itself by configuring applicable system options and internet-options.
DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. Juniper SRX ...Rule Medium Severity -
SRG-APP-000435-NDM-000315
Group -
The Juniper SRX Services Gateway must limit the number of sessions per minute to an organization-defined number for SSH to protect remote access management from unauthorized access.
The rate-limit command limits the number of SSH session attempts allowed per minute which helps limit an attacker's ability to perform DoS attacks. The rate limit should be as restrictive as operat...Rule Medium Severity
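The rules above all map to `set`-style Junos statements, so the practical question is how to verify a device against them without reading the configuration by hand. The script below is an added example for this page, not part of the STIG, the XCCDF benchmark or any Juniper tooling. It parses a `show configuration | display set` dump and evaluates the SSH, SNMPv3, password-policy, login-class and account-of-last-resort rules listed above. `SAMPLE_CONFIG` is constructed, with placeholder user and class names and fake hash and key material, and is deliberately left partly non-compliant (telnet enabled, an SNMPv2c community, `format sha1`, one legacy password hash) so the audit has findings. Assumptions worth flagging: `deny-commands "(start shell)"` is used as the representative way to keep a class with `permissions all` away from a UNIX shell; the `authentication-sha256`/`authentication-sha512` USM options exist only on Junos releases that added SHA-2 to SNMPv3; and the `$sha1$`/`$5$`/`$6$` prefixes are the stored-hash formats this check relies on to catch passwords that predate a change of `format`, since that knob only governs passwords set afterwards.

```python
# Added example: audit a Junos "display set" dump against the SRX NDM STIG rules on this page.
import shlex
from collections import defaultdict

# Constructed sample (names, hashes and keys are placeholders). Partly hardened on purpose.
SAMPLE_CONFIG = """
set system root-authentication encrypted-password "$6$constructed.root.hash"
set system login password minimum-length 15
set system login password change-type character-sets
set system login password minimum-upper-cases 1
set system login password minimum-lower-cases 1
set system login password minimum-numerics 1
set system login password minimum-punctuations 1
set system login password format sha1
set system login class stig-admin idle-timeout 10
set system login class stig-admin permissions all
set system login class stig-admin deny-commands "(start shell)"
set system login user lastresort class stig-admin
set system login user lastresort authentication encrypted-password "$sha1$constructed.hash"
set system services ssh root-login deny
set system services ssh no-tcp-forwarding
set system services ssh ciphers aes256-ctr
set system services ssh macs hmac-sha2-256
set system services ssh client-alive-count-max 3
set system services ssh client-alive-interval 10
set system services ssh rate-limit 4
set system services telnet
set snmp community public authorization read-only
set snmp v3 usm local-engine user snmpadmin authentication-sha256 authentication-key "$9$constructed"
set snmp v3 usm local-engine user snmpadmin privacy-aes128 privacy-key "$9$constructed"
"""

def parse_set_config(text):
    """Split each 'set ...' statement into tokens; shlex keeps quoted values whole."""
    return [shlex.split(line)[1:] for line in text.splitlines() if line.strip().startswith("set ")]

def under(stmts, *prefix):
    """Remaining tokens of every statement that begins with `prefix`."""
    return [s[len(prefix):] for s in stmts if s[:len(prefix)] == list(prefix)]

def audit(text):
    """Return {rule: (passed, detail)} for the checks the rules above call for."""
    s, r = parse_set_config(text), {}

    # Nonsecure management services must not be configured at all.
    insecure = {"telnet", "ftp", "finger", "xnm-clear-text"}
    found = sorted({v[0] for v in under(s, "system", "services") if v and v[0] in insecure})
    if under(s, "system", "services", "web-management", "http"):
        found.append("web-management http")
    r["nonsecure services disabled"] = (not found, ", ".join(found) or "none enabled")

    # SSH: root denied, no tunnelling, SHA-2 HMACs, AES ciphers, rate limit, keep-alive.
    ssh = [tuple(v) for v in under(s, "system", "services", "ssh") if v]
    r["ssh root login denied"] = (("root-login", "deny") in ssh, "root-login deny")
    r["ssh tcp forwarding disabled"] = (("no-tcp-forwarding",) in ssh, "no-tcp-forwarding")
    macs = [v[1] for v in ssh if v[0] == "macs"]
    r["ssh hmac-sha2 only"] = (bool(macs) and all(m.startswith("hmac-sha2-") for m in macs), str(macs))
    ciphers = [v[1] for v in ssh if v[0] == "ciphers"]
    r["ssh aes ciphers only"] = (bool(ciphers) and all(c.startswith("aes") for c in ciphers), str(ciphers))
    r["ssh rate-limit set"] = (any(v[0] == "rate-limit" for v in ssh), "rate-limit")
    r["ssh keep-alive count set"] = (any(v[0] == "client-alive-count-max" for v in ssh), "client-alive-count-max")

    # Local password policy for root and the account of last resort.
    pw = {v[0]: v[1] for v in under(s, "system", "login", "password") if len(v) == 2}
    r["password minimum-length >= 15"] = (int(pw.get("minimum-length", 0)) >= 15, pw.get("minimum-length", "unset"))
    r["password change-type character-sets"] = (pw.get("change-type") == "character-sets", pw.get("change-type", "unset"))
    for k in ("minimum-upper-cases", "minimum-lower-cases", "minimum-numerics", "minimum-punctuations"):
        r[f"password {k} >= 1"] = (int(pw.get(k, 0)) >= 1, pw.get(k, "unset"))
    r["password format sha256 or sha512"] = (pw.get("format") in ("sha256", "sha512"), pw.get("format", "unset"))

    # 'format' only affects passwords set afterwards; stored hashes keep their old algorithm,
    # so check the crypt prefixes as well ($5$ = SHA-256, $6$ = SHA-512; assumed formats).
    users = under(s, "system", "login", "user")
    hashes = [v[-1] for v in under(s, "system", "root-authentication", "encrypted-password")]
    hashes += [v[3] for v in users if v[1:3] == ["authentication", "encrypted-password"]]
    legacy = [h for h in hashes if not h.startswith(("$5$", "$6$"))]
    r["stored hashes use sha-crypt"] = (not legacy, f"{len(legacy)} legacy hash(es); rotate those passwords")

    # Exactly one local account besides root: the account of last resort.
    local = sorted({v[0] for v in users})
    r["single local account of last resort"] = (len(local) == 1, str(local))

    # Each class a local user holds: idle-timeout within 10 minutes and no path to a shell.
    classes = defaultdict(list)
    for v in under(s, "system", "login", "class"):
        classes[v[0]].append(v[1:])
    for name in sorted({v[2] for v in users if v[1:2] == ["class"]}):
        opts = classes.get(name, [])  # built-in classes have no tunable knobs, so they fail here
        timeout = next((int(o[1]) for o in opts if o[0] == "idle-timeout"), None)
        r[f"class {name} idle-timeout <= 10"] = (timeout is not None and 1 <= timeout <= 10, str(timeout))
        perms = {o[1] for o in opts if o[0] == "permissions"}
        denied = any("start shell" in o[1] for o in opts if o[0] == "deny-commands")
        r[f"class {name} cannot start shell"] = (not (perms & {"all", "shell"}) or denied, f"perms={sorted(perms)}")

    # SNMP, if enabled at all: no v1/v2c communities; v3 users with SHA-2 auth and AES privacy.
    if under(s, "snmp"):
        r["no snmp v1/v2c communities"] = (not under(s, "snmp", "community"), "community")
        v3 = under(s, "snmp", "v3", "usm", "local-engine", "user")
        for u in sorted({v[0] for v in v3}):
            opts = {v[1] for v in v3 if v[0] == u}
            ok = bool(opts & {"authentication-sha256", "authentication-sha512"}) and any(o.startswith("privacy-aes") for o in opts)
            r[f"snmpv3 user {u} sha256+ auth, aes privacy"] = (ok, str(sorted(opts)))
    return r

def failures(text):
    """Sorted names of the rules the configuration fails."""
    return sorted(k for k, (ok, _) in audit(text).items() if not ok)

if __name__ == "__main__":
    for rule, (ok, detail) in audit(SAMPLE_CONFIG).items():
        print(f"{'PASS' if ok else 'FAIL'}  {rule}  ({detail})")
```

Run against a real device, feed it the output of `show configuration | display set` and treat every FAIL as a finding to map back to the rule ID above. The stored-hash check is the one most often missed in practice: after `set system login password format sha256` the existing root and last-resort passwords are still stored under the old algorithm until they are changed.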