| V-214668 | | The Juniper SRX Services Gateway VPN must limit the number of concurrent sessions for user accounts to one (1) and administrative accounts to three (3), or set to an organization-defined number. | Network element management includes the ability to control the number of users and user sessions that utilize a network element. Limiting the number o... |
| V-214669 | | The Juniper SRX Services Gateway VPN must renegotiate the IPsec security association after 8 hours or less. | The IPsec SA and its corresponding key will expire either after the number of seconds or amount of traffic volume has exceeded the configured limit. A... |
| V-214670 | | The Juniper SRX Services Gateway VPN must renegotiate the IKE security association after 24 hours or less. | When a VPN gateway creates an IPsec Security Association (SA), resources must be allocated to maintain the SA. These resources are wasted during perio... |
| V-214671 | | The Juniper SRX Services Gateway VPN device also fulfills the role of IDPS in the architecture, the device must inspect the VPN traffic in compliance with DoD IDPS requirements. | Remote access devices, such as those providing remote access to network devices and information systems, which lack automated, capabilities increase r... |
| V-214675 | | The Juniper SRX Services Gateway VPN must be configured to use IPsec with SHA256 or greater to negotiate hashing to protect the integrity of remote access sessions. | Without strong cryptographic integrity protections, information can be altered by unauthorized users without detection.
Remote access VPN provides a... |
| V-214676 | | The Juniper SRX Services Gateway VPN must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies. | Remote access devices, such as those providing remote access to network devices and information systems, which lack automated, capabilities increase r... |
| V-214678 | | If IDPS inspection is performed separately from the Juniper SRX Services Gateway VPN device, the VPN must route sessions to an IDPS for inspection. | Remote access devices, such as those providing remote access to network devices and information systems, which lack automated, capabilities increase r... |
| V-214680 | | The Juniper SRX Services Gateway VPN must specify Perfect Forward Secrecy (PFS). | PFS generates each new encryption key independently from the previous key. Without PFS, compromise of one key will compromise all communications.
Th... |
| V-214681 | | The Juniper SRX Services Gateway VPN must use Encapsulating Security Payload (ESP) in tunnel mode. | ESP provides confidentiality, data origin authentication, integrity, and anti-replay services within the IPsec suite of protocols. ESP in tunnel mode ... |
| V-214682 | | The Juniper SRX Services Gateway must disable or remove unnecessary network services and functions that are not used as part of its role in the architecture. | Network devices are capable of providing a wide variety of functions (capabilities or processes) and services. Some of these functions and services ar... |
| V-214683 | | The Juniper SRX Services Gateway VPN must use IKEv2 for IPsec VPN security associations. | Use of IKEv2 leverages DoS protections because of improved bandwidth management and leverages more secure encryption algorithms.... |
| V-214684 | | The Juniper SRX Services Gateway VPN must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. | In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types... |
| V-214685 | | The Juniper SRX Services Gateway VPN must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-214688 | | The Juniper SRX Services Gateway VPN must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users). | Lack of authentication and identification enables non-organizational users to gain access to the network or possibly a network element that provides o... |
| V-214689 | | The Juniper SRX Services Gateway VPN must terminate all network connections associated with a communications session at the end of the session. | Idle TCP sessions can be susceptible to unauthorized access and hijacking attacks. IKE Dead Peer Detection (DPD) is a protocol that verifies the avail... |
| V-214691 | | The Juniper SRX Services Gateway VPN IKE must use NIST FIPS-validated cryptography to implement encryption services for unclassified VPN traffic. | Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The network element must implement cryptogr... |
| V-214693 | | The Juniper SRX Services Gateway VPN must only allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions. | Untrusted certificate authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD syst... |
| V-214694 | | The Juniper SRX Services Gateway VPN must only allow incoming VPN communications from organization-defined authorized sources routed to organization-defined authorized destinations. | Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traff... |
| V-214695 | | The Juniper SRX Services Gateway VPN must disable split-tunneling for remote clients VPNs. | Split tunneling would in effect allow unauthorized external connections, making the system more vulnerable to attack and to exfiltration of organizati... |
| V-214696 | | The Juniper SRX Services Gateway VPN must use anti-replay mechanisms for security associations. | Anti-replay is an IPsec security mechanism at a packet level which helps to avoid unwanted users from intercepting and modifying an ESP packet.
The S... |
| V-214672 | | The Juniper SRX Services Gateway VPN must use AES256 for the IPsec proposal to protect the confidentiality of remote access sessions. | Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. The Adva... |
| V-214673 | | The Juniper SRX Services Gateway VPN must use AES256 encryption for the Internet Key Exchange (IKE) proposal to protect the confidentiality of remote access sessions. | Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. The Adva... |
| V-214674 | | The Juniper SRX Services Gateway VPN must be configured to use Diffie-Hellman (DH) group 15 or higher. | Use of an approved DH algorithm ensures the Internet Key Exchange (IKE) (phase 1) proposal uses FIPS-validated key management techniques and processes... |
| V-214677 | | The Juniper SRX Services Gateway VPN must use Internet Key Exchange (IKE) for IPsec VPN Security Associations (SAs). | Without IKE, the SPI is manually specified for each security association. IKE peers will negotiate the encryption algorithm and authentication or hash... |
| V-214679 | | The Juniper SRX Services Gateway VPN must not accept certificates that have been revoked when using PKI for authentication. | Situations may arise in which the certificate issued by a Certificate Authority (CA) may need to be revoked before the lifetime of the certificate exp... |
| V-214686 | | The Juniper SRX Services Gateway VPN must use multifactor authentication (e.g., DoD PKI) for network access to non-privileged accounts. | To assure accountability and prevent unauthenticated access, non-privileged users must utilize multifactor authentication to prevent potential misuse ... |
| V-214690 | | The Juniper SRX Services Gateway VPN Internet Key Exchange (IKE) must be configured to use an approved Commercial Solution for Classified (CSfC) when transporting classified traffic across an unclassified network. | Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data.
The National Security Agency/Central Secur... |
| V-214692 | | The Juniper SRX Services Gateway VPN must configure Internet Key Exchange (IKE) with SHA1 or greater to protect the authenticity of communications sessions. | Authenticity protection provides protection against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions.
... |
