From Juniper SRX SG VPN Security Technical Implementation Guide
Part of SRG-NET-000140
Associated with: CCI-000766
To assure accountability and prevent unauthenticated access, non-privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system.
Multifactor authentication uses two or more factors to achieve authentication. Use of password for user remote access for non-privileged account is not authorized.
(i) Something you know (e.g., password/PIN);
(ii) Something you have (e.g., cryptographic identification device, token); or
(iii) Something you are (e.g., biometric).
A non-privileged account is any information system account with authorizations of a non-privileged user.
Network access is any access to an application by a user (or process acting on behalf of a user) where said access is obtained through a network connection.
The DoD CAC with DoD-approved PKI is an example of multifactor authentication.
Ask the site to identify the VPN access profile. Verify the access profile uses LDAP, not password configuration, for user remote access to the network. Ask the site if the LDAP server used authenticates users through PKI authentication.
show security access profile
Configure multifactor authentication by configuring an access profile for an authentication server or services to authenticate VPN users upon logon using DoD PKI.
set access profile dyn-vpn-ldap-xauth authentication-order ldap
set access profile dyn-vpn-ldap-xauth address-assignment pool dyn-vpn-pool
set access profile dyn-vpn-ldap-xauth ldap-options base-distinguished-name CN=Users, DC=firewall, DC=com (Location from where LDAP will start searching for users)
set access profile dyn-vpn-ldap-xauth ldap-options search search-filter sAMAccountName=
set access profile dyn-vpn-ldap-xauth ldap-options search admin-search distinguished-name CN=Administrator, CN=Users, DC=firewall, DC=com (User who is authorized to search the ldap tree)
set access profile dyn-vpn-ldap-xauth ldap-options search admin-search password
Lavender hyperlinks in small type off to the right (of CSS
id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header
Powered by sagemincer