The Juniper SRX Services Gateway must implement replay-resistant authentication mechanisms for network access to privileged accounts.

From Juniper SRX SG NDM Security Technical Implementation Guide

Associated with: CCI-001941

SV-81003r1_rule The Juniper SRX Services Gateway must implement replay-resistant authentication mechanisms for network access to privileged accounts.

Vulnerability discussion

A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack.An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. There are 2 approved methods for accessing the Juniper SRX which are, in order of preference, the SSH protocol and the console port.

Check content

Verify SSH is configured to use a replay-resistant authentication mechanism. [edit] show system services ssh If SSH is not configured to use the MAC authentication protocol, this is a finding.

Fix text

Configure SSH to use a replay-resistant authentication mechanism. The following is an example stanza. [edit] set system services ssh macs hmac-sha2-512 set system services ssh macs hmac-sha2-256 set system services ssh macs hmac-sha1 set system services ssh macs hmac-sha1-96

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.