For nonlocal maintenance sessions, the Juniper SRX Services Gateway must ensure only zones where management functionality is desired have host-inbound-traffic system-services configured.

From Juniper SRX SG NDM Security Technical Implementation Guide

Part of SRG-APP-000412-NDM-000331

Associated with: CCI-003123

SV-81023r2_rule For nonlocal maintenance sessions, the Juniper SRX Services Gateway must ensure only zones where management functionality is desired have host-inbound-traffic system-services configured.

Vulnerability discussion

Add a firewall filter to protect the management interface. Note: The dedicated management interface (if present), and an interface placed in the functional zone management, will not participate in routing network traffic. It will only support device management traffic.The host-inbound-traffic feature of the SRX is an additional layer of security for system services. This function can be configured on either a per zone or a per interface basis within each individual security zone. By default, a security zone has all system services disabled, which means that it will not accept any inbound management or protocol requests on the control plane without explicitly enabling the service at either the interface or zone in the security zone stanzas.

Check content

Verify only those zones where management functionality is allowed have host-inbound-traffic system-services configured and that protocols such as HTTP and HTTPS are not assigned to these zones. [edit] show security zones functional-zone management If zones configured for host-inbound-traffic system-services have protocols other than SSH configured, this is a finding.

Fix text

Remove host-inbound-traffic systems-services option from zones not authorized for management traffic. Remove unauthorized protocols (e.g., HTTP, HTTPS) from management zones that are configured to allow host-inbound-traffic system-services.

Pro Tips

Powered by sagemincer