An error occurred:

Check: JUEX-NM-000340

Juniper EX Series Switches Network Device Management STIG: JUEX-NM-000340 (in version v2 r2)

Title

The Juniper EX switch must be configured to use FIPS 140-2/140-3 validated algorithms for authentication to a cryptographic module. (Cat I impact)

Discussion

Unapproved mechanisms used for authentication to the cryptographic module are not validated and therefore, cannot be relied upon to provide confidentiality or integrity, and DOD data may be compromised. Network devices utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2/140-3 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DOD requirements. However, authentication algorithms must configure security processes to use only FIPS-validated and NIST-recommended authentication algorithms. Use only AES Counter (CTR) cipher block chaining modes in compliance with CVE-2008-5161, plugin 70658 based on vendor guidance in KB20853. This prevents certain plaintext attacks in OpenSSH.

Check Content

Verify the password format, and that SSH uses FIPS validated algorithms and random number generator (RNG) as shown in the following example configuration. user@host> show configuration system login { password { : format <sha-256|sha-512>; } } services { ssh { : ciphers [ aes256-ctr aes192-ctr ]; macs [ hmac-sha2-512 hmac-sha2-256 ]; key-exchange [ ecdh-sha2-nistp521 ecdh-sha2-nistp384 ecdh-sha2-nistp256 ]; : } } rng { hmac-drbg; } If the network device is not configured to use a FIPS 140-2/140-3 authentication algorithm, this is a finding.

Fix Text

Enter the CLI configuration mode and enter the following commands to set the password format, the SSH algorithms, and the RNG to meet site requirements. user@host> configure user@host# set system login password format <sha-256|sha-512> user@host# set system services ssh ciphers aes256-ctr user@host# set system services ssh ciphers aes192-ctr user@host# set system services ssh macs hmac-sha2-512 user@host# set system services ssh macs hmac-sha2-256 user@host# set system services ssh key-exchange ecdh-sha2-nistp521 user@host# set system services ssh key-exchange ecdh-sha2-nistp384 user@host# set system services ssh key-exchange ecdh-sha2-nistp256 user@host# set system rng hmac-drbg user@host# commit

Additional Identifiers

Rule ID: SV-253911r1028869_rule

Vulnerability ID: V-253911

Group Title: SRG-APP-000179-NDM-000265

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000803

Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
IA-7

Cryptographic Module Authentication