An error occurred:

Check: JUEX-NM-000500

Juniper EX Series Switches Network Device Management STIG: JUEX-NM-000500 (in versions v1 r5 through v1 r1)

Title

The Juniper EX switch must be configured to prohibit the use of cached authenticators after an organization-defined time period. (Cat II impact)

Discussion

Some authentication implementations can be configured to use cached authenticators. If cached authentication information is out-of-date, the validity of the authentication information may be questionable. The organization-defined time period should be established for each device depending on the nature of the device; for example, a device with just a few administrators in a facility with spotty network connectivity may merit a longer caching time period than a device with many administrators.

Check Content

Review the network device configuration to determine if the network device or its associated authentication server prohibits the use of cached authenticators after an organization-defined time period. Verify idle-timeouts, SSH keepalive messages, and SSH rekey are configured to meet the requirements of the target network. [edit system] login { idle-timeout 10; } system { services { ssh { protocol-version v2; client-alive-count-max (0..255); client-alive-interval (0..65535 seconds); rekey { data-limit (51200..4294967295 bytes); time-limit (1..1440 minutes); } } } } For externally authenticated accounts, verify the external authentication server enforces appropriate authenticator timeouts. If cached authenticators are used after an organization-defined time period, this is a finding.

Fix Text

Configure the network device or its associated authentication server to prohibit the use of cached authenticators after an organization-defined time period. set system login idle-timeout 10 set system services ssh protocol-version v2 set system services ssh client-alive-count-max (0..255) set system services ssh client-alive-interval (0..65535 seconds) set system services ssh rekey data-limit (51200..4294967295 bytes) set system services ssh rekey time-limit (1..1440 minutes)

Additional Identifiers

Rule ID: SV-253927r879773_rule

Vulnerability ID: V-253927

Group Title: SRG-APP-000400-NDM-000313

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001977

The organization defines the external organizations with which it will coordinate for cross-management of identifiers.
CCI-002007

The information system prohibits the use of cached authenticators after an organization-defined time period.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
IA-4 (6)

Cross-Organization Management
IA-5 (13)

Expiration Of Cached Authenticators