An error occurred:

Juniper SRX Services Gateway NDM STIG Version Comparison

Juniper SRX Services Gateway NDM Security Technical Implementation Guide

Comparison

There are 8 differences between versions v3 r1 (July 24, 2024) (the "left" version) and v3 r3 (Jan. 30, 2025) (the "right" version).

Check JUSX-DM-000110 was removed from the benchmark in the "right" version. The text below reflects the old wording.

This check's original form is available here.

Text Differences

Title

The Juniper SRX Services Gateway must authenticate NTP servers before establishing a network connection using bidirectional authentication that is cryptographically based.

Check Content

Verify the Juniper SRX is configured to synchronize internal information system clocks with the primary and secondary NTP sources. [edit] show system ntp If the NTP configuration is not configured to use authentication, this is a finding.

Discussion

Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk, such as remote connections. The Juniper SRX can only be configured to use MD5 authentication keys. This algorithm is not FIPS 140-2 validated; thus, a CAT 1 finding is allocated in CCI-000803. However, MD5 is preferred to no authentication at all. The trusted-key statement permits authenticating NTP servers. The Juniper SRX supports multiple keys, multiple NTP servers, and different keys for each server; add the “key <key number>” parameter to the server statement to associate a key with a specific server.

Fix

The Juniper SRX can only be configured to use MD5 authentication keys. This algorithm is not FIPS 140-2 validated; therefore, it violates CCI-000803, which is a CAT 1. However, MD5 is preferred to no authentication at all. The following commands configure the Juniper SRX to use MD5 authentication keys. set system ntp authentication-key 1 type md5 set system ntp authentication-key 1 value "$9$EgfcrvX7VY4ZEcwgoHjkP5REyv87" set system ntp authentication-key 2 type md5 set system ntp authentication-key 2 value "kP5$EgvVfcrwgoY4X7ZEcH$9j RExz50" set system ntp server <NTP_server_IP> key 1 set system ntp server <NTP_server_IP> prefer set system ntp server <NTP_server_IP> key 2 set system ntp trusted-key 1 set system ntp trusted-key 2