TickYouOff

Juniper SRX STIG Checklist

Medium 20 items · 4 hours
testuser Published 4 weeks ago

This checklist gathers core STIG-based actions to secure Juniper SRX Services Gateways (RE and PFE). It’s for network engineers, system administrators, and compliance officers who manage SRX devices and need a practical, ordered set of hardening and validation steps to meet DISA STIG requirements.

Source: https://ncp.nist.gov/checklist/657

  1. Verify the Junos software version is at the DoD minimum (12.1X46) or later — Record current version and planned upgrade target.
  2. Upgrade Junos to a supported, patched release if below minimum — Schedule maintenance window and follow vendor upgrade steps.
  3. Harden the management plane — Apply controls to protect RE and management interfaces.
  4. Enable SSH and disable insecure management protocols (telnet/http) — Allow only encrypted management protocols (SSH/HTTPS) where required.
  5. Restrict management access to authorized IPs and management VRFs — Use firewall filters or loopback/mgmt VRF for admin access.
  6. Configure role-based admin accounts and remove/disable default accounts — Assign least privilege and unique admin usernames.
  7. Enforce strong authentication (AAA/TACACS+/RADIUS, MFA where possible) — Integrate centralized auth and log authentication events.
  8. Configure centralized logging to a secure syslog/SIEM collector — Send audit and event logs off-box in real time.
  9. Verify log retention, rotation, and audit settings — Ensure logs meet retention and integrity requirements.
  10. Configure NTP with authenticated, trusted servers — Prevent time drift and ensure accurate timestamps.
  11. Harden PFE firewall policies and rulebase per STIG guidance — Audit policies for least privilege and explicit denies.
  12. Apply Application Layer Gateway (ALG) recommended settings — Configure ALG per STIG to avoid insecure ALGs.
  13. Enable and tune IDPS features when implemented by PFE — Apply signature tuning and drop/alert policies per STIG.
  14. Secure IPsec VPN configuration (IKE, ciphers, lifetimes) per STIG — Use approved algorithms and certificate-based auth when possible.
  15. Disable unused services and shut down unused interfaces — Remove or deny access to protocols and interfaces not required.
  16. Implement connection timeouts and session limits to mitigate resource exhaustion — Adjust TCP/UDP timeouts and maximum sessions appropriately.
  17. Back up running configuration and store backups securely off-device — Encrypt backups and verify restore process.
  18. Perform vulnerability scan and remediate identified findings — Include OS, services, and configuration checks against STIG items.
  19. Document configuration changes, exceptions, and risk acceptances — Keep evidence and authorizations for any STIG deviations.
  20. Schedule regular STIG compliance checks, patch cycles, and audits — Define cadence and owners for ongoing compliance.
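
Items 4, 8 and 10 can be validated offline against an exported configuration. The script below is an added example, not part of the checklist or the STIG itself: it assumes the configuration was exported in Junos "set" format, the function name `audit` is hypothetical, and the sample configuration is constructed for illustration.

```python
import re

# Constructed sample in Junos "set" format (e.g. from `show configuration | display set`).
SAMPLE_CONFIG = """\
set system services ssh protocol-version v2
set system services telnet
set system services web-management http interface ge-0/0/0.0
set system services web-management https system-generated-certificate
set system syslog host 192.0.2.10 any any
set system ntp authentication-key 1 type md5 value "constructed-placeholder"
set system ntp trusted-key 1
set system ntp server 192.0.2.20 key 1
set system ntp server 192.0.2.21
"""

def audit(config_text):
    """Return sorted (checklist_item, message) findings for a set-format config."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip().startswith("set ")]
    findings = []
    # Item 4: SSH enabled, cleartext management services absent.
    if not any(re.match(r"set system services ssh(\s|$)", l) for l in lines):
        findings.append((4, "ssh is not enabled under system services"))
    for svc in ("telnet", "ftp", "web-management http"):
        pattern = re.compile(r"set system services %s(\s|$)" % re.escape(svc))
        if any(pattern.match(l) for l in lines):
            findings.append((4, "cleartext service enabled: " + svc))
    # Item 8: at least one remote syslog host.
    if not any(l.startswith("set system syslog host ") for l in lines):
        findings.append((8, "no remote syslog host configured"))
    # Item 10: every NTP server references a key listed as trusted.
    trusted = {m.group(1) for l in lines
               for m in [re.match(r"set system ntp trusted-key (\d+)", l)] if m}
    servers = {}
    for l in lines:
        m = re.match(r"set system ntp server (\S+)(.*)", l)
        if m:
            key = re.search(r"\bkey (\d+)", m.group(2))
            servers[m.group(1)] = key.group(1) if key else servers.get(m.group(1))
    if not servers:
        findings.append((10, "no NTP server configured"))
    for server, key in sorted(servers.items()):
        if key is None:
            findings.append((10, "NTP server without authentication key: " + server))
        elif key not in trusted:
            findings.append((10, "NTP server %s uses untrusted key %s" % (server, key)))
    return sorted(findings)

if __name__ == "__main__":
    print(*audit(SAMPLE_CONFIG), sep="\n")
```

An empty result only means these three items passed the text check; the remaining items still need review against the STIG check text on the device.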