kriterion 0.0.1

Files changed (564)
  1. checksums.yaml +7 -0
  2. data/.gitignore +2 -0
  3. data/.ruby-version +1 -0
  4. data/.travis.yml +5 -0
  5. data/Dockerfile +18 -0
  6. data/Gemfile +12 -0
  7. data/Gemfile.lock +62 -0
  8. data/LICENSE.txt +21 -0
  9. data/README.md +58 -0
  10. data/Rakefile +6 -0
  11. data/bin/setup +8 -0
  12. data/bin/update_stigs.rb +42 -0
  13. data/criterion.gemspec +31 -0
  14. data/docker-compose.yml +14 -0
  15. data/exe/kriterion +16 -0
  16. data/lib/kriterion.rb +16 -0
  17. data/lib/kriterion/api.rb +27 -0
  18. data/lib/kriterion/backend.rb +13 -0
  19. data/lib/kriterion/backend/mongodb.rb +235 -0
  20. data/lib/kriterion/cli.rb +28 -0
  21. data/lib/kriterion/cli/api.rb +35 -0
  22. data/lib/kriterion/cli/worker.rb +35 -0
  23. data/lib/kriterion/event.rb +36 -0
  24. data/lib/kriterion/item.rb +42 -0
  25. data/lib/kriterion/logs.rb +14 -0
  26. data/lib/kriterion/metrics.rb +22 -0
  27. data/lib/kriterion/object.rb +50 -0
  28. data/lib/kriterion/report.rb +69 -0
  29. data/lib/kriterion/resource.rb +60 -0
  30. data/lib/kriterion/section.rb +32 -0
  31. data/lib/kriterion/standard.rb +65 -0
  32. data/lib/kriterion/version.rb +3 -0
  33. data/lib/kriterion/worker.rb +280 -0
  34. data/standards/cis_red_hat_enterprise_linux_7.json +34 -0
  35. data/standards/stig_a10_networks_adc_alg.json +209 -0
  36. data/standards/stig_a10_networks_adc_ndm.json +233 -0
  37. data/standards/stig_active_directory_domain.json +257 -0
  38. data/standards/stig_active_directory_forest.json +41 -0
  39. data/standards/stig_active_directory_service_2003.json +173 -0
  40. data/standards/stig_active_directory_service_2008.json +167 -0
  41. data/standards/stig_adobe_acrobat_pro_xi.json +167 -0
  42. data/standards/stig_adobe_acrobat_reader_dc_classic_track.json +179 -0
  43. data/standards/stig_adobe_acrobat_reader_dc_continuous_track.json +179 -0
  44. data/standards/stig_adobe_coldfusion_11.json +611 -0
  45. data/standards/stig_airwatch_mdm.json +185 -0
  46. data/standards/stig_aix_5.3.json +3095 -0
  47. data/standards/stig_aix_6.1.json +3047 -0
  48. data/standards/stig_akamai_ksd_service_impact_level_2_alg.json +209 -0
  49. data/standards/stig_akamai_ksd_service_impact_level_2_ndm.json +155 -0
  50. data/standards/stig_android_2.2_dell.json +311 -0
  51. data/standards/stig_apache_2.2_serverwindows.json +347 -0
  52. data/standards/stig_apache_2.2_sitewindows_security_implementation_guide.json +179 -0
  53. data/standards/stig_apache_server_2.0unix.json +341 -0
  54. data/standards/stig_apache_server_2.0windows.json +341 -0
  55. data/standards/stig_apache_server_2.2unix.json +347 -0
  56. data/standards/stig_apache_server_2.2windows.json +347 -0
  57. data/standards/stig_apache_site_2.0unix.json +185 -0
  58. data/standards/stig_apache_site_2.0windows.json +179 -0
  59. data/standards/stig_apache_site_2.2unix.json +185 -0
  60. data/standards/stig_apache_site_2.2windows.json +179 -0
  61. data/standards/stig_apple_ios6.json +341 -0
  62. data/standards/stig_apple_ios_10.json +245 -0
  63. data/standards/stig_apple_ios_11.json +269 -0
  64. data/standards/stig_apple_ios_4_good_mobility_suite_interim_security_configuration_guide_iscg.json +257 -0
  65. data/standards/stig_apple_ios_5.json +329 -0
  66. data/standards/stig_apple_ios_6.json +335 -0
  67. data/standards/stig_apple_ios_6_interim_security_configuration_guide_iscg.json +371 -0
  68. data/standards/stig_apple_ios_7.json +185 -0
  69. data/standards/stig_apple_ios_8_interim_security_configuration_guide.json +251 -0
  70. data/standards/stig_apple_ios_9_interim_security_configuration_guide.json +245 -0
  71. data/standards/stig_apple_os_x_10.10_yosemite_workstation.json +851 -0
  72. data/standards/stig_apple_os_x_10.11.json +725 -0
  73. data/standards/stig_apple_os_x_10.12.json +737 -0
  74. data/standards/stig_apple_os_x_10.8_mountain_lion_workstation.json +1241 -0
  75. data/standards/stig_apple_os_x_10.9_mavericks_workstation.json +809 -0
  76. data/standards/stig_application_layer_gateway_alg_security_requirements_guide_srg.json +911 -0
  77. data/standards/stig_application_layer_gateway_security_requirements_guide.json +911 -0
  78. data/standards/stig_application_security_and_development.json +1745 -0
  79. data/standards/stig_application_security_and_development_checklist.json +959 -0
  80. data/standards/stig_application_security_requirements_guide.json +1961 -0
  81. data/standards/stig_application_server_security_requirements_guide.json +791 -0
  82. data/standards/stig_arcgisserver_10.3.json +143 -0
  83. data/standards/stig_arista_mls_dcs-7000_series_l2s.json +53 -0
  84. data/standards/stig_arista_mls_dcs-7000_series_ndm.json +197 -0
  85. data/standards/stig_arista_mls_dcs-7000_series_rtr.json +143 -0
  86. data/standards/stig_bind_9.x.json +431 -0
  87. data/standards/stig_bind_dns.json +317 -0
  88. data/standards/stig_blackberry_10.2.x_os.json +179 -0
  89. data/standards/stig_blackberry_10_os.json +227 -0
  90. data/standards/stig_blackberry_bes_12.3.x_mdm.json +65 -0
  91. data/standards/stig_blackberry_bes_12.5.x_mdm.json +65 -0
  92. data/standards/stig_blackberry_device_service_6.2.json +425 -0
  93. data/standards/stig_blackberry_enterprise_mobility_server_2.x.json +149 -0
  94. data/standards/stig_blackberry_enterprise_server,_part_1.json +35 -0
  95. data/standards/stig_blackberry_enterprise_server,_part_2.json +155 -0
  96. data/standards/stig_blackberry_enterprise_server,_part_3.json +647 -0
  97. data/standards/stig_blackberry_enterprise_server_version_5.x,_part_1.json +35 -0
  98. data/standards/stig_blackberry_enterprise_server_version_5.x,_part_2.json +155 -0
  99. data/standards/stig_blackberry_enterprise_server_version_5.x,_part_3.json +653 -0
  100. data/standards/stig_blackberry_enterprise_service_v10.1.x_blackberry_device_service.json +317 -0
  101. data/standards/stig_blackberry_enterprise_service_v10.2.x_blackberry_device_service.json +263 -0
  102. data/standards/stig_blackberry_handheld_device.json +125 -0
  103. data/standards/stig_blackberry_os_10.3.x.json +257 -0
  104. data/standards/stig_blackberry_os_7.x.json +107 -0
  105. data/standards/stig_blackberry_os_7.x.x.json +101 -0
  106. data/standards/stig_blackberry_os_version_5-7.json +107 -0
  107. data/standards/stig_blackberry_playbook.json +65 -0
  108. data/standards/stig_blackberry_playbook_os_nea_mode.json +65 -0
  109. data/standards/stig_blackberry_playbook_os_v2.1.json +197 -0
  110. data/standards/stig_blackberry_uem_12.7.json +59 -0
  111. data/standards/stig_bluetoothzigbee.json +35 -0
  112. data/standards/stig_ca_api_gateway_alg.json +497 -0
  113. data/standards/stig_cisco_css_dns.json +71 -0
  114. data/standards/stig_cisco_ios_xe_release_3_ndm.json +395 -0
  115. data/standards/stig_cisco_ios_xe_release_3_rtr.json +149 -0
  116. data/standards/stig_cmd_management_server_policy.json +53 -0
  117. data/standards/stig_commercial_mobile_device_cmd_policy.json +83 -0
  118. data/standards/stig_csfc_campus_wlan_policy_security_implementation_guide.json +95 -0
  119. data/standards/stig_database_security_requirements_guide.json +767 -0
  120. data/standards/stig_dbn-6300_idps.json +107 -0
  121. data/standards/stig_dbn-6300_ndm.json +359 -0
  122. data/standards/stig_defense_switched_network.json +683 -0
  123. data/standards/stig_defense_switched_network_dsn.json +653 -0
  124. data/standards/stig_desktop_applications_general.json +41 -0
  125. data/standards/stig_dns_policy.json +155 -0
  126. data/standards/stig_domain_name_system_dns_security_requirements_guide.json +599 -0
  127. data/standards/stig_draft_aix.json +3503 -0
  128. data/standards/stig_edb_postgres_advanced_server.json +665 -0
  129. data/standards/stig_email_services_policy.json +137 -0
  130. data/standards/stig_exchange_2010_client_access_server.json +179 -0
  131. data/standards/stig_exchange_2010_edge_transport_server.json +389 -0
  132. data/standards/stig_exchange_2010_hub_transport_server.json +269 -0
  133. data/standards/stig_exchange_2010_mailbox_server.json +209 -0
  134. data/standards/stig_f5_big-ip_access_policy_manager_11.x.json +149 -0
  135. data/standards/stig_f5_big-ip_advanced_firewall_manager_11.x.json +41 -0
  136. data/standards/stig_f5_big-ip_application_security_manager_11.x.json +89 -0
  137. data/standards/stig_f5_big-ip_device_management_11.x.json +467 -0
  138. data/standards/stig_f5_big-ip_local_traffic_manager_11.x.json +407 -0
  139. data/standards/stig_final_draft_general_wireless_policy.json +71 -0
  140. data/standards/stig_firewall.json +449 -0
  141. data/standards/stig_firewall_-_cisco.json +449 -0
  142. data/standards/stig_firewall_security_requirements_guide.json +257 -0
  143. data/standards/stig_forescout_counteract_alg.json +83 -0
  144. data/standards/stig_forescout_counteract_ndm.json +239 -0
  145. data/standards/stig_free_space_optics_device.json +143 -0
  146. data/standards/stig_general_mobile_device_policy_non-enterprise_activated.json +113 -0
  147. data/standards/stig_general_mobile_device_technical_non-enterprise_activated.json +59 -0
  148. data/standards/stig_general_purpose_operating_system_srg.json +1199 -0
  149. data/standards/stig_general_wireless_policy.json +71 -0
  150. data/standards/stig_good_mobility_suite_server_android_os.json +203 -0
  151. data/standards/stig_good_mobility_suite_server_apple_ios_4_interim_security_configuration_guide_iscg.json +209 -0
  152. data/standards/stig_good_mobility_suite_server_windows_phone_6.5.json +449 -0
  153. data/standards/stig_goodenterprise_8.x.json +401 -0
  154. data/standards/stig_google_chrome_browser.json +209 -0
  155. data/standards/stig_google_chrome_current_windows.json +215 -0
  156. data/standards/stig_google_chrome_draft.json +281 -0
  157. data/standards/stig_google_chrome_v23_windows.json +275 -0
  158. data/standards/stig_google_chrome_v24_windows.json +263 -0
  159. data/standards/stig_google_chrome_v24_windows_benchmark.json +227 -0
  160. data/standards/stig_google_search_appliance.json +209 -0
  161. data/standards/stig_harris_secnet_11_54.json +89 -0
  162. data/standards/stig_hp-ux_11.23.json +3215 -0
  163. data/standards/stig_hp-ux_11.31.json +3155 -0
  164. data/standards/stig_hp-ux_smse.json +431 -0
  165. data/standards/stig_hpe_3par_storeserv_3.2.x.json +131 -0
  166. data/standards/stig_ibm_datapower_alg.json +401 -0
  167. data/standards/stig_ibm_datapower_network_device_management.json +395 -0
  168. data/standards/stig_ibm_db2_v10.5_luw.json +575 -0
  169. data/standards/stig_ibm_hardware_management_console_hmc.json +221 -0
  170. data/standards/stig_ibm_hardware_management_console_hmc_policies.json +35 -0
  171. data/standards/stig_ibm_maas360_v2.3.x_mdm.json +59 -0
  172. data/standards/stig_ibm_zvm_using_ca_vm:secure.json +473 -0
  173. data/standards/stig_idps_security_requirements_guide_srg.json +1865 -0
  174. data/standards/stig_idsips.json +257 -0
  175. data/standards/stig_iis6_server.json +221 -0
  176. data/standards/stig_iis6_site.json +263 -0
  177. data/standards/stig_iis_7.0_web_server.json +155 -0
  178. data/standards/stig_iis_7.0_web_site.json +299 -0
  179. data/standards/stig_iis_8.5_server.json +293 -0
  180. data/standards/stig_iis_8.5_site.json +347 -0
  181. data/standards/stig_infoblox_7.x_dns.json +419 -0
  182. data/standards/stig_infrastructure_l3_switch.json +599 -0
  183. data/standards/stig_infrastructure_l3_switch_-_cisco.json +659 -0
  184. data/standards/stig_infrastructure_l3_switch_secure_technical_implementation_guide_-_cisco.json +659 -0
  185. data/standards/stig_infrastructure_router.json +479 -0
  186. data/standards/stig_infrastructure_router_-_cisco.json +539 -0
  187. data/standards/stig_infrastructure_router_-_juniper.json +485 -0
  188. data/standards/stig_infrastructure_router__cisco.json +539 -0
  189. data/standards/stig_infrastructure_router__juniper.json +485 -0
  190. data/standards/stig_internet_explorer_8.json +821 -0
  191. data/standards/stig_internet_explorer_9.json +815 -0
  192. data/standards/stig_intrusion_detection_and_prevention_systems_idps_security_requirements_guide.json +371 -0
  193. data/standards/stig_ipsec_vpn_gateway.json +521 -0
  194. data/standards/stig_java_runtime_environment_jre_6_unix.json +65 -0
  195. data/standards/stig_java_runtime_environment_jre_6_win7.json +65 -0
  196. data/standards/stig_java_runtime_environment_jre_6_windows_xp.json +77 -0
  197. data/standards/stig_java_runtime_environment_jre_6_winxp.json +65 -0
  198. data/standards/stig_java_runtime_environment_jre_7_unix.json +65 -0
  199. data/standards/stig_java_runtime_environment_jre_7_win7.json +65 -0
  200. data/standards/stig_java_runtime_environment_jre_7_winxp.json +65 -0
  201. data/standards/stig_java_runtime_environment_jre_version_6_unix.json +77 -0
  202. data/standards/stig_java_runtime_environment_jre_version_6_windows_7.json +77 -0
  203. data/standards/stig_java_runtime_environment_jre_version_6_windows_xp.json +65 -0
  204. data/standards/stig_java_runtime_environment_jre_version_7_unix.json +77 -0
  205. data/standards/stig_java_runtime_environment_jre_version_7_windows_7.json +77 -0
  206. data/standards/stig_java_runtime_environment_jre_version_7_winxp.json +77 -0
  207. data/standards/stig_java_runtime_environment_jre_version_8_unix.json +107 -0
  208. data/standards/stig_java_runtime_environment_jre_version_8_windows.json +107 -0
  209. data/standards/stig_jboss_eap_6.3.json +413 -0
  210. data/standards/stig_juniper_srx_sg_alg.json +155 -0
  211. data/standards/stig_juniper_srx_sg_idps.json +179 -0
  212. data/standards/stig_juniper_srx_sg_ndm.json +443 -0
  213. data/standards/stig_juniper_srx_sg_vpn.json +185 -0
  214. data/standards/stig_keyboard_video_and_mouse_switch.json +269 -0
  215. data/standards/stig_l3_kov-26_talon_wireless_role.json +77 -0
  216. data/standards/stig_layer_2_switch.json +347 -0
  217. data/standards/stig_layer_2_switch_-_cisco.json +365 -0
  218. data/standards/stig_lg_android_5.x_interim_security_configuration_guide.json +245 -0
  219. data/standards/stig_lg_android_6.x.json +281 -0
  220. data/standards/stig_mac_osx_10.6_workstation.json +1319 -0
  221. data/standards/stig_mac_osx_10.6_workstation_draft.json +1319 -0
  222. data/standards/stig_mainframe_product_security_requirements_guide.json +1115 -0
  223. data/standards/stig_mcafee_application_control_7.x.json +203 -0
  224. data/standards/stig_mcafee_move_2.63.6.1_multi-platform_client.json +149 -0
  225. data/standards/stig_mcafee_move_2.63.6.1_multi-platform_oss.json +101 -0
  226. data/standards/stig_mcafee_move_2.6_multi-platform_client.json +149 -0
  227. data/standards/stig_mcafee_move_2.6_multi-platform_oss.json +101 -0
  228. data/standards/stig_mcafee_move_3.6.1_multi-platform_client.json +149 -0
  229. data/standards/stig_mcafee_move_3.6.1_multi-platform_oss.json +101 -0
  230. data/standards/stig_mcafee_move_agentless_3.03.6.1_security_virtual_appliance.json +167 -0
  231. data/standards/stig_mcafee_move_agentless_3.0_security_virtual_appliance.json +167 -0
  232. data/standards/stig_mcafee_move_agentless_3.0_vsel_1.9sva.json +203 -0
  233. data/standards/stig_mcafee_move_agentless_3.6.1_security_virtual_appliance.json +167 -0
  234. data/standards/stig_mcafee_move_av_agentless_4.5.json +155 -0
  235. data/standards/stig_mcafee_move_av_multi-platform_4.5.json +215 -0
  236. data/standards/stig_mcafee_virusscan_8.8_local_client.json +533 -0
  237. data/standards/stig_mcafee_virusscan_8.8_managed_client.json +533 -0
  238. data/standards/stig_mcafee_vsel_1.92.0_local_client.json +245 -0
  239. data/standards/stig_mcafee_vsel_1.92.0_managed_client.json +239 -0
  240. data/standards/stig_mdm_server_policy.json +47 -0
  241. data/standards/stig_microsoft_access_2003.json +47 -0
  242. data/standards/stig_microsoft_access_2007.json +77 -0
  243. data/standards/stig_microsoft_access_2010.json +119 -0
  244. data/standards/stig_microsoft_access_2013.json +113 -0
  245. data/standards/stig_microsoft_access_2016.json +107 -0
  246. data/standards/stig_microsoft_dot_net_framework_4.0.json +101 -0
  247. data/standards/stig_microsoft_excel_2003.json +47 -0
  248. data/standards/stig_microsoft_excel_2007.json +155 -0
  249. data/standards/stig_microsoft_excel_2010.json +287 -0
  250. data/standards/stig_microsoft_excel_2013.json +293 -0
  251. data/standards/stig_microsoft_excel_2016.json +257 -0
  252. data/standards/stig_microsoft_exchange_2010_client_access_server_role.json +71 -0
  253. data/standards/stig_microsoft_exchange_2010_core_server.json +47 -0
  254. data/standards/stig_microsoft_exchange_2010_edge_transport_server_role.json +233 -0
  255. data/standards/stig_microsoft_exchange_2010_hub_transport_server_role.json +125 -0
  256. data/standards/stig_microsoft_exchange_2010_mailbox_server_role.json +107 -0
  257. data/standards/stig_microsoft_exchange_server_2003.json +647 -0
  258. data/standards/stig_microsoft_groove_2013.json +71 -0
  259. data/standards/stig_microsoft_ie_version_6.json +599 -0
  260. data/standards/stig_microsoft_ie_version_7.json +749 -0
  261. data/standards/stig_microsoft_infopath_2003.json +41 -0
  262. data/standards/stig_microsoft_infopath_2007.json +167 -0
  263. data/standards/stig_microsoft_infopath_2010.json +155 -0
  264. data/standards/stig_microsoft_infopath_2013.json +149 -0
  265. data/standards/stig_microsoft_internet_explorer_10.json +857 -0
  266. data/standards/stig_microsoft_internet_explorer_11.json +839 -0
  267. data/standards/stig_microsoft_internet_explorer_9.json +821 -0
  268. data/standards/stig_microsoft_lync_2013.json +29 -0
  269. data/standards/stig_microsoft_office_system_2007.json +221 -0
  270. data/standards/stig_microsoft_office_system_2010.json +233 -0
  271. data/standards/stig_microsoft_office_system_2013.json +293 -0
  272. data/standards/stig_microsoft_office_system_2016.json +131 -0
  273. data/standards/stig_microsoft_onedrivebusiness_2016.json +89 -0
  274. data/standards/stig_microsoft_onenote_2010.json +77 -0
  275. data/standards/stig_microsoft_onenote_2013.json +71 -0
  276. data/standards/stig_microsoft_onenote_2016.json +71 -0
  277. data/standards/stig_microsoft_outlook_2003.json +65 -0
  278. data/standards/stig_microsoft_outlook_2007.json +479 -0
  279. data/standards/stig_microsoft_outlook_2010.json +515 -0
  280. data/standards/stig_microsoft_outlook_2013.json +497 -0
  281. data/standards/stig_microsoft_outlook_2016.json +359 -0
  282. data/standards/stig_microsoft_powerpoint_2003.json +47 -0
  283. data/standards/stig_microsoft_powerpoint_2007.json +131 -0
  284. data/standards/stig_microsoft_powerpoint_2010.json +191 -0
  285. data/standards/stig_microsoft_powerpoint_2013.json +251 -0
  286. data/standards/stig_microsoft_powerpoint_2016.json +233 -0
  287. data/standards/stig_microsoft_project_2010.json +83 -0
  288. data/standards/stig_microsoft_project_2013.json +95 -0
  289. data/standards/stig_microsoft_project_2016.json +95 -0
  290. data/standards/stig_microsoft_publisher_2010.json +107 -0
  291. data/standards/stig_microsoft_publisher_2013.json +101 -0
  292. data/standards/stig_microsoft_publisher_2016.json +101 -0
  293. data/standards/stig_microsoft_sharepoint_designer_2013.json +71 -0
  294. data/standards/stig_microsoft_skypebusiness_2016.json +29 -0
  295. data/standards/stig_microsoft_sql_server_2005_database.json +167 -0
  296. data/standards/stig_microsoft_sql_server_2005_instance.json +1001 -0
  297. data/standards/stig_microsoft_sql_server_2012_database.json +179 -0
  298. data/standards/stig_microsoft_sql_server_2012_database_instance.json +929 -0
  299. data/standards/stig_microsoft_visio_2013.json +89 -0
  300. data/standards/stig_microsoft_visio_2016.json +89 -0
  301. data/standards/stig_microsoft_windows_10_mobile.json +215 -0
  302. data/standards/stig_microsoft_windows_2008_server_domain_name_system.json +269 -0
  303. data/standards/stig_microsoft_windows_2012_server_domain_name_system.json +551 -0
  304. data/standards/stig_microsoft_windows_phone_8.1.json +161 -0
  305. data/standards/stig_microsoft_windows_server_2012_domain_controller.json +2633 -0
  306. data/standards/stig_microsoft_windows_server_2012_member_server.json +2411 -0
  307. data/standards/stig_microsoft_word_2003.json +47 -0
  308. data/standards/stig_microsoft_word_2007.json +119 -0
  309. data/standards/stig_microsoft_word_2010.json +221 -0
  310. data/standards/stig_microsoft_word_2013.json +221 -0
  311. data/standards/stig_microsoft_word_2016.json +215 -0
  312. data/standards/stig_mobile_application_management_mam_server.json +95 -0
  313. data/standards/stig_mobile_application_security_requirements_guide.json +233 -0
  314. data/standards/stig_mobile_device_integrity_scanning_mdis_server.json +119 -0
  315. data/standards/stig_mobile_device_management_mdm_server.json +125 -0
  316. data/standards/stig_mobile_device_manager_security_requirements_guide.json +2555 -0
  317. data/standards/stig_mobile_email_management_mem_server.json +197 -0
  318. data/standards/stig_mobile_operating_system_security_requirements_guide.json +1943 -0
  319. data/standards/stig_mobile_policy.json +35 -0
  320. data/standards/stig_mobile_policy_security_requirements_guide.json +437 -0
  321. data/standards/stig_mobileiron_core_v9.x_mdm.json +89 -0
  322. data/standards/stig_mobility_policy.json +65 -0
  323. data/standards/stig_mozilla_firefox.json +161 -0
  324. data/standards/stig_ms_exchange_2013_client_access_server.json +209 -0
  325. data/standards/stig_ms_exchange_2013_edge_transport_server.json +443 -0
  326. data/standards/stig_ms_exchange_2013_mailbox_server.json +437 -0
  327. data/standards/stig_ms_sharepoint_2010.json +269 -0
  328. data/standards/stig_ms_sharepoint_2013.json +245 -0
  329. data/standards/stig_ms_sharepoint_designer_2013.json +71 -0
  330. data/standards/stig_ms_sql_server_2014_database.json +263 -0
  331. data/standards/stig_ms_sql_server_2014_instance.json +575 -0
  332. data/standards/stig_ms_sql_server_2016_database.json +185 -0
  333. data/standards/stig_ms_sql_server_2016_instance.json +731 -0
  334. data/standards/stig_ms_windows_defender_antivirus.json +257 -0
  335. data/standards/stig_multifunction_device_and_network_printers.json +131 -0
  336. data/standards/stig_network_device_management_security_requirements_guide.json +863 -0
  337. data/standards/stig_network_devices.json +389 -0
  338. data/standards/stig_network_infrastructure_policy.json +455 -0
  339. data/standards/stig_network_security_requirements_guide.json +1961 -0
  340. data/standards/stig_operating_system_security_requirements_guide.json +1961 -0
  341. data/standards/stig_oracle_10_database_installation.json +527 -0
  342. data/standards/stig_oracle_10_database_instance.json +569 -0
  343. data/standards/stig_oracle_11_database_installation.json +527 -0
  344. data/standards/stig_oracle_11_database_instance.json +551 -0
  345. data/standards/stig_oracle_database_10g_installation.json +527 -0
  346. data/standards/stig_oracle_database_10g_instance.json +581 -0
  347. data/standards/stig_oracle_database_11.2g.json +1229 -0
  348. data/standards/stig_oracle_database_11g_installation.json +527 -0
  349. data/standards/stig_oracle_database_11g_instance.json +575 -0
  350. data/standards/stig_oracle_database_12c.json +1217 -0
  351. data/standards/stig_oracle_http_server_12.1.3.json +1703 -0
  352. data/standards/stig_oracle_linux_5.json +3431 -0
  353. data/standards/stig_oracle_linux_6.json +1583 -0
  354. data/standards/stig_oracle_weblogic_server_12c.json +443 -0
  355. data/standards/stig_palo_alto_networks_alg.json +311 -0
  356. data/standards/stig_palo_alto_networks_idps.json +185 -0
  357. data/standards/stig_palo_alto_networks_ndm.json +251 -0
  358. data/standards/stig_pda.json +83 -0
  359. data/standards/stig_pdasmartphone.json +95 -0
  360. data/standards/stig_perimeter_l3_switch.json +923 -0
  361. data/standards/stig_perimeter_l3_switch_-_cisco.json +1001 -0
  362. data/standards/stig_perimeter_router.json +803 -0
  363. data/standards/stig_perimeter_router_cisco.json +881 -0
  364. data/standards/stig_perimeter_router_juniper.json +803 -0
  365. data/standards/stig_postgresql_9.x.json +677 -0
  366. data/standards/stig_red_hat_enterprise_linux_5.json +3437 -0
  367. data/standards/stig_red_hat_enterprise_linux_6.json +1565 -0
  368. data/standards/stig_red_hat_enterprise_linux_7.json +1451 -0
  369. data/standards/stig_remote_access_policy.json +317 -0
  370. data/standards/stig_removable_storage_and_external_connection_technologies.json +143 -0
  371. data/standards/stig_removable_storage_and_external_connections.json +137 -0
  372. data/standards/stig_rfid_scanner.json +35 -0
  373. data/standards/stig_rfid_workstation.json +23 -0
  374. data/standards/stig_riverbed_steelhead_cx_v8_alg.json +83 -0
  375. data/standards/stig_riverbed_steelhead_cx_v8_ndm.json +371 -0
  376. data/standards/stig_router_security_requirements_guide.json +575 -0
  377. data/standards/stig_samsung_android_os_5_with_knox_2.0.json +365 -0
  378. data/standards/stig_samsung_android_os_6_with_knox_2.x.json +377 -0
  379. data/standards/stig_samsung_android_os_7_with_knox_2.x.json +443 -0
  380. data/standards/stig_samsung_android_with_knox_1.x.json +293 -0
  381. data/standards/stig_samsung_android_with_knox_2.x.json +371 -0
  382. data/standards/stig_samsung_knox_android_1.0.json +167 -0
  383. data/standards/stig_sharepoint_2010.json +269 -0
  384. data/standards/stig_sharepoint_2013.json +245 -0
  385. data/standards/stig_smartphone_policy.json +131 -0
  386. data/standards/stig_solaris_10_sparc.json +3029 -0
  387. data/standards/stig_solaris_10_x86.json +3065 -0
  388. data/standards/stig_solaris_11_sparc.json +1427 -0
  389. data/standards/stig_solaris_11_x86.json +1421 -0
  390. data/standards/stig_solaris_9_sparc.json +2915 -0
  391. data/standards/stig_solaris_9_x86.json +2915 -0
  392. data/standards/stig_sun_ray_4.json +185 -0
  393. data/standards/stig_sun_ray_4_policy.json +77 -0
  394. data/standards/stig_suse_linux_enterprise_server_v11system_z.json +3311 -0
  395. data/standards/stig_symantec_endpoint_protection_12.1_local_client_antivirus.json +689 -0
  396. data/standards/stig_symantec_endpoint_protection_12.1_managed_client_antivirus.json +695 -0
  397. data/standards/stig_tanium_6.5.json +461 -0
  398. data/standards/stig_tanium_7.0.json +803 -0
  399. data/standards/stig_test_and_development_zone_a.json +167 -0
  400. data/standards/stig_test_and_development_zone_b.json +179 -0
  401. data/standards/stig_test_and_development_zone_c.json +143 -0
  402. data/standards/stig_test_and_development_zone_d.json +143 -0
  403. data/standards/stig_traditional_security.json +917 -0
  404. data/standards/stig_unix_srg.json +3287 -0
  405. data/standards/stig_video_services_policy.json +497 -0
  406. data/standards/stig_video_teleconference.json +47 -0
  407. data/standards/stig_video_teleconference_vtc.json +12 -0
  408. data/standards/stig_vmware_esx_3_policy.json +155 -0
  409. data/standards/stig_vmware_esx_3_server.json +3791 -0
  410. data/standards/stig_vmware_esx_3_virtual_center.json +257 -0
  411. data/standards/stig_vmware_esx_3_virtual_machine.json +53 -0
  412. data/standards/stig_vmware_esxi_server_5.0.json +809 -0
  413. data/standards/stig_vmware_esxi_v5.json +5177 -0
  414. data/standards/stig_vmware_esxi_version_5_virtual_machine.json +317 -0
  415. data/standards/stig_vmware_nsx_distributed_firewall.json +83 -0
  416. data/standards/stig_vmware_nsx_distributed_logical_router.json +35 -0
  417. data/standards/stig_vmware_nsx_manager.json +191 -0
  418. data/standards/stig_vmware_vcenter_server.json +179 -0
  419. data/standards/stig_vmware_vcenter_server_version_5.json +149 -0
  420. data/standards/stig_vmware_vsphere_esxi_6.0.json +659 -0
  421. data/standards/stig_vmware_vsphere_vcenter_server_version_6.json +311 -0
  422. data/standards/stig_vmware_vsphere_virtual_machine_version_6.json +269 -0
  423. data/standards/stig_voice_and_video_over_internet_protocol_vvoip_policy.json +407 -0
  424. data/standards/stig_voice_video_endpoint_security_requirements_guide.json +395 -0
  425. data/standards/stig_voice_video_services_policy.json +671 -0
  426. data/standards/stig_voice_video_session_management_security_requirements_guide.json +329 -0
  427. data/standards/stig_voicevideo_over_internet_protocol.json +419 -0
  428. data/standards/stig_voicevideo_over_internet_protocol_vvoip.json +263 -0
  429. data/standards/stig_voicevideo_services_policy.json +569 -0
  430. data/standards/stig_web_policy.json +95 -0
  431. data/standards/stig_web_server.json +317 -0
  432. data/standards/stig_web_server_security_requirements_guide.json +587 -0
  433. data/standards/stig_win2k3_audit.json +761 -0
  434. data/standards/stig_win2k8_audit.json +1085 -0
  435. data/standards/stig_win2k8_r2_audit.json +1637 -0
  436. data/standards/stig_win7_audit.json +1613 -0
  437. data/standards/stig_windows_10.json +1691 -0
  438. data/standards/stig_windows_2003_domain_controller.json +893 -0
  439. data/standards/stig_windows_2003_member_server.json +845 -0
  440. data/standards/stig_windows_2008_domain_controller.json +1475 -0
  441. data/standards/stig_windows_2008_member_server.json +1301 -0
  442. data/standards/stig_windows_7.json +1781 -0
  443. data/standards/stig_windows_8.json +2399 -0
  444. data/standards/stig_windows_88.1.json +2273 -0
  445. data/standards/stig_windows_8_8.1.json +2297 -0
  446. data/standards/stig_windows_defender_antivirus.json +239 -0
  447. data/standards/stig_windows_dns.json +185 -0
  448. data/standards/stig_windows_firewall_with_advanced_security.json +137 -0
  449. data/standards/stig_windows_paw.json +155 -0
  450. data/standards/stig_windows_phone_6.5_with_good_mobility_suite.json +65 -0
  451. data/standards/stig_windows_server_2008_r2_domain_controller.json +1961 -0
  452. data/standards/stig_windows_server_2008_r2_member_server.json +1745 -0
  453. data/standards/stig_windows_server_20122012_r2_domain_controller.json +2255 -0
  454. data/standards/stig_windows_server_20122012_r2_member_server.json +2045 -0
  455. data/standards/stig_windows_server_2012_2012_r2_domain_controller.json +2279 -0
  456. data/standards/stig_windows_server_2012_2012_r2_member_server.json +2075 -0
  457. data/standards/stig_windows_server_2012_domain_controller.json +2471 -0
  458. data/standards/stig_windows_server_2012_member_server.json +2249 -0
  459. data/standards/stig_windows_server_2016.json +1661 -0
  460. data/standards/stig_windows_vista.json +1517 -0
  461. data/standards/stig_windows_xp.json +893 -0
  462. data/standards/stig_wireless_keyboard_and_mouse.json +23 -0
  463. data/standards/stig_wireless_management_server_policy.json +53 -0
  464. data/standards/stig_wireless_remote_access_policy_security_implementation_guide.json +29 -0
  465. data/standards/stig_wlan_access_point_enclave-niprnet_connected.json +227 -0
  466. data/standards/stig_wlan_access_point_internet_gateway_only_connection.json +209 -0
  467. data/standards/stig_wlan_access_point_policy.json +17 -0
  468. data/standards/stig_wlan_authentication_server.json +29 -0
  469. data/standards/stig_wlan_bridge.json +209 -0
  470. data/standards/stig_wlan_client.json +65 -0
  471. data/standards/stig_wlan_controller.json +215 -0
  472. data/standards/stig_wlan_ids_sensorserver.json +23 -0
  473. data/standards/stig_wman_access_point.json +263 -0
  474. data/standards/stig_wman_bridge.json +209 -0
  475. data/standards/stig_wman_subscriber.json +65 -0
  476. data/standards/stig_zos_acf2.json +1451 -0
  477. data/standards/stig_zos_bmc_control-dacf2.json +53 -0
  478. data/standards/stig_zos_bmc_control-dracf.json +59 -0
  479. data/standards/stig_zos_bmc_control-dtss.json +65 -0
  480. data/standards/stig_zos_bmc_control-macf2.json +59 -0
  481. data/standards/stig_zos_bmc_control-mracf.json +65 -0
  482. data/standards/stig_zos_bmc_control-mrestartacf2.json +23 -0
  483. data/standards/stig_zos_bmc_control-mrestartracf.json +23 -0
  484. data/standards/stig_zos_bmc_control-mrestarttss.json +23 -0
  485. data/standards/stig_zos_bmc_control-mtss.json +71 -0
  486. data/standards/stig_zos_bmc_control-oacf2.json +53 -0
  487. data/standards/stig_zos_bmc_control-oracf.json +59 -0
  488. data/standards/stig_zos_bmc_control-otss.json +65 -0
  489. data/standards/stig_zos_bmc_ioaacf2.json +53 -0
  490. data/standards/stig_zos_bmc_ioaracf.json +59 -0
  491. data/standards/stig_zos_bmc_ioatss.json +65 -0
  492. data/standards/stig_zos_bmc_mainviewzosacf2.json +47 -0
  493. data/standards/stig_zos_bmc_mainviewzosracf.json +53 -0
  494. data/standards/stig_zos_bmc_mainviewzostss.json +59 -0
  495. data/standards/stig_zos_ca_1_tape_managementacf2.json +65 -0
  496. data/standards/stig_zos_ca_1_tape_managementracf.json +77 -0
  497. data/standards/stig_zos_ca_1_tape_managementtss.json +77 -0
  498. data/standards/stig_zos_ca_auditoracf2.json +29 -0
  499. data/standards/stig_zos_ca_auditorracf.json +29 -0
  500. data/standards/stig_zos_ca_auditortss.json +29 -0
  501. data/standards/stig_zos_ca_common_servicesacf2.json +23 -0
  502. data/standards/stig_zos_ca_common_servicesracf.json +29 -0
  503. data/standards/stig_zos_ca_common_servicestss.json +29 -0
  504. data/standards/stig_zos_ca_micsacf2.json +23 -0
  505. data/standards/stig_zos_ca_micsracf.json +23 -0
  506. data/standards/stig_zos_ca_micstss.json +23 -0
  507. data/standards/stig_zos_ca_mimacf2.json +41 -0
  508. data/standards/stig_zos_ca_mimracf.json +47 -0
  509. data/standards/stig_zos_ca_mimtss.json +47 -0
  510. data/standards/stig_zos_ca_vtapeacf2.json +29 -0
  511. data/standards/stig_zos_ca_vtaperacf.json +35 -0
  512. data/standards/stig_zos_ca_vtapetss.json +35 -0
  513. data/standards/stig_zos_catalog_solutionsacf2.json +23 -0
  514. data/standards/stig_zos_catalog_solutionsracf.json +23 -0
  515. data/standards/stig_zos_catalog_solutionstss.json +23 -0
  516. data/standards/stig_zos_clsupersessionacf2.json +53 -0
  517. data/standards/stig_zos_clsupersessionracf.json +65 -0
  518. data/standards/stig_zos_clsupersessiontss.json +71 -0
  519. data/standards/stig_zos_compuware_abend-aidacf2.json +47 -0
  520. data/standards/stig_zos_compuware_abend-aidracf.json +53 -0
  521. data/standards/stig_zos_compuware_abend-aidtss.json +53 -0
  522. data/standards/stig_zos_cssmtpacf2.json +23 -0
  523. data/standards/stig_zos_cssmtpracf.json +29 -0
  524. data/standards/stig_zos_cssmtptss.json +29 -0
  525. data/standards/stig_zos_fdracf2.json +23 -0
  526. data/standards/stig_zos_fdrracf.json +23 -0
  527. data/standards/stig_zos_fdrtss.json +23 -0
  528. data/standards/stig_zos_hcdacf2.json +29 -0
  529. data/standards/stig_zos_hcdracf.json +29 -0
  530. data/standards/stig_zos_hcdtss.json +29 -0
  531. data/standards/stig_zos_ibm_cics_transaction_serveracf2.json +17 -0
  532. data/standards/stig_zos_ibm_cics_transaction_serverracf.json +17 -0
  533. data/standards/stig_zos_ibm_cics_transaction_servertss.json +17 -0
  534. data/standards/stig_zos_ibm_health_checkeracf2.json +23 -0
  535. data/standards/stig_zos_ibm_health_checkerracf.json +29 -0
  536. data/standards/stig_zos_ibm_health_checkertss.json +29 -0
  537. data/standards/stig_zos_ibm_system_display_and_search_facility_sdsfacf2.json +53 -0
  538. data/standards/stig_zos_ibm_system_display_and_search_facility_sdsfracf.json +59 -0
  539. data/standards/stig_zos_ibm_system_display_and_search_facility_sdsftss.json +53 -0
  540. data/standards/stig_zos_icsfacf2.json +29 -0
  541. data/standards/stig_zos_icsfracf.json +35 -0
  542. data/standards/stig_zos_icsftss.json +35 -0
  543. data/standards/stig_zos_netviewacf2.json +41 -0
  544. data/standards/stig_zos_netviewracf.json +47 -0
  545. data/standards/stig_zos_netviewtss.json +53 -0
  546. data/standards/stig_zos_quest_nc-passacf2.json +35 -0
  547. data/standards/stig_zos_quest_nc-passracf.json +41 -0
  548. data/standards/stig_zos_quest_nc-passtss.json +47 -0
  549. data/standards/stig_zos_racf.json +1415 -0
  550. data/standards/stig_zos_roscoeacf2.json +47 -0
  551. data/standards/stig_zos_roscoeracf.json +53 -0
  552. data/standards/stig_zos_roscoetss.json +59 -0
  553. data/standards/stig_zos_srrauditacf2.json +23 -0
  554. data/standards/stig_zos_srrauditracf.json +23 -0
  555. data/standards/stig_zos_srraudittss.json +23 -0
  556. data/standards/stig_zos_tadzacf2.json +29 -0
  557. data/standards/stig_zos_tadzracf.json +35 -0
  558. data/standards/stig_zos_tadztss.json +35 -0
  559. data/standards/stig_zos_tdmfacf2.json +23 -0
  560. data/standards/stig_zos_tdmfracf.json +23 -0
  561. data/standards/stig_zos_tdmftss.json +23 -0
  562. data/standards/stig_zos_tss.json +1523 -0
  563. data/standards/stig_zos_vssracf.json +29 -0
  564. metadata +691 -0
@@ -0,0 +1,185 @@
1
+ {
2
+ "name": "stig_juniper_srx_sg_vpn",
3
+ "date": "2017-10-03",
4
+ "description": "This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.",
5
+ "title": "Juniper SRX SG VPN Security Technical Implementation Guide",
6
+ "version": "1",
7
+ "item_syntax": "^\\w-\\d+$",
8
+ "section_separator": null,
9
+ "items": [
10
+ {
11
+ "id": "V-66021",
12
+ "title": "The Juniper SRX Services Gateway VPN must use AES encryption for the IPsec proposal to protect the confidentiality of remote access sessions.",
13
+ "description": "Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. The Advance Encryption Standard (AES) encryption is critical to ensuring the privacy of the IPsec session; it is imperative that AES is used for encryption operations.\n\nRemote access is access to DoD-non-public information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless connections.\n\nWhile there is much debate about the security and performance of AES, there is a consensus that AES is significantly more secure than other algorithms currently supported by IPsec implementations. AES is available in three key sizes: 128, 192, and 256 bits, versus the 56 bit DES. Therefore, there are approximately 1021 times more AES 128-bit keys than DES 56-bit keys. In addition, AES uses a block size of 128 bits—twice the size of DES or 3DES.",
14
+ "severity": "high"
15
+ },
16
+ {
17
+ "id": "V-66617",
18
+ "title": "The Juniper SRX Services Gateway VPN must use AES encryption for the Internet Key Exchange (IKE) proposal to protect the confidentiality of remote access sessions.",
19
+ "description": "Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. The Advance Encryption Standard (AES) algorithm is critical to ensuring the privacy of the IKE session responsible for establishing the security association and key exchange for an IPsec tunnel. AES is used for encryption operations.\n\nRemote access is access to DoD-non-public information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless connections.\n\nWhile there is much debate about the security and performance of AES, there is a consensus that AES is significantly more secure than other algorithms currently supported by IPsec implementations. AES is available in three key sizes: 128, 192, and 256 bits, versus the 56 bit DES. Therefore, there are approximately 1021 times more AES 128-bit keys than DES 56-bit keys. In addition, AES uses a block size of 128 bits—twice the size of DES or 3DES.",
20
+ "severity": "high"
21
+ },
22
+ {
23
+ "id": "V-66619",
24
+ "title": "The Juniper SRX Services Gateway VPN must use Internet Key Exchange (IKE) for IPsec VPN Security Associations (SAs).",
25
+ "description": "Without IKE, the SPI is manually specified for each security association. IKE peers will negotiate the encryption algorithm and authentication or hashing methods as well as generate the encryption keys. \n\nAn IPsec SA is established using either Internet Key Exchange (IKE) or manual configuration. When using IKE, the security associations are established when needed and expire after a period of time or volume of traffic threshold. If manually configured, they are established as soon as the configuration is complete at both end points and they do not expire. When using IKE, the Security Parameter Index (SPI) for each security association is a pseudo-randomly derived number. \n\nWith manual configuration of the IPsec security association, both the cipher key and authentication key are static. Hence, if the keys are compromised, the traffic being protected by the current IPsec tunnel can be decrypted as well as traffic in any future tunnels established by this SA. Furthermore, the peers are not authenticated prior to establishing the SA, which could result in a rogue device establishing an IPsec SA with either of the VPN end points.\n\nIKE provides primary authentication to verify the identity of the remote system before negotiation begins. This feature is lost when the IPsec security associations are manually configured, which results in a non-terminating session using static pre-shared keys.",
26
+ "severity": "high"
27
+ },
28
+ {
29
+ "id": "V-66621",
30
+ "title": "The Juniper SRX Services Gateway VPN must not accept certificates that have been revoked when using PKI for authentication.",
31
+ "description": "Situations may arise in which the certificate issued by a Certificate Authority (CA) may need to be revoked before the lifetime of the certificate expires. For example, the certificate is known to have been compromised. \n\nTo achieve this, a list of certificates that have been revoked, known as a Certificate Revocation List (CRL), is sent periodically from the CA to the IPsec gateway. When an incoming Internet Key Exchange (IKE) session is initiated for a remote client or peer whose certificate is revoked, the CRL will be checked to see if the certificate is valid; if the certificate is revoked, IKE will fail and an IPsec security association will not be established for the remote endpoint.",
32
+ "severity": "high"
33
+ },
34
+ {
35
+ "id": "V-66623",
36
+ "title": "The Juniper SRX Services Gateway VPN must use multifactor authentication (e.g., DoD PKI) for network access to non-privileged accounts.",
37
+ "description": "To assure accountability and prevent unauthenticated access, non-privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system. \n\nMultifactor authentication uses two or more factors to achieve authentication. Use of password for user remote access for non-privileged account is not authorized.\n\nFactors include:\n(i) Something you know (e.g., password/PIN); \n(ii) Something you have (e.g., cryptographic identification device, token); or \n(iii) Something you are (e.g., biometric). \n\nA non-privileged account is any information system account with authorizations of a non-privileged user. \n\nNetwork access is any access to an application by a user (or process acting on behalf of a user) where said access is obtained through a network connection.\n\nThe DoD CAC with DoD-approved PKI is an example of multifactor authentication.",
38
+ "severity": "high"
39
+ },
40
+ {
41
+ "id": "V-66625",
42
+ "title": "The Juniper SRX Services Gateway VPN Internet Key Exchange (IKE) must use cryptography that is compliant with Suite B parameters when transporting classified traffic across an unclassified network.",
43
+ "description": "Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The network element must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.\n\nRFC 6379 Suite B Cryptographic Suites for IPsec defines four cryptographic user interface suites for deploying IPsec. Each suite provides choices for Encapsulating Security Payload (ESP) and IKE. The four suites are differentiated by the choice of IKE authentication and key exchange, cryptographic algorithm strengths, and whether ESP is to provide both confidentiality and integrity or integrity only. The suite names are based on the Advanced Encryption Standard (AES) mode and AES key length specified for ESP. Two suites are defined for transporting classified information up to SECRET level—one for both confidentiality and integrity and one for integrity only. There are also two suites defined for transporting classified information up to TOP SECRET level.",
44
+ "severity": "high"
45
+ },
46
+ {
47
+ "id": "V-66629",
48
+ "title": "The Juniper SRX Services Gateway VPN must limit the number of concurrent sessions for user accounts to one (1) and administrative accounts to three (3), or set to an organization-defined number.",
49
+ "description": "Network element management includes the ability to control the number of users and user sessions that utilize a network element. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to DoS attacks.\n\nThis requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system.\n\nThe intent of this policy is to ensure the number of concurrent sessions is deliberately set to a number based on the site's mission and not left unlimited.",
50
+ "severity": "medium"
51
+ },
52
+ {
53
+ "id": "V-66631",
54
+ "title": "The Juniper SRX Services Gateway VPN must renegotiate the security association after 8 hours or less.",
55
+ "description": "The IPsec SA and its corresponding key will expire either after the number of seconds or amount of traffic volume has exceeded the configured limit. A new SA is negotiated before the lifetime threshold of the existing SA is reached to ensure that a new SA is ready for use when the old one expires. The longer the lifetime of the IPsec SA, the longer the lifetime of the session key used to protect IP traffic. The SA is less secure with a longer lifetime because an attacker has a greater opportunity to collect traffic encrypted by the same key and subject it to cryptanalysis. However, a shorter lifetime causes IPsec peers to renegotiate Phase II more often resulting in the expenditure of additional resources. \n\nFor the Juniper SRX, specify the lifetime (in seconds) of an Internet Key Exchange (IKE) security association (SA). When the SA expires, it is replaced by a new SA, the security parameter index (SPI), or terminated if the peer cannot be contacted for renegotiation.",
56
+ "severity": "medium"
57
+ },
58
+ {
59
+ "id": "V-66641",
60
+ "title": "The Juniper SRX Services Gateway VPN must configure Internet Key Exchange (IKE) with SHA1 or greater to protect the authenticity of communications sessions.",
61
+ "description": "Authenticity protection provides protection against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions.\n\nThis requirement focuses on communications protection for the application session rather than for the network packet and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. Depending on the required degree of confidentiality and integrity, web services/SOA will require the use of mutual authentication (two-way/bidirectional).\n\nAn IPsec Security Associations (SA) is established using either IKE or manual configuration.",
62
+ "severity": "high"
63
+ },
64
+ {
65
+ "id": "V-66643",
66
+ "title": "The Juniper SRX Services Gateway VPN must renegotiate the security association after 24 hours or less.",
67
+ "description": "When a VPN gateway creates an IPsec Security Association (SA), resources must be allocated to maintain the SA. These resources are wasted during periods of IPsec endpoint inactivity, which could result in the gateway’s inability to create new SAs for other endpoints, thereby preventing new sessions from connecting. The Internet Key Exchange (IKE) idle timeout may also be set to allow SAs associated with inactive endpoints to be deleted before the SA lifetime has expired, although this setting is not recommended at this time. The value of one hour or less is a common best practice.",
68
+ "severity": "medium"
69
+ },
70
+ {
71
+ "id": "V-66645",
72
+ "title": "The Juniper SRX Services Gateway VPN device also fulfills the role of IDPS in the architecture, the device must inspect the VPN traffic in compliance with DoD IDPS requirements.",
73
+ "description": "Remote access devices, such as those providing remote access to network devices and information systems, which lack automated, capabilities increase risk and makes remote user access management difficult at best.\n\nRemote access is access to DoD non-public information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. \n\nAutomated monitoring of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote access capabilities, from a variety of information system components (e.g., servers, workstations, notebook computers, smart phones, and tablets).",
74
+ "severity": "medium"
75
+ },
76
+ {
77
+ "id": "V-66647",
78
+ "title": "The Juniper SRX Services Gateway VPN must implement a FIPS-140-2 validated Diffie-Hellman (DH) group.",
79
+ "description": " Use of an approved DH algorithm ensures the Internet Key Exchange (IKE) (phase 1) proposal uses FIPS-validated key management techniques and processes in the production, storage, and control of private/secret cryptographic keys. The security of the DH key exchange is based on the difficulty of solving the discrete logarithm in which the key was derived from. Hence, the larger the modulus, the more secure the generated key is considered to be.",
80
+ "severity": "medium"
81
+ },
82
+ {
83
+ "id": "V-66649",
84
+ "title": "The Juniper SRX Services Gateway VPN must be configured to use IPsec with SHA1 or greater to negotiate hashing to protect the integrity of remote access sessions.",
85
+ "description": "Without strong cryptographic integrity protections, information can be altered by unauthorized users without detection. \n\nRemote access VPN provides access to DoD non-public information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network.",
86
+ "severity": "medium"
87
+ },
88
+ {
89
+ "id": "V-66651",
90
+ "title": "The Juniper SRX Services Gateway VPN must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.",
91
+ "description": "Remote access devices, such as those providing remote access to network devices and information systems, which lack automated, capabilities increase risk and makes remote user access management difficult at best.\n\nRemote access is access to DoD non-public information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. \n\nAutomated monitoring of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote access capabilities, from a variety of information system components (e.g., servers, workstations, notebook computers, smart phones, and tablets). \n\nIn phase-2, another negotiation is performed, detailing the parameters for the IPsec connection. New keying material using the Diffie-Hellman key exchange established in phase-1 is used to provide session keys used to protecting the VPN data flow. If Perfect-Forwarding-Secrecy (PFS) is used, a new Diffie-Hellman exchange is performed for each phase-2 negotiation. While this is slower, it makes sure that no keys are dependent on any other previously used keys; no keys are extracted from the same initial keying material. This is to make sure that, in the unlikely event that some key was compromised; no subsequent keys can be derived.",
92
+ "severity": "medium"
93
+ },
94
+ {
95
+ "id": "V-66653",
96
+ "title": "If IDPS inspection is performed separately from the Juniper SRX Services Gateway VPN device, the VPN must route sessions to an IDPS for inspection.",
97
+ "description": "Remote access devices, such as those providing remote access to network devices and information systems, which lack automated, capabilities increase risk and makes remote user access management difficult at best.\n\nRemote access is access to DoD non-public information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. \n\nAutomated monitoring of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote access capabilities, from a variety of information system components (e.g., servers, workstations, notebook computers, smart phones, and tablets).",
98
+ "severity": "medium"
99
+ },
100
+ {
101
+ "id": "V-66655",
102
+ "title": "The Juniper SRX Services Gateway VPN must specify Perfect Forward Secrecy (PFS).",
103
+ "description": "PFS generates each new encryption key independently from the previous key. Without PFS, compromise of one key will compromise all communications. \n\nThe phase 2 (Quick Mode) Security Association (SA) is used to create an IPsec session key. Hence, its rekey or key regeneration procedure is very important. The phase 2 rekey can be performed with or without Perfect Forward Secrecy (PFS). With PFS, every time a new IPsec Security Association is negotiated during the Quick Mode, a new Diffie-Hellman (DH) exchange occurs. The new DH shared secret will be included with original keying material (SYKEID_d, initiator nonce, and responder nonce from phase 1) for generating a new IPsec session key. If PFS is not used, the IPsec session key will always be completely dependent on the original keying material from the Phase-1. Hence, if an older key is compromised at any time, it is possible that all new keys may be compromised. \n\nThe DH exchange is performed in the same manner as was done in phase 1 (Main or Aggressive Mode). However, the phase 2 exchange is protected by encrypting the phase 2 packets with the key derived from the phase 1 negotiation. Because DH negotiations during phase 2 are encrypted, the new IPsec session key has an added element of secrecy.",
104
+ "severity": "medium"
105
+ },
106
+ {
107
+ "id": "V-66657",
108
+ "title": "The Juniper SRX Services Gateway VPN must use Encapsulating Security Payload (ESP) in tunnel mode.",
109
+ "description": "ESP provides confidentiality, data origin authentication, integrity, and anti-replay services within the IPsec suite of protocols. ESP in tunnel mode ensures a secure path for communications for site-to-site VPNs and gateway to endpoints, including header information.\n\nESP can be deployed in either transport or tunnel mode. Transport mode is used to create a secured session between two hosts. It can also be used when two hosts simply want to authenticate each IP packet with IPsec authentication header (AH). With ESP transport mode, only the payload (transport layer) is encrypted, whereas with tunnel mode, the entire IP packet is encrypted and encapsulated with a new IP header. Tunnel mode is used to encrypt traffic between secure IPsec gateways or between an IPsec gateway and an end-station running IPsec software. Hence, it is the only method to provide a secured path to transport traffic between remote sites or end-stations and the central site.",
110
+ "severity": "medium"
111
+ },
112
+ {
113
+ "id": "V-66659",
114
+ "title": "The Juniper SRX Services Gateway must disable or remove unnecessary network services and functions that are not used as part of its role in the architecture.",
115
+ "description": "Network devices are capable of providing a wide variety of functions (capabilities or processes) and services. Some of these functions and services are installed and enabled by default. The organization must determine which functions and services are required to perform the content filtering and other necessary core functionality for each component of the SRX. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nServices that may be related security-related, but based on the role of the device in the architecture do not need to be installed. For example, the Juniper SRX can have an Antivirus, Web filter, IDS, or ALG license. However, if these functions are not part of the documented role of the SRX in the enterprise or branch architecture, then these the software and licenses should not be installed on the device. This mitigates the risk of exploitation of unconfigured services or services that are not kept updated with security fixes. If left unsecured, these services may provide a threat vector.\n\nOnly remove unauthorized services. This control is not intended to restrict the use of Juniper SRX devices with multiple authorized roles.",
116
+ "severity": "medium"
117
+ },
118
+ {
119
+ "id": "V-66661",
120
+ "title": "The Juniper SRX Services Gateway VPN must use IKEv2 for IPsec VPN security associations.",
121
+ "description": "Use of IKEv2 leverages DoS protections because of improved bandwidth management and leverages more secure encryption algorithms.",
122
+ "severity": "medium"
123
+ },
124
+ {
125
+ "id": "V-66663",
126
+ "title": "The Juniper SRX Services Gateway VPN must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.",
127
+ "description": "In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types); organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.\n\nDoD continually assesses the ports, protocols, and services that can be used for network communications. Some ports, protocols or services have known exploits or security weaknesses. Network traffic using these ports, protocols, and services must be prohibited or restricted in accordance with DoD policy. The PPSM CAL and vulnerability assessments provide an authoritative source for ports, protocols, and services that are unauthorized or restricted across boundaries on DoD networks.\n\nThe Juniper SRX must be configured to prevent or restrict the use of prohibited ports, protocols, and services throughout the network by filtering the network traffic and disallowing or redirecting traffic as necessary. Default and updated policy filters from the vendors will disallow older version of protocols and applications and will address most known non-secure ports, protocols, and/or services.",
128
+ "severity": "medium"
129
+ },
130
+ {
131
+ "id": "V-66665",
132
+ "title": "The Juniper SRX Services Gateway VPN must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).",
133
+ "description": "To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. \n\nOrganizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and any processes acting on behalf of users) must be uniquely identified and authenticated for all accesses except the following.\n\n(i) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and \n\n(ii) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity.\n\nThis requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN or proxy capability). This does not apply to authentication for the purpose of configuring the device itself (i.e., device management).",
134
+ "severity": "medium"
135
+ },
136
+ {
137
+ "id": "V-66667",
138
+ "title": "The Juniper SRX Services Gateway VPN must use FIPS 140-2 compliant mechanisms for authentication to a cryptographic module.",
139
+ "description": "Unapproved mechanisms that are used for authentication to the cryptographic module are not verified, and therefore cannot be relied upon to provide confidentiality or integrity and DoD data may be compromised.\n\nNetwork elements utilizing encryption are required to use FIPS compliant mechanisms for authenticating to cryptographic modules.\n\nFIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements.",
140
+ "severity": "medium"
141
+ },
142
+ {
143
+ "id": "V-66669",
144
+ "title": "The Juniper SRX Services Gateway VPN must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).",
145
+ "description": "Lack of authentication and identification enables non-organizational users to gain access to the network or possibly a network element that provides opportunity for intruders to compromise resources within the network infrastructure. \n\nThis requirement only applies to components where this is specific to the function of the device or has the concept of a non-organizational user.",
146
+ "severity": "medium"
147
+ },
148
+ {
149
+ "id": "V-66671",
150
+ "title": "The Juniper SRX Services Gateway VPN IKE must use NIST FIPS-validated cryptography to implement encryption services for unclassified VPN traffic.",
151
+ "description": "Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The network element must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.",
152
+ "severity": "medium"
153
+ },
154
+ {
155
+ "id": "V-66673",
156
+ "title": "The Juniper SRX Services Gateway VPN must only allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions.",
157
+ "description": "Untrusted certificate authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DoD-approved CA, trust of this CA has not been established.\n\nThe DoD will only accept PKI certificates obtained from a DoD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of Internet Key Exchange (IKE) authentication certificates. \n\nThis requirement focuses on communications protection for the application session rather than for the network packet. Network elements that perform these functions must be able to identify which session identifiers were generated when the sessions were established.",
158
+ "severity": "medium"
159
+ },
160
+ {
161
+ "id": "V-66675",
162
+ "title": "The Juniper SRX Services Gateway VPN must only allow incoming VPN communications from organization-defined authorized sources routed to organization-defined authorized destinations.",
163
+ "description": "Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources.\n\nAccess control policies and access control lists implemented on devices, such as firewalls, that control the flow of network traffic, ensure the flow of traffic is only allowed from authorized sources to authorized destinations. Networks with different levels of trust (e.g., the Internet) must be kept separated.",
164
+ "severity": "medium"
165
+ },
166
+ {
167
+ "id": "V-66677",
168
+ "title": "The Juniper SRX Services Gateway VPN must disable split-tunneling for remote clients VPNs.",
169
+ "description": "Split tunneling would in effect allow unauthorized external connections, making the system more vulnerable to attack and to exfiltration of organizational information.\n\nA VPN hardware or software client with split tunneling enabled provides an unsecured backdoor to the enclave from the Internet. With split tunneling enabled, a remote client has access to the Internet while at the same time has established a secured path to the enclave via an IPsec tunnel. A remote client connected to the Internet that has been compromised by an attacker in the Internet, provides an attack base to the enclave’s private network via the IPsec tunnel. Hence, it is imperative that the VPN gateway enforces a no split-tunneling policy to all remote clients.\n\nTraffic to the protected resource will go through the specified dynamic VPN tunnel and will therefore be protected by the Juniper SRX firewall’s security policies.",
170
+ "severity": "medium"
171
+ },
172
+ {
173
+ "id": "V-66679",
174
+ "title": "The Juniper SRX Services Gateway VPN must use anti-replay mechanisms for security associations.",
175
+ "description": "Anti-replay is an IPsec security mechanism at a packet level which helps to avoid unwanted users from intercepting and modifying an ESP packet.\n\nThe SRX adds a sequence number to the ESP encapsulation which is verified by the VPN peer so packets are received within a correct sequence. This will cause issues if packets are not received in the order in which they were sent out.\n\nBy default the SRX has a replay window of 64 or 32, depending on the platform. The SRX drops packets received out of order that are not received within this window. However, this default may be overridden by setting the option no-anti-replay as follows: set security vpn name ike no-anti-replay.",
176
+ "severity": "medium"
177
+ },
178
+ {
179
+ "id": "V-66681",
180
+ "title": "The Juniper SRX Services Gateway VPN must terminate all network connections associated with a communications session at the end of the session.",
181
+ "description": "Idle TCP sessions can be susceptible to unauthorized access and hijacking attacks. By default, routers do not continually test whether a previously connected TCP endpoint is still reachable. If one end of a TCP connection idles out or terminates abnormally, the opposite end of the connection may still believe the session is available. These “orphaned” sessions use up valuable router resources and can also be hijacked by an attacker. To mitigate this risk, routers must be configured to send periodic keep alive messages to check that the remote end of a session is still connected. If the remote device fails to respond to the TCP keep alive message, the sending router will clear the connection and free resources allocated to the session.\n\nThe TCP keep-alive for remote access is implemented in the Juniper SRX Firewall STIG.",
182
+ "severity": "low"
183
+ }
184
+ ]
185
+ }
@@ -0,0 +1,269 @@
1
+ {
2
+ "name": "stig_keyboard_video_and_mouse_switch",
3
+ "date": "2015-12-09",
4
+ "description": "The Keyboard Video and Mouse Switch (KVM) STIG includes the computing requirements for KVM switches operating to support the DoD. The Keyboard Video and Mouse Switch STIG must also be applied for each site using KVM switches. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.",
5
+ "title": "Keyboard Video and Mouse Switch STIG",
6
+ "version": "2",
7
+ "item_syntax": "^\\w-\\d+$",
8
+ "section_separator": null,
9
+ "items": [
10
+ {
11
+ "id": "V-6675",
12
+ "title": "Written user agreements for all users authorized to use the KVM or A/B switch must be maintained.",
13
+ "description": "A written user agreement allows the ISSO to be certain the end user that will be using the equipment has been presented with the documentation that explains their duties and responsibilities in relation to the equipment and they have acknowledged that they have read the documentation and understand it. Though there is no guarantee the user will perform as required, it will lessen the problems caused by uninformed users.\n\n The ISSO will maintain written user agreements for all users authorized to use the KVM or A/B switch.",
14
+ "severity": "low"
15
+ },
16
+ {
17
+ "id": "V-6676",
18
+ "title": "A SFUG, or an equivalent document, that describes the correct uses of the switch and user responsibilities, must be maintained and distributed.",
19
+ "description": "The SFUG (Security Features User Guide) or an equivalent document describes the user’s security responsibilities including any site-specific requirements. This gives the user a single reference source for both initial indoctrination and for later review. The distribution of the SFUG will lessen the vulnerabilities created by user ignorance of policy or procedures required by the site. By keeping this document current the user will have the current policies and procedures available. The ISSO will maintain and distribute to the users a SFUG, or an equivalent document, that describes the correct uses of the switch and the user’s responsibilities.",
20
+ "severity": "low"
21
+ },
22
+ {
23
+ "id": "V-6677",
24
+ "title": "The KVM switch must be physically protected in accordance with the requirements of the highest classification for any IS connected to the KVM switch.",
25
+ "description": "If the KVM switch is not physically protected in accordance with the requirements of the highest classification for any IS connected to the KVM switch, the KVM switch can be tampered with leading to the compromise of sensitive data or a denial of service caused by the disruption of the systems the KVM switch is connected.\n\nThe ISSO or SA will ensure the KVM switch is physically protected in accordance with the requirements of the highest classification for any IS connected to the KVM switch.\n",
26
+ "severity": "high"
27
+ },
28
+ {
29
+ "id": "V-6678",
30
+ "title": "Smart (intelligent or programmable) keyboard must not be used in conjunction with a KVM switch when the KVM switch is connected to ISs of different classification and/or sensitivity levels.",
31
+ "description": "In an environment where the KVM switch is connected to ISs of different classification and/or sensitivity levels, a smart (intelligent or programmable) keyboard can transfer sensitive data from one system to another leading to the compromise of data.\n\nThe ISSO or SA will ensure a smart (intelligent or programmable) keyboard is not used in conjunction with a KVM switch when the switch is connected to ISs of different classification and/or sensitivity levels.",
32
+ "severity": "medium"
33
+ },
34
+ {
35
+ "id": "V-6679",
36
+ "title": "A wireless keyboard or mouse that is compliance with the current Wireless Keyboard and Mouse STIG must be attached to a KVM switch.",
37
+ "description": "Signals from a wireless device can be intercepted and decoded which can lead to the compromise of sensitive data.\n\nThe ISSO or SA will ensure wireless keyboards or mice attached to KVM switches are in compliance with the current Wireless Keyboard and Mouse STIG.",
38
+ "severity": "medium"
39
+ },
40
+ {
41
+ "id": "V-6680",
42
+ "title": "The desktop background of information systems attached to a KVM switch must be labeled with the proper classification banners.",
43
+ "description": "Without the banners to identify the information system the KVM switch is currently active on, the user could enter a command to the wrong information system and create a denial of service or the user could enter data into the wrong system creating either a security incident (data entered to a system of the wrong classification) or a compromise of sensitive data.",
44
+ "severity": "low"
45
+ },
46
+ {
47
+ "id": "V-6681",
48
+ "title": "A KVM switch with configurable features must have the configuration protected from modification with a DoD compliant password.",
49
+ "description": "If the KVM switch is configurable, some features that are available such as auto toggling between attached ISs are not permitted. If the configuration is not protected by a password it can be modified by any user allowing features that are not permitted. This can lead to the compromise of sensitive data.\n\nIf the KVM switch has configurable features, the ISSO or SA will ensure the configuration is protected from modification with a DoD compliant password.",
50
+ "severity": "medium"
51
+ },
52
+ {
53
+ "id": "V-6682",
54
+ "title": "The KVM switch feature for automatically toggling between ISs must be disabled.",
55
+ "description": "The feature that automatically toggles between connected ISs or active ISs can cause a screen to be automatically displayed that contains sensitive information. This can lead to the compromise of sensitive data.\n\nThe ISSO or SA will ensure the feature for automatically toggling between ISs is disabled.",
56
+ "severity": "medium"
57
+ },
58
+ {
59
+ "id": "V-6683",
60
+ "title": "A hot key feature must not be enabled other than the menu feature that allows the user to select the IS to be used from the displayed menu.",
61
+ "description": "There are many \"hot key\" features that could be used. Since each vender has a different set of features and it is impractical to review all features from all venders for potential vulnerabilities, no features other than the ability to bring up a menu of the ISs available on the KVM switch to allow the user to select which IS they wish to display will be enabled. Additional features will be approved if requested and time is available to review the feature and its implementation.\n\nThe ISSO or SA will ensure the only “hot key” feature enabled is the menu feature that allows the user to select the IS to be used from the displayed menu.",
62
+ "severity": "medium"
63
+ },
64
+ {
65
+ "id": "V-6684",
66
+ "title": "A machine-readable or a paper-document backup must be maintained for the configuration of the KVM switch.",
67
+ "description": "Without a backup of the KVM switch's configuration, you can have a denial of service if the configuration cannot be restored quickly in the event it is lost or a faulty switch needs to be replaced.\n\nThe ISSO or SA will ensure a machine-readable or a paper-document backup is maintained for the configuration of the KVM switch.",
68
+ "severity": "low"
69
+ },
70
+ {
71
+ "id": "V-6685",
72
+ "title": "A written description of the KVM switch, the ISs attached to the KVM switch, and the classification level of each IS attached to the KVM switch must be maintained.",
73
+ "description": "Without a written description of the KVM switch, the ISs attached to the KVM switch, and the classification level of each IS attached to the KVM switch, tampering with the KVM switch by adding or moving connections cannot be verified and the physical configuration cannot be reproduced if needed. This can lead to a denial of service or a compromise of sensitive data if a connection is removed, moved, or added.\n\nThe ISSO will maintain a written description of the KVM switch, the ISs attached to the KVM switch, and the classification level of each IS attached to the KVM switch.",
74
+ "severity": "low"
75
+ },
76
+ {
77
+ "id": "V-6686",
78
+ "title": "The KVM switch must be configured to force the change of the configuration password every 90 days or there is no policy and procedure in place to change the configuration password every 90 days.",
79
+ "description": "The longer the time between password changes the greater the chance the password will become compromised. A compromised password can allow a malicious user to change the configuration of the KVM switch creating a denial of service or a compromise of sensitive data.\n\nThe ISSO will ensure the KVM switch is configured to force the change of the configuration password every 90 days or there is a policy and procedure in place to change the configuration password every 90 days.",
80
+ "severity": "medium"
81
+ },
82
+ {
83
+ "id": "V-6687",
84
+ "title": "The KVM switch has the ability to support a RAS connection, this feature must be disabled or the connectors on the KVM switch supporting this feature must be blocked with a tamper evident seal.",
85
+ "description": "KVM switches that support Dialup Remote Access Services (RAS) do not support a robust identification and authorization process or robust auditing; therefore this feature will not be used. Tamper evident seals over the port(s) that support this feature will serve as an indicator that this feature may not been used for unauthorized access to the KVM switch.\n\nThe ISSO has not ensured, if the KVM switch has the ability to support a RAS connection, this feature is disabled and the connectors on the KVM switch supporting this feature are blocked with a tamper evident seal.",
86
+ "severity": "high"
87
+ },
88
+ {
89
+ "id": "V-6698",
90
+ "title": "Written permission from the AO responsible for each IS attached to a KVM switch that is attached to ISs of different classification levels must be maintained.",
91
+ "description": "The AO responsible for an IS attached to a KVM switch that has other ISs attached of differing classifications levels must approve of the use of the KVM switch. The AO is the only individual that may be cognizant of the nature of the data accessible from the IS and what requirements have been placed on its access. There may be a need to have the system isolated from KVM switches even though they are approved for use in spanning classification levels.\n\nWhen the ISs are of different classification levels, the ISSM will maintain written permission from all AOs responsible for all ISs connected to a KVM switch.",
92
+ "severity": "low"
93
+ },
94
+ {
95
+ "id": "V-6699",
96
+ "title": "KVM or A/B switches must be approved prior to being connected to ISs of different classification levels.",
97
+ "description": "Only KVM switches that have been tested and verified to prevent the transfer of data from one IS to another will be used when the ISs connected to the switch are of differing classification levels. The switch will be operated in the approved port configuration only. When the KVM switch is attached to ISs of different classification levels, the ISSO will ensure only approved KVM or A/B switches are used.",
98
+ "severity": "medium"
99
+ },
100
+ {
101
+ "id": "V-6700",
102
+ "title": "A KVM switch must not be cascaded while being attached to ISs of different classification levels.",
103
+ "description": "Cascading KVM switches, connecting one switch to another switch, can make it difficult to determine which system is currently connected to the keyboard, video monitor, and mouse by simple observation. In situations where the ISs are of differing classification levels this could lead to the compromise of sensitive or classified data or a denial of service caused by a privileged command being given to the wrong system.\n\nWhen the KVM switch is attached to ISs of different classification levels, the ISSO or SA will ensure no KVM switches are cascaded.",
104
+ "severity": "low"
105
+ },
106
+ {
107
+ "id": "V-6701",
108
+ "title": "Tamper evident seals must be attached to the KVM switch and all IS cables at their attachment points where the KVM switch is attached to ISs of different classification levels.",
109
+ "description": "Tamper evident seals are designed to break if tampered with or show evidence of tampering. They are used to indicate a cabinet has been opened or a cable has been removed, moved or added. For KVM switches attached to ISs of differing classification levels it is necessary to be aware of any potential tampering with the connections. Switching the cables for two ISs could lead to the compromise of sensitive data. Removal of a cable could lead to a denial of service until it is reattached.\n\nThe ISSO or SA will ensure tamper evident seals are attached to the KVM switch and all IS cables at their attachment points.",
110
+ "severity": "medium"
111
+ },
112
+ {
113
+ "id": "V-6702",
114
+ "title": "A KVM switch must not be used to switch a peripheral other than a keyboard, video monitor, or mouse in an environment where the KVM switch is attached to ISs of different classification levels..",
115
+ "description": "Peripheral devices, other than keyboards, video monitors, and mice, can contain persistent memory and allow data to move between ISs of differing classification levels creating an unacceptable situation. This includes the ability to switch a smart card reader. If the switch has the ability to switch other peripheral devices and the feature is not disabled it will be assumed it is being used.\n\nWhen the KVM switch is attached to ISs of different classification levels, the ISSO or SA will ensure the KVM switch’s ability to switch peripheral devices other than the keyboard, video, and mouse is disabled.",
116
+ "severity": "high"
117
+ },
118
+ {
119
+ "id": "V-6703",
120
+ "title": "Peripherals other than a keyboard, video monitor, or mouse must not be attached to a KVM switch that is attached to ISs of different classification levels.",
121
+ "description": "It will be assumed that any peripheral other than a keyboard, video monitor, or mouse attached to a KVM switch is intended to be used regardless of the current configuration of the KVM switch. This peripheral can contain persistent memory that can be used to move data between ISs of different classification levels compromising either the data that was moved and the IS to which the data was moved.\n\nWhen the KVM switch is attached to ISs of different classification levels, the ISSO, the SA, and the user will ensure no peripherals other than the keyboard, video, or mouse is connected to the KVM.",
122
+ "severity": "high"
123
+ },
124
+ {
125
+ "id": "V-6704",
126
+ "title": "A KVM switch, which is attached to ISs of different classification levels, must have connections for peripherals, other than the keyboard, video monitor, or mouse, blocked with tamper evident seals.",
127
+ "description": "It will be assumed that KVM switches that can switch peripherals other than the keyboard, video monitor, and mouse, that are attached to ISs of differing classification levels, and that do not have the connectors for the additional peripherals blocked with tamper evident seals, have been tampered with and have been used to transfer data between ISs of different classifications levels until proven otherwise. If data is transferred between ISs of different classification levels the data has been compromised and the receiving IS has been compromised. \n\nWhen the KVM switch is attached to ISs of different classification levels, the ISSO or SA will ensure the connectors for additional peripherals are blocked with tamper evident seals.",
128
+ "severity": "medium"
129
+ },
130
+ {
131
+ "id": "V-6705",
132
+ "title": "A network attached KVM switch used to administer ISs must be attached to an out-of-band network.",
133
+ "description": "If a network attached KVM switch is attached to an out-of-band network there is less opportunity for a malicious user to compromise the interface and create a denial of service by issuing disruptive commands to a server.\n\nThe ISSO or SA will ensure a network attached KVM switch used to administer ISs is connected to an out-of-band network.",
134
+ "severity": "high"
135
+ },
136
+ {
137
+ "id": "V-6706",
138
+ "title": "The network attached KVM switch must not be attached to a network that is not at the same classification level as the ISs attached.",
139
+ "description": "If a network attached KVM switch is attached to a network of a different classification level than the ISs attached to the KVM switch, this could lead to a compromise of sensitive data either on the network or on the ISs.\n\nThe ISSO will ensure network attached KVM switches are only connected to a network at the same classification level as the ISs attached.",
140
+ "severity": "high"
141
+ },
142
+ {
143
+ "id": "V-6707",
144
+ "title": "The network-facing component of a network attached KVM switch must be compliant with the current Network Infrastructure STIG.",
145
+ "description": "If the network facing components of a network attached KVM switch are not in compliance with the Network Infrastructure STIG the KVM switch could expose the network to vulnerabilities that could lead to a denial of service caused by the disruption of the network or a compromise of sensitive data.",
146
+ "severity": "high"
147
+ },
148
+ {
149
+ "id": "V-6708",
150
+ "title": "The KVM switch must be configured to require the user to login to the KVM switch to access the ISs attached.",
151
+ "description": "Without identification and authentication of the user accessing the network attached KVM switch anyone can access the ISs attached and if they have knowledge of a valid user id and password for the IS, disrupt the system causing a denial of service or access sensitive data compromising that data.\n\nThe ISSO will ensure the KVM switch is configured to require the user to login to the KVM switch to access the ISs attached. PKI authentication is acceptable and preferred to password authentication.",
152
+ "severity": "high"
153
+ },
154
+ {
155
+ "id": "V-6709",
156
+ "title": "The KVM switch must be configured to require DoD compliant passwords.",
157
+ "description": "Strong passwords are harder to guess or discover via brute force making the system more secure from malicious tampering.\n\nThe ISSO will ensure the KVM switch is configured to require DoD compliant passwords.",
158
+ "severity": "high"
159
+ },
160
+ {
161
+ "id": "V-6710",
162
+ "title": "Group or shared user ids must not be used on a network attached KVM switch.",
163
+ "description": "Usage of group or shared user ids makes it impossible to attribute an action to the originating user. In the case of a malicious action this could make prosecution impossible.\n\nThe ISSO will ensure group or shared user ids are not used.",
164
+ "severity": "high"
165
+ },
166
+ {
167
+ "id": "V-6711",
168
+ "title": "The network attached KVM switch must be configured to restrict a users access only to the systems they require.",
169
+ "description": "Users accessing ISs they do not need access to can lead to the compromise of sensitive data.\n\nThe ISSO will ensure the KVM switch is configured to restrict a user’s access to only the systems they require.",
170
+ "severity": "low"
171
+ },
172
+ {
173
+ "id": "V-6712",
174
+ "title": "The network attached KVM switch must display an Electronic Notice and Consent Banner complaint with requirements of CJSCM 6510.01.",
175
+ "description": "The warning banner notifies the user they are accessing a DoD system and they consent to having their actions monitored. Without this banner it is difficult to prosecute individuals who violate the usage restrictions of the IS.",
176
+ "severity": "low"
177
+ },
178
+ {
179
+ "id": "V-6713",
180
+ "title": "The KVM switch must be configured to use encrypted communications with FIPS 140-2 validated cryptography.",
181
+ "description": "Because all administrative traffic contains sensitive data such as unencrypted passwords, it will be encrypted to protect it from interception. The KVM switch will be configured to require encryption for all communications via the network. NIST FIPS 140-2 validated cryptography will be used.\n\nThe ISSO or SA will ensure the KVM switch is configured to use encrypted communications using FIPS 140-2 validated cryptography.",
182
+ "severity": "high"
183
+ },
184
+ {
185
+ "id": "V-6714",
186
+ "title": "The KVM switch must be configured to encapsulate and send USB connections other than KVM connections.",
187
+ "description": "Some network attached KVM switched can encapsulate USB connections other than the keyboard, video monitor, and mouse connections. This connection could be a disk drive connection and could allow the transfer of data between the ISs attached to the KVM switch and the client system attached via IP to the KVM switch leading to a compromise of sensitive data.\n The ISSO or SA will ensure the KVM switch is not configured to encapsulate and send USB connections other than KVM connections.",
188
+ "severity": "high"
189
+ },
190
+ {
191
+ "id": "V-6715",
192
+ "title": "Unused USB ports on the KVM switch must be blocked with tamper evident seals on a KVM switch that can encapsulate and send the USB protocol over the network to the client.",
193
+ "description": "By blocking the unused USB ports on a network attached KVM switch that can encapsulate USB over IP with tamper evident seals there will be an indication if someone has attached an unauthorized USB connection to the KVM switch. When a seal is found to have been tampered with or broken, it should be investigated.\n\nThe ISSO will ensure any open USB ports on the KVM switch are blocked with tamper evident seals.",
194
+ "severity": "medium"
195
+ },
196
+ {
197
+ "id": "V-6716",
198
+ "title": "A network attached KVM switch must not be configured to control the power supplied to the ISs attached to the KVM switch or the connectors on the KVM switch that support this feature are not blocked with tamper evident seals.",
199
+ "description": "If a network attached KVM switch can control the power to the ISs attached to it and the KVM switch is compromised, a denial of service can be caused by powering off all the ISs attached to the KVM switch without accessing the individual ISs.\n\nThe ISSO will ensure any feature that allows the KVM switch to directly control the power supplied to the ISs is not configured or used, and any connectors on the KVM switch used to support this feature are blocked with a tamper evident seal.",
200
+ "severity": "medium"
201
+ },
202
+ {
203
+ "id": "V-6717",
204
+ "title": "A network attached KVM switch must not be attached to ISs of different classification levels.",
205
+ "description": "Because of the problems inherent in the spanning of networks of different classification levels, network attached KVM switches will not be attached to ISs of different classification levels. This can lead to the compromise of sensitive data.\n\nThe ISSO will ensure the network attached KVM switches are not attached to ISs of different classification levels.",
206
+ "severity": "high"
207
+ },
208
+ {
209
+ "id": "V-6718",
210
+ "title": "There must be user agreements documenting the use of A/B switches.",
211
+ "description": "A signed user agreement is proof that the user has been informed of his security responsibilities when using an A/B switch.\n\nThe ISSO will maintain written user agreements for all users authorized to use an A/B switch.",
212
+ "severity": "low"
213
+ },
214
+ {
215
+ "id": "V-6719",
216
+ "title": "There must be user documentation describing the correct usage and user responsibilities for an A/B switch.",
217
+ "description": "The Security Features Users Guide (SFUG) gives the user a single source to find security policy and guidance as to the user’s responsibility for security. The general policies and user responsibilities as apply to A/B switches and any local security policies will be placed in the SFUG or similar document.\n\nThe ISSO will maintain and distribute to the users a SFUG that describes the correct uses of an A/B switch and the user’s responsibilities.",
218
+ "severity": "low"
219
+ },
220
+ {
221
+ "id": "V-6720",
222
+ "title": "The A/B switch must be physically protected in accordance with the requirements of the highest classification of any IS connected to the A/B switch.",
223
+ "description": "If the A/B switch is not located in an area that has the same physical security as required by the IS of the highest classification level, this can lead to a compromise of sensitive data.\n The ISSO or SA will ensure the A/B switch is physically protected in accordance with the requirements of the highest classification for any IS connected to the A/B switch.",
224
+ "severity": "high"
225
+ },
226
+ {
227
+ "id": "V-6757",
228
+ "title": "An A/B switch must not be used to share a peripheral device between two or more users.",
229
+ "description": "When using an A/B switch to switch a peripheral between two or more users the risk always exists where the peripheral is connected to the wrong IS. An example would be a scanner shared between two systems using an A/B switch. If the user presses the scan button when the A/B switch is pointed to a different IS than the user intended, the document would be scanned into the wrong system. This could lead to the compromise of sensitive data.\n\nThe ISSO or SA will ensure an A/B switch is not used to share a peripheral device between two or more users.",
230
+ "severity": "medium"
231
+ },
232
+ {
233
+ "id": "V-6758",
234
+ "title": "The A/B switch must be properly marked and labeled.",
235
+ "description": "Failure to correctly mark switch positions and cable connections can lead to the A/B switch connecting the wrong device to the wrong system for the current intended use. This can lead to a denial of access to a peripheral by an IS or the access of the wrong peripheral by an IS compromising sensitive data.\n\nThe ISSO or SA will ensure the A/B switch, cables, switch positions, and connectors are labeled in accordance with this STIG.",
236
+ "severity": "low"
237
+ },
238
+ {
239
+ "id": "V-6759",
240
+ "title": "A/B switches connecting information systems of differing classification levels must be on the NIAP CCEVS Products Lists.",
241
+ "description": "An A/B switch not found on the approved KVM and A/B switch lists has not been tested to verify that it does not leak data between systems. This can lead to the compromise of sensitive data or the compromise of the ISs attached to the A/B switch.\n\nThe organization will ensure only approved A/B switches are used with ISs of differing classification levels.",
242
+ "severity": "medium"
243
+ },
244
+ {
245
+ "id": "V-6760",
246
+ "title": "Tamper evident seals must be attached to the A/B switch and all IS cables at their attachment points for A/B switches attached to devices or ISs that have different classification levels.",
247
+ "description": "Without the presences of tamper evident seals the A/B switch or its connections can be tampered with and the tampering will go undetected. This can lead to the compromise of sensitive data or the compromise of an IS.\n\nWhen an A/B switch is attached to ISs of different classification levels, the ISSO or SA will ensure tamper evident seals are attached to the A/B switch and all IS cables at their attachment points.",
248
+ "severity": "medium"
249
+ },
250
+ {
251
+ "id": "V-6761",
252
+ "title": "A/B switches must not be cascaded when connected to devices or ISs which are at different classification levels.",
253
+ "description": "When A/B switches are cascaded it is difficult to verify the currently selected connection is the correct selection. When A/B switches are used with ISs of differing classification levels this can lead to the compromise of sensitive data.\n\nWhen A/B switches are attached to ISs of different classification levels the ISSO or SA will ensure that A/B switches are not cascaded.",
254
+ "severity": "low"
255
+ },
256
+ {
257
+ "id": "V-6762",
258
+ "title": "An A/B switch must not be used to switch a peripheral device that has persistent memory or devices that support removable media between two or more ISs of different classification levels.",
259
+ "description": "If the peripheral device attached to an A/B switch, which is connected to ISs of differing classification levels, can be written to and read from this can lead to the compromise of sensitive or classified data and/or the compromise of the ISs.\n\nThe ISSO or SA will ensure A/B switches are not used to switch a peripheral device that has persistent memory or devices that support removable media between two or more ISs of different classification levels.",
260
+ "severity": "high"
261
+ },
262
+ {
263
+ "id": "V-6763",
264
+ "title": "Input or output devices including, but not limited to, scanners, printers, or plotters must not be attached to an A/B switches that spans classification levels.",
265
+ "description": "Input devices attached to A/B switches that are in turn attached to ISs of different classification levels could input data to the wrong IS compromising sensitive or classified data and/or the IS involved.\n\nOutput from output devices attached to A/B switches that are in turn attached to ISs of different classification levels could be picked up by an individual other than the one the data was intended, leading to a compromise of sensitive or classified data.\n\nThe ISSO will ensure input and output devices including but not limited to scanners, printers, or plotters are not attached to A/B switches that span classification levels.",
266
+ "severity": "high"
267
+ }
268
+ ]
269
+ }
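Review bot: A few imported item titles state the inverse of their own descriptions, which matters because a compliance report that renders `title` as the requirement will assert the opposite of the control: V-6714's title says the switch `must be configured to encapsulate and send USB connections other than KVM connections` while its description ends with "the KVM switch is not configured to encapsulate and send USB connections", and V-6679's title says a compliant wireless keyboard `must be attached to a KVM switch` where the description only requires that any attached wireless device be compliant. V-6686 ("or there is no policy and procedure in place") and V-6687's description ("The ISSO has not ensured") likewise carry DISA finding-statement wording rather than the requirement. If these strings are copied verbatim from the upstream XCCDF this is a source artifact rather than a defect introduced here, but it is still what users of this gem will see. Consider either normalising these in the importer (`bin/update_stigs.rb`, not visible in this hunk) or adding a README caveat that `title` and `description` are unedited DISA text and the description's closing "The ISSO/SA will ensure …" sentence is the authoritative statement of the control.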