Juniper EX Series Switches STIG Y24M10 Checklist Details
Supporting Resources:
- Download Standalone XCCDF 1.1.4 - Juniper EX Series Switches STIG
  - Defense Information Systems Agency
Target:
Target | CPE Name |
---|---|
Juniper EX2300 | cpe:/h:juniper:ex2300:- |
Juniper EX3400 | cpe:/h:juniper:ex3400:- |
Juniper EX4100 | cpe:/h:juniper:ex4100:- |
Juniper EX4300 | cpe:/h:juniper:ex4300:- |
Juniper EX4600 | cpe:/h:juniper:ex4600:- |
Juniper EX4650 | cpe:/h:juniper:ex4650:- |
Juniper EX9200 | cpe:/h:juniper:ex9200:- |
Juniper EX9250 | cpe:/h:juniper:ex9250:- |
Checklist Highlights
- Checklist Name: Juniper EX Series Switches STIG
- Checklist ID: 1031
- Version: Y24M10
- Type: Compliance
- Review Status: Final
- Authority: Governmental Authority: Defense Information Systems Agency
- Original Publication Date: 08/10/2022
Checklist Summary:
The Juniper EX Series Switches Security Technical Implementation Guide (STIG) provides security policy and technical configuration requirements for the use of the Juniper EX range of L3 Ethernet switches in the Department of Defense (DoD). The Juniper EX STIG comprises the following individual STIGs:
- Juniper EX Network Device Management (NDM) STIG
- Juniper EX Layer 2 (L2) Switch STIG
- Juniper EX Router STIG

The Juniper EX switches use the Junos operating system (OS), which provides a policy framework: a collection of Junos OS policies that allows a user to control flows of routing information and packets. All platforms share a common design architecture consisting of a Routing Engine (RE) and a Packet Forwarding Engine (PFE).

The Juniper EX portfolio is a range of L3 Ethernet switches that can be deployed in various ways to build wired Ethernet local area networks. Hardware ranges from small, inexpensive, fixed-configuration devices to large chassis-based devices. Interfaces depend on the model but range from 10/100/1000 Mbps and 2.5G/5G/10G copper and 1G through 100G Optical SFP. All devices have a local RJ-45 console port and an out-of-band Ethernet port for out-of-band management and can be managed in-band via a management virtual local area network (VLAN).

Management is via the Junos OS Command Line Interface (CLI) and optionally, for some devices, a web-based graphical user interface (GUI) or a Juniper management appliance. Remote management is via SSHv2 (i.e., CLI) or monitoring via Simple Network Management Protocol (SNMPv3). Junos will not allow configuration changes via SNMPv3. Although a web UI exists for Junos OS, it does not meet DoD trust requirements; thus, its use is not permitted.
Checklist Role:
- Ethernet LAN Switch
Known Issues:
Not provided.
Target Audience:
Parties within the DoD and federal government’s computing environments can obtain the applicable STIG from the DoD Cyber Exchange website at https://cyber.mil/. This site contains the latest copies of STIGs, SRGs, and other related security information. Those without a Common Access Card (CAC) that has DoD Certificates can obtain the STIG from https://public.cyber.mil/.
Target Operational Environment:
- Managed
- Specialized Security-Limited Functionality (SSLF)
Testing Information:
Not provided.
Regulatory Compliance:
This document is provided under the authority of DoDI 8500.01.
Comments/Warnings/Miscellaneous:
Not provided.
Disclaimer:
DISA accepts no liability for the consequences of applying specific configuration settings made on the basis of the SRGs/STIGs. It must be noted that the configuration settings specified should be evaluated in a local, representative test environment before implementation in a production environment, especially within large user populations. The extensive variety of environments makes it impossible to test these configuration settings for all potential software configurations. For some production environments, failure to test before implementation may lead to a loss of required functionality. Evaluating the risks and benefits to a system’s particular circumstances and requirements is the system owner’s responsibility. The evaluated risks resulting from not applying specified configuration settings must be approved by the responsible AO. Furthermore, DISA implies no warranty that the application of all specified configurations will make a system 100 percent secure. Security guidance is provided for the DoD. While other agencies and organizations are free to use it, care must be given to ensure that all applicable security guidance is applied at both the device hardening level and the architectural level due to the fact that some settings may not be configurable in environments outside the DoD architecture.
Product Support:
Not provided.
Point of Contact:
Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
Sponsor:
Not provided.
Licensing:
Not provided.
Change History:
- updated URLs - 9/12/2022
- Change to NEW - 10/13/22
- Updated resource per DISA - 4/27/23
- Updated URLs per DISA - 7/25/23
- updated URLs - 1/29/24
- Resource & SHA update - 08/06/2024
- Updated Version - 08/08/2024
- Resource and Title Updated - 10/25/2024