Juniper EX Series Switches STIG Y24M01 Checklist Details

Target:

Target          CPE Name
Juniper EX2300  cpe:/h:juniper:ex2300:-
Juniper EX3400  cpe:/h:juniper:ex3400:-
Juniper EX4100  cpe:/h:juniper:ex4100:-
Juniper EX4300  cpe:/h:juniper:ex4300:-
Juniper EX4600  cpe:/h:juniper:ex4600:-
Juniper EX4650  cpe:/h:juniper:ex4650:-
Juniper EX9200  cpe:/h:juniper:ex9200:-
Juniper EX9250  cpe:/h:juniper:ex9250:-

Checklist Highlights

Checklist Name:
Juniper EX Series Switches STIG
Checklist ID:
1031
Version:
Y24M01
Type:
Compliance
Review Status:
Final
Authority:
Governmental Authority: Defense Information Systems Agency
Original Publication Date:
08/10/2022

Checklist Summary:

The Juniper EX Series Switches Security Technical Implementation Guide (STIG) provides security policy and technical configuration requirements for the use of the Juniper EX range of L3 Ethernet switches in the Department of Defense (DoD). The Juniper EX STIG comprises the following individual STIGs:

  • Juniper EX Network Device Management (NDM) STIG
  • Juniper EX Layer 2 (L2) Switch STIG
  • Juniper EX Router STIG

The Juniper EX switches use the Junos operating system (OS), which provides a policy framework that is a collection of Junos OS policies that allows a user to control flows of routing information and packets. All platforms share a common design architecture consisting of a Routing Engine (RE) and a Packet Forwarding Engine (PFE).

Juniper EX portfolio is a range of L3 Ethernet switches that can be deployed in various ways to build wired Ethernet local area networks. Hardware ranges from small, inexpensive, fixed configuration devices to large chassis-based devices. Interfaces depend on the model but range from 10/100/1000 Mbps and 2.5G/5G/10G copper and 1G through 100G Optical SFP. All devices have a local RJ-45 console port and an out-of-band Ethernet port for out-of-band management and can be managed in-band via a management virtual local area network (VLAN).

Management is via the Junos OS Command Line Interface (CLI) and optionally for some devices, a web-based graphical user interface (GUI) or a Juniper management appliance. Remote management is via SSHv2 (i.e., CLI) or monitoring via Simple Network Management Protocol (SNMPv3). Junos will not allow configuration changes via SNMPv3. Although a web UI exists for Junos OS, it does not meet DoD trust requirements; thus, use is not permitted.

Checklist Role:

  • Ethernet LAN Switch

Known Issues:

Not provided.

Target Audience:

Parties within the DoD and federal government’s computing environments can obtain the applicable STIG from the DoD Cyber Exchange website at https://cyber.mil/. This site contains the latest copies of STIGs, SRGs, and other related security information. Those without a Common Access Card (CAC) that has DoD Certificates can obtain the STIG from https://public.cyber.mil/.

Target Operational Environment:

  • Managed
  • Specialized Security-Limited Functionality (SSLF)

Testing Information:

Not provided.

Regulatory Compliance:

This document is provided under the authority of DoDI 8500.01.

Comments/Warnings/Miscellaneous:

Not provided.

Disclaimer:

DISA accepts no liability for the consequences of applying specific configuration settings made on the basis of the SRGs/STIGs. It must be noted that the configuration settings specified should be evaluated in a local, representative test environment before implementation in a production environment, especially within large user populations. The extensive variety of environments makes it impossible to test these configuration settings for all potential software configurations. For some production environments, failure to test before implementation may lead to a loss of required functionality. Evaluating the risks and benefits to a system’s particular circumstances and requirements is the system owner’s responsibility. The evaluated risks resulting from not applying specified configuration settings must be approved by the responsible AO. Furthermore, DISA implies no warranty that the application of all specified configurations will make a system 100 percent secure. Security guidance is provided for the DoD. While other agencies and organizations are free to use it, care must be given to ensure that all applicable security guidance is applied at both the device hardening level and the architectural level due to the fact that some settings may not be configurable in environments outside the DoD architecture.

Product Support:

Not provided.

Point of Contact:

Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Sponsor:

Not provided.

Licensing:

Not provided.

Change History:

updated URLs - 9/12/2022
Change to NEW - 10/13/22
Updated resource per DISA - 4/27/23
Updated URLs per DISA - 7/25/23
updated URLs - 1/29/24


NIST checklist record last modified on 01/29/2024