Ensure XNM-SSL Connection Limit is Set

Details

If the XNM-SSL service is configured, connection limits should be set.

Rationale:

JUNOScript (the Junos XML management protocol) can be configured to use SSL transport to prevent the exposure of sensitive data and authentication credentials on the network. When configured, the XNM-SSL service listens on TCP port 3220.

An attacker may attempt to open a large number of sessions to the XNM-SSL service to exhaust the router's resources, or an authorized user may do so accidentally, which is a realistic risk given that the service exists to provide a scripting and automation interface to JUNOS. To limit the impact of any such incident, the number of concurrent connections to the XNM-SSL service should be explicitly limited.

A relatively low value of 10 is recommended, but may not be appropriate for all environments so it is left to the administrator’s discretion.

Impact:

If the connection limit has been reached, additional JUNOScript sessions will be rejected until an existing session has ended.

Solution

The XNM-SSL Connection Limit can be configured by issuing the following command from the [edit system services xnm-ssl] hierarchy:

[edit system services xnm-ssl]
user@host# set connection-limit <limit>

Where <limit> is the permitted number of concurrent connections required.

Default Value:

The XNM-SSL Service is disabled by default.

When it is first configured the default Connection Limit is 75.
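The Solution and Default Value sections above describe a check that is easy to get wrong by hand: a device that has xnm-ssl enabled but no explicit connection-limit silently runs with the default of 75. The following audit script is an added example written for this page, not Juniper's or the benchmark's own tooling. It assumes configuration exported in "display set" form (as produced by `show configuration | display set`), evaluates the three states a practitioner meets (service not configured, configured without a limit, configured with a limit), and prints the remediation command in top-level set form. The sample configuration dumps are constructed for the example; the certificate name `mgmt-cert` is a placeholder.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Values taken from the page: Junos applies 75 when xnm-ssl is enabled without an
# explicit limit; 10 is the page's recommended (environment-dependent) ceiling.
JUNOS_DEFAULT_LIMIT = 75
RECOMMENDED_LIMIT = 10

# Matches one 'display set' line of the relevant stanza, e.g.
#   set system services xnm-ssl connection-limit 10
SET_LIMIT_RE = re.compile(r"^set system services xnm-ssl connection-limit (\d+)$")
XNM_SSL_PREFIX = "set system services xnm-ssl"


@dataclass
class Finding:
    enabled: bool
    limit: Optional[int]   # effective limit: explicit value, or the Junos default
    explicit: bool         # True only when connection-limit appears in the config
    compliant: bool
    reason: str


def audit_xnm_ssl_limit(config_set: str, max_limit: int = RECOMMENDED_LIMIT) -> Finding:
    """Audit a Junos configuration dump in 'display set' form for this control."""
    lines = [ln.strip() for ln in config_set.splitlines() if ln.strip()]

    # Control only applies if the xnm-ssl service is configured at all.
    if not any(ln.startswith(XNM_SSL_PREFIX) for ln in lines):
        return Finding(False, None, False, True,
                       "xnm-ssl is not configured; control not applicable")

    limit = None
    for ln in lines:
        m = SET_LIMIT_RE.match(ln)
        if m:
            limit = int(m.group(1))  # last occurrence wins, as in a merged config

    if limit is None:
        # Enabled but never limited: the silent default applies.
        return Finding(True, JUNOS_DEFAULT_LIMIT, False, False,
                       f"no explicit connection-limit; Junos default of "
                       f"{JUNOS_DEFAULT_LIMIT} applies")
    if limit > max_limit:
        return Finding(True, limit, True, False,
                       f"connection-limit {limit} exceeds the chosen ceiling of {max_limit}")
    return Finding(True, limit, True, True,
                   f"connection-limit {limit} is within the ceiling of {max_limit}")


def remediation(max_limit: int = RECOMMENDED_LIMIT) -> str:
    """The Solution section's command, in top-level 'set' form."""
    return f"set system services xnm-ssl connection-limit {max_limit}"


# Constructed sample dumps (not taken from a real device) covering the three states.
NOT_ENABLED = """
set system services ssh
set system services netconf ssh
"""

ENABLED_NO_LIMIT = """
set system services ssh
set system services xnm-ssl local-certificate mgmt-cert
"""

ENABLED_WITH_LIMIT = """
set system services ssh
set system services xnm-ssl local-certificate mgmt-cert
set system services xnm-ssl connection-limit 10
"""

if __name__ == "__main__":
    samples = [("not enabled", NOT_ENABLED),
               ("no limit", ENABLED_NO_LIMIT),
               ("limit 10", ENABLED_WITH_LIMIT)]
    for name, cfg in samples:
        f = audit_xnm_ssl_limit(cfg)
        print(f"{name:12} compliant={f.compliant}  {f.reason}")
        if not f.compliant:
            print("             remediate with:", remediation())
```

Run it against a saved `display set` export from each device; lowering `max_limit` below 10 is the knob for environments that want a stricter ceiling than the page's recommendation. The script only reads the active set lines, so a `deactivate system services xnm-ssl` statement is not interpreted and such a device would need a manual look.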

Supportive Information


This security hardening control applies to the following category of controls within NIST 800-53: Access Control, Identification and Authentication. This control applies to the following type of system: Juniper.


Updated on July 16, 2022