6.10.5.10 Ensure REST Service Address is Set

Information

The REST API Service Address should be set.

Rationale:

The REST API service allows remote scripts or users to connect to a JUNOS Device and execute RPC commands to operate and configure the device, potentially granting full control if connecting using a privileged account.

To protect the REST API from unauthorized use, access should be restricted to specific network management segments.

By default, when enabled, the REST API listens on port TCP/3000 (for HTTP) or TCP/3443 (for HTTPS) on all IP Addresses configured on the JUNOS Device. The addresses option can be configured with one or more IP Addresses to restrict the REST API to listening only on these addresses.

In general, this would be the IP Address used for the devices' Out of Band Management interface (such as fxp0) where possible.

Impact:

Hosts will be unable to connect to the REST API HTTPS Service on any addresses which are not configured.

Solution

To restrict the IP Address/es on which the REST API will listen, enter the following command from the [edit system services rest] hierarchy:

[edit system services rest]
user@host# set https addresses <Service IP>

Where <Service IP> is a single IP Address configured on one of the JUNOS Device's interfaces.
To add multiple addresses, enter the following command:

[edit system services rest]
user@host# set https addresses [<Service IP 1> <Service IP 2> <Service IP ...> ]

To remove a single address from the current list enter the following command:

[edit system services rest]
user@host# delete https addresses <Service IP>

Default Value:

By default the REST API is disabled. When enabled, the REST API HTTPS Service listens on all configured IP Addresses.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: ACCESS CONTROL, CONFIGURATION MANAGEMENT

References: 800-53|AC-6(10), 800-53|CM-6, CSCv7|4.7, CSCv7|11

Plugin: Juniper

Control ID: a934fb849245f31aa5d46819a4970a6f67329715787f205c1ea1c5a9485bd929