6.10.5.8 Ensure REST Allowed Sources is Set

Information

REST API Clients should be restricted to allowed sources.

Rationale:

The REST API service allows remote scripts or users to connect to a JUNOS Device and execute RPC commands to operate and configure the device, potentially granting full control if connecting using a privileged account.

To protect the REST API from unauthorized use, access should be restricted to specific Network Management Systems using the allowed-sources option to add a whitelist of one or more individual IP Addresses.

Impact:

Hosts which are not included in the Allowed Sources whitelist will no longer be permitted to access the REST API.

Solution

To add an IP Address to the REST API Allowed Sources whitelist, enter the following command from the [edit system services rest] hierarchy:

[edit system services rest]
user@host# set control allowed-sources <Source IP>

Where <Source IP> is a single host IP Address.
To add multiple addresses to the Allowed Sources whitelist, enter the following command:

[edit system services rest]
user@host# set control allowed-sources [<Source IP 1> <Source IP 2> <Source IP ...> ]

To remove a single address from the current list (for example, if the host is no longer used for Network Management) enter the following command:

[edit system services rest]
user@host# delete control allowed-sources <Source IP>

Default Value:

By default the REST API is disabled.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CSCv7|11

Plugin: Juniper

Control ID: 654375a3f8c9990710f036712456c7e7bdd1ac24999133ffeeb0f82b64631cd6