6.10.5.9 Ensure REST Connection Limit is Set

Information

If the REST API service is configured, the Connection Limit should be set.

Rationale:

The REST API may be accessed remotely, using either HTTP (though this is not recommended) or HTTPS.

An attacker may attempt to open a large number of sessions to the REST API service to exhaust the routers resources or an authorized user may do so accidently, especially given that the service is designed to allow an automation interface to JUNOS.

To limit the impact of any such incident, the number of concurrent connections to the REST API service should explicitly limited.

A relatively low value of 10 is recommended, but may not be appropriate for all environments so it is left to the administrator's discretion.

Impact:

If the connection limit has been reached, additional REST API sessions will be rejected until an existing session has ended.

Solution

To enable a REST API Connection Limit, enter the following command at the [edit system services rest] hierarchy:

[edit system services rest]
user@host# set control connection-limit <limit>

Where <limit> is the desired Connection Limit.

Default Value:

The REST API Service is disabled by default. When enabled, the default Connection Limit for most platforms is 64.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6(10), CSCv7|4.7

Plugin: Juniper

Control ID: 76ef343f349b4d01a47e17207989a019cd01acdfb1c0c23fd71132bbf72e4d92