6.10.2.6 Ensure Web-Management Interface Restriction is Set

Information

JWeb access should be restricted to trusted networks

Rationale:

By default, when configured, the JWeb service will listen for incoming connections on all interfaces which have an IP Address configured, exposing JWeb to users on all networks through which the device is reachable.

Because control of Network Systems can have a serious impact on the security of your environment, the JUNOS device should only be manageable over some of its interfaces; in particular a JUNOS device providing connectivity to untrusted networks such as the Internet should only be manageable from trusted sources.

This can be accomplished by limiting the interfaces on which the JWeb HTTPS service operates and this restriction should be applied on all JUNOS devices. Firewall Filters or Security Policy (SRX) should also be used to further restrict management to authorized sources (see Recommendations in Section 2 - Firewall for further details).

Impact:

Ensure that JWeb Management is operational and reachable using the selected interfaces before applying interface restrictions in a production environment.

Solution

To apply JWeb interface restrictions, issue the following commands from the [edit system services web-management https] hierarchy.

To set a single interface:

[edit system services web-management https]
user@host# set interface <interface>

Or to set multiple interfaces:

[edit system services web-management https]
user@host# set interface [ <interface 1> <interface 2> <interface n> ]
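The following audit helper is an added example, not part of the benchmark or of any Juniper tooling. It checks a Junos configuration in "show configuration | display set" form for this control and also covers the plaintext web-management http stanza, which the commands above do not mention; all sample configuration lines are constructed.

```python
import re

# Constructed samples in "display set" form (not captured from a real device).
SAMPLE_PASS = """
set system services ssh
set system services web-management https system-generated-certificate
set system services web-management https interface fxp0.0
set system services web-management https interface ge-0/0/0.0
"""

SAMPLE_FAIL = """
set system services web-management https system-generated-certificate
set system services web-management https port 8443
"""

SAMPLE_NOT_CONFIGURED = """
set system services ssh
"""

# Matches both "web-management http" and "web-management https" statements.
WEBMGMT_RE = re.compile(r"^set system services web-management (https?)(?:\s+(.*))?$")


def audit_web_management(config_text: str) -> dict:
    """Audit the JWeb interface restriction.

    status is "PASS" when every configured web-management protocol names at
    least one interface, "FAIL" when a protocol is configured with no
    interface restriction (JWeb listens on all interfaces), and "N/A" when
    web-management is not configured at all.
    """
    configured = set()
    interfaces = {}
    for raw in config_text.splitlines():
        m = WEBMGMT_RE.match(raw.strip())
        if not m:
            continue
        proto, rest = m.group(1), (m.group(2) or "")
        configured.add(proto)
        toks = rest.split()
        if toks and toks[0] == "interface":
            # Accept either one interface per line or a bracketed list.
            names = [t for t in toks[1:] if t not in ("[", "]")]
            interfaces.setdefault(proto, set()).update(names)
    if not configured:
        return {"status": "N/A", "interfaces": {}, "unrestricted": []}
    unrestricted = [p for p in sorted(configured) if not interfaces.get(p)]
    return {
        "status": "FAIL" if unrestricted else "PASS",
        "interfaces": {p: sorted(v) for p, v in interfaces.items()},
        "unrestricted": unrestricted,
    }
```

Feed it the output of "show configuration | display set" to confirm the restriction is present before and after the change.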

Default Value:

Varies by platform. On some branch and SME-focused devices, such as the SRX300 or EX2300, JWeb is enabled by default. On most larger Enterprise and SP devices JWeb is disabled by default.

When configured, by default JWeb listens on all interfaces for Web Management sessions.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(15), CSCv7|11.7

Plugin: Juniper

Control ID: d9b0f8f18fe93bed42f57cef62267036659a4ee493229bd3e09f16c3ae933cab