6.10.3.3 Ensure XNM-SSL Rate Limit is Set

Information

If the XNM-SSL service is configured, the Rate Limit should be set.

Rationale:

JUNOScript can be configured to use SSL transport to prevent the exposure of sensitive data and authentication details on the network. If configured the XNM-SSL service will provide services on port TCP/3220.

An attacker may attempt to open a large number of sessions to the XNM-SSL service to exhaust the routers resources or an authorized user may do so accidently, especially given that the service is designed to allow a scripting interface to JUNOS.

To limit the impact of any such incident, the rate at which new connections to the XNM-SSL service should explicitly limited. Rate Limits are set in terms of the number of connection attempts per minute. Established connections do not count towards this count. A relatively low value of 60 (the equivalent of one attempt per second, sustained over a minute) is recommended, but may not be appropriate for all environments so it is left to the administrator's discretion.

Impact:

If the Rate Limit is exceeded, new connection attempts will be rejected until the new connection rate drops below the configured limit.

Solution

The XNM-SSL Rate Limit can be configured by issuing the following command from the [edit system services xnm-ssl] hierarchy;

[edit system services xnm-ssl]
user@host#set rate-limit <limit>

Where <limit> is the desired Rate Limit measured in Connection Attempts per Minute.

Default Value:

The XNM-SSL Service is disabled by default. When it is first configured the default Rate Limit is 150 connection attempts per second.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

References: 800-53|AC-6(10), 800-53|IA-2(1), CSCv7|4.7, CSCv7|11.5

Plugin: Juniper

Control ID: 536a08687eda3b76568878caec735289a46d4f06a53935f0cafcdc5129679e70