6.10.3.2 Ensure XNM-SSL Connection Limit is Set

Information

If the XNM-SSL service is configured, connection limits should be set.

Rationale:

JUNOScript can be configured to use SSL transport to prevent the exposure of sensitive data and authentication details on the network. If configured the XNM-SSL service will provide services on port TCP/3220.

An attacker may attempt to open a large number of sessions to the XNM-SSL service to exhaust the routers resources or an authorized user may do so accidently, especially given that the service is designed to allow a scripting and automation interface to JUNOS. To limit the impact of any such incident, the number of concurrent connections to the XNM-SSL service should explicitly limited.

A relatively low value of 10 is recommended, but may not be appropriate for all environments so it is left to the administrator's discretion.

Impact:

If the connection limit has been reached, additional JUNOScript sessions will be rejected until an existing session has ended.

Solution

The XNM-SSL Connection Limit can be configured by issuing the following command from the [edit system services xnm-ssl] hierarchy;

[edit system services xnm-ssl]
user@host#set connection-limit <limit>

Where <limit> is the permitted number of concurrent connections required.

Default Value:

The XNM-SSL Service is disabled by default.

When it is first configured the default Connection Limit is 75.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

References: 800-53|AC-6(10), 800-53|IA-2(1), CSCv7|4.7, CSCv7|11.5

Plugin: Juniper

Control ID: fbbcd0df0e9b263323d1d199b1e247e736df93fb53ddc1ce4034b545b00b3be5