6.10.5.5 Ensure REST HTTPS Cipher List is Set

Information

The REST API should only be accessed using HTTPS with secure Cipher Suites.

Rationale:

The JUNOS REST API can be configured for access using either HTTP or HTTPS for connections.

When configured to use HTTPS, the device supports a wide range of Cipher Suites which define the Encryption, Hashing and Key Exchange methods and algorithms. By default, in the interests of compatibility, this includes support for a number of older, weaker algorithms such as RC4 Encryption or MD5 Hashing, which are no longer considered suitable for protecting sensitive data or device management.

To ensure that these weaker algorithms and methods are not used, the REST API HTTPS Service should be configured to use only Cipher Suites which do not include RC4 or 3DES for Data Encryption and MD5 or SHA1 for Hashing.

Impact:

REST API Management may be lost if the Network Management System or Hosts do not support the secure Cipher Suites.

Solution

To restrict the Cipher Suites used REST over HTTPS, enter the following command from the [edit system services rest] hierarchy:

[edit system services rest]
user@host# set https cipher-list [ rsa-with-aes-128-cbc-SHA256 rsa-with-aes-256-cbc-SHA256 dhe-rsa-with-aes-128-cbc-SHA256 dhe-rsa-with-aes-256-cbc-SHA256 rsa-with-aes-128-gcm-SHA256 rsa-with-aes-256-gcm-SHA384 dhe-rsa-with-aes-128-gcm-SHA256 dhe-rsa-with-aes-256-gcm-SHA384 ecdhe-rsa-with-aes-128-cbc-SHA256 ecdhe-rsa-with-aes-256-cbc-SHA384 ecdhe-rsa-with-aes-128-gcm-SHA256 ecdhe-rsa-with-aes-256-gcm-SHA384 ]

No all Cipher Suites are required to meet this recommendation. A shorter list, or individual Cipher Suites, may be configured using the same command.
Some JUNOS Devices do not support all of the above Cipher Suite (most notably, AES in Galois Counter Mode support is not universal), unsupported Cipher Suites can be skipped.

Default Value:

By default the REST API is disabled. When the REST API HTTPS Service is enabled, all Cipher Suites (including those with RC4 and insecure ciphers) are accepted, except for JUNOS FIPS mode, which supports only rsa-with-aes-256-gcm-SHA384, dhe-rsa-with-aes-128-gcm-SHA256, dhe-rsa-with-aes-256-gcm-SHA384, ecdhe-rsa-with-aes-128-gcm and ecdhe-rsa-with-aes-256-gcm.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(1), CSCv7|11.5

Plugin: Juniper

Control ID: c9f86c466fb17dd0e631bfd64c8f272223ffa1e4702fd3feefdbb412054e0764