6.10.4.2 Ensure NETCONF Connection Limit is Set

Information

If the NETCONF service is configured, the Connection Limit should be set.

Rationale:

NETCONF can be configured to use SSH transport to allow remote access while preventing the exposure of sensitive data and authentication details on the network. If configured, the NETCONF-over-SSH service will provide services on port TCP/830.

An attacker may attempt to open a large number of sessions to the NETCONF-over-SSH service to exhaust the router's resources, or an authorized user may do so accidentally, especially given that the service is designed to provide an automation interface to JUNOS.

To limit the impact of any such incident, the number of concurrent connections to the NETCONF service should be explicitly limited.

A relatively low value of 10 is recommended, but it may not be appropriate for all environments, so the final value is left to the administrator's discretion.

Impact:

If the connection limit has been reached, additional NETCONF-over-SSH sessions will be rejected until an existing session has ended.

Solution

The NETCONF-over-SSH Connection Limit can be configured by issuing the following command from the [edit system services netconf] hierarchy:

[edit system services netconf]
user@host# set ssh connection-limit <limit>

Where <limit> is the desired Connection Limit.

Default Value:

The NETCONF-over-SSH Service is disabled by default. When it is first configured the default Connection Limit is 75.
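The following is an added audit helper, not part of the benchmark or of any Juniper or Tenable tooling, that evaluates this control against the curly-brace output of `show configuration`: it reports NOT_APPLICABLE when NETCONF is not configured, FAIL when the service is enabled without an explicit limit (so the default of 75 applies) or with a limit above the recommended 10, and PASS otherwise. The two sample configurations are constructed for illustration.

```python
"""Audit helper for CIS Junos 6.10.4.2 (NETCONF-over-SSH connection limit)."""
import re

JUNOS_DEFAULT_NETCONF_LIMIT = 75  # default once NETCONF-over-SSH is configured (benchmark text)
RECOMMENDED_LIMIT = 10            # value the benchmark recommends


def parse_junos_config(text):
    """Flatten Junos curly-brace configuration into tuples of words, one per leaf
    statement, e.g. ('system', 'services', 'netconf', 'ssh', 'connection-limit', '10').
    Comments are stripped; 'inactive:' subtrees keep their prefix and so never match."""
    leaves, stack = [], []
    for raw in text.splitlines():
        line = re.sub(r"/\*.*?\*/|##.*$", "", raw).strip()
        if line.endswith("{"):                      # open a hierarchy level
            stack.append(tuple(line[:-1].split()))
        elif line == "}":                           # close the current level
            stack.pop()
        elif line.endswith(";"):                    # leaf statement
            path = tuple(word for level in stack for word in level)
            leaves.append(path + tuple(line[:-1].split()))
    return leaves


def check_netconf_connection_limit(text, recommended=RECOMMENDED_LIMIT):
    """Return (status, effective_limit) for the control."""
    netconf = [leaf for leaf in parse_junos_config(text)
               if leaf[:3] == ("system", "services", "netconf")]
    if not netconf:
        return "NOT_APPLICABLE", None        # NETCONF not configured: control does not apply
    for leaf in netconf:
        if leaf[3:5] == ("ssh", "connection-limit") and len(leaf) == 6:
            limit = int(leaf[5])
            return ("PASS" if limit <= recommended else "FAIL"), limit
    return "FAIL", JUNOS_DEFAULT_NETCONF_LIMIT   # enabled, no explicit limit: default 75 applies


# Constructed sample configurations (not taken from a real device).
COMPLIANT = """system {
    services {
        netconf {
            ssh {
                connection-limit 10;
            }
        }
    }
}"""
UNLIMITED = "system {\n    services {\n        netconf {\n            ssh;\n        }\n    }\n}"

if __name__ == "__main__":
    print(check_netconf_connection_limit(COMPLIANT), check_netconf_connection_limit(UNLIMITED))
```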

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

References: 800-53|AC-6(10), 800-53|IA-2(1), CSCv7|4.7, CSCv7|11.5

Plugin: Juniper

Control ID: 087b0206ab42298818f2204394b3becf76c3d7105751de269980275b9a65e0d0