6.10.4.1 Ensure NETCONF Rate Limit is Set

Information

If the NETCONF service is configured, the Rate Limit should be set.

Rationale:

NETCONF can be configured to use SSH transport to allow remote access while preventing the exposure of sensitive data and authentication details on the network. If configured, the NETCONF-over-SSH service will provide services on port TCP/830.

An attacker may attempt to open a large number of sessions to the NETCONF-over-SSH service to exhaust the router's resources, or an authorized user may do so accidentally, especially given that the service is designed to provide an automation interface to JUNOS.

To limit the impact of any such incident, the rate of new connections to the NETCONF service should be explicitly limited. Rate Limits are set in terms of the number of new connection attempts per minute; established connections do not count towards this total. A relatively low value of 60 (the equivalent of one attempt per second, sustained over a minute) is recommended, but may not be appropriate for all environments, so it is left to the administrator's discretion.

Impact:

If the Rate Limit is exceeded, new connection attempts will be rejected until the new connection rate drops below the configured limit.

Solution

The NETCONF-over-SSH Rate Limit can be configured by issuing the following command from the [edit system services netconf] hierarchy:

[edit system services netconf]
user@host# set ssh rate-limit <limit>

Where <limit> is the desired Rate Limit, measured in new connection attempts per minute.
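The following audit helper is an added example, not part of the benchmark text or of any vendor tooling. It evaluates the output of "show configuration system services netconf | display set" against this control: not applicable when NETCONF-over-SSH is absent, FAIL when the rate-limit statement is missing, WARN when it is set above the recommended value, PASS otherwise. The sample configurations are constructed for illustration, and the function and variable names are this example's own.

```python
import re

# Constructed sample: NETCONF-over-SSH enabled with the recommended rate-limit.
SAMPLE_COMPLIANT = """\
set system services netconf ssh
set system services netconf ssh connection-limit 10
set system services netconf ssh rate-limit 60
"""

# Constructed sample: NETCONF-over-SSH enabled but no rate-limit statement.
SAMPLE_MISSING = """\
set system services netconf ssh
"""

# Constructed sample: plain SSH only, NETCONF not configured (control not applicable).
SAMPLE_NOT_CONFIGURED = """\
set system services ssh
"""

# 'display set' emits one statement per line, so line-anchored patterns suffice.
NETCONF_SSH_RE = re.compile(r"^set system services netconf ssh\b", re.M)
RATE_LIMIT_RE = re.compile(r"^set system services netconf ssh rate-limit (\d+)\s*$", re.M)


def check_netconf_rate_limit(config_set: str, recommended: int = 60) -> dict:
    """Evaluate a Junos 'display set' configuration against this control.

    Returns a dict with:
      applicable  - True if NETCONF-over-SSH is configured
      rate_limit  - configured value (new attempts per minute) or None if absent
      status      - 'NOT_APPLICABLE', 'FAIL', 'WARN' (above recommended) or 'PASS'
    """
    if NETCONF_SSH_RE.search(config_set) is None:
        return {"applicable": False, "rate_limit": None, "status": "NOT_APPLICABLE"}

    match = RATE_LIMIT_RE.search(config_set)
    if match is None:
        # Service enabled without an explicit limit: the device falls back to
        # its default rather than the administrator's chosen value.
        return {"applicable": True, "rate_limit": None, "status": "FAIL"}

    value = int(match.group(1))
    status = "PASS" if value <= recommended else "WARN"
    return {"applicable": True, "rate_limit": value, "status": status}


def remediation_commands(limit: int = 60) -> list:
    """CLI lines to apply the limit, following the Solution section above."""
    return ["edit system services netconf", f"set ssh rate-limit {limit}", "commit"]


if __name__ == "__main__":
    for name, cfg in (("compliant", SAMPLE_COMPLIANT),
                      ("missing", SAMPLE_MISSING),
                      ("not configured", SAMPLE_NOT_CONFIGURED)):
        result = check_netconf_rate_limit(cfg)
        print(f"{name:15s} -> {result['status']}")
        if result["status"] == "FAIL":
            print("  remediation:", "; ".join(remediation_commands()))
```

The threshold is a parameter because, as the Rationale notes, 60 per minute is a recommendation rather than a fixed requirement; an environment with a busier automation system can pass its own agreed value as `recommended`.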

Default Value:

The NETCONF-over-SSH Service is disabled by default. When it is first configured the default Rate Limit is 150 connection attempts per second.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

References: 800-53|AC-6(10), 800-53|IA-2(1), CSCv7|4.7, CSCv7|11.5

Plugin: Juniper

Control ID: aec05092a7b534a9339194f929f1e27012e016cebac87c537d5d4f5b03c1e64b