6.10.5.1 Ensure REST is Not Set to HTTP

Information

Network devices should not be managed over unencrypted HTTP sessions.

Rationale:

The JUNOS REST API can be configured to accept connections over either HTTP or HTTPS.

HTTP transmits all data (including passwords) in clear text over the network and provides no assurance of the identity of the hosts involved.

Because of this, HTTP should never be used for sensitive tasks such as managing network devices or entering login credentials, so REST over HTTP should always be disabled.

Impact:

Management of the device through REST over HTTP will be lost. Ensure that other management options are configured and working before disabling this service on production systems.

NOTE: REST does not appear to be configured on the target. This check is not applicable.

Solution

To disable REST over HTTP, enter the following command from the [edit system services rest] hierarchy:

[edit system services rest]
user@host# delete http

Default Value:

By default, the REST API is disabled.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(1), CSCv7|11.5

Plugin: Juniper

Control ID: c99f7fb5bcf84cba81514fd9b4b92384803d1ba9bbcd2bf7ffeb1486989c6eb6