6.10.2.1 Ensure Web-Management is not Set to HTTP

Information

Network devices should not be managed over unencrypted HTTP sessions.

Rationale:

JWeb can be configured to provide a Web GUI over either HTTP or HTTPS.

HTTP transmits all data (including passwords) in clear text over the network and provides no assurance of the identity of the hosts involved.

Because of this, HTTP should never be used for sensitive tasks such as managing network devices or entering login credentials, and HTTP Web-Management should be disabled.

Impact:

Ensure that management using HTTPS or another secure method is configured and working before disabling HTTP access. Otherwise, you may be unable to connect back to the device for management.

NOTE: The JWeb service does not appear to be configured on the target. This check is not applicable.

Solution

To disable HTTP access issue the following command from the [edit system services web-management] hierarchy:

[edit system services web-management]
user@host# delete http
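An added audit helper, not part of the benchmark text, that evaluates this check against Junos configuration in "display set" format: it reports whether HTTP and HTTPS Web-Management are enabled, marks the check not applicable when JWeb is absent (as the NOTE above does), and only recommends deleting HTTP once HTTPS is already present, per the Impact section. The sample configuration, the function name and the result keys are constructed for this example.

```python
import re

# Constructed sample of "show configuration | display set" output from a
# Junos device (not taken from the benchmark): HTTP and HTTPS both enabled.
SAMPLE_CONFIG = """\
set system services ssh
set system services web-management http interface ge-0/0/0.0
set system services web-management https system-generated-certificate
set system services web-management https interface ge-0/0/0.0
"""

# Matches the protocol keyword directly under web-management; the trailing
# \s|$ stops "http" from matching the prefix of "https".
WEB_MGMT = re.compile(r"^set system services web-management (http|https)(?:\s|$)")


def audit_web_management(config_text: str) -> dict:
    """Evaluate CIS 6.10.2.1 against set-format Junos configuration text.

    status: "pass" (no HTTP), "fail" (HTTP enabled) or "not_applicable"
    (no web-management configured at all). remediation is filled in only
    on failure and respects the Impact note: do not delete HTTP until a
    secure management path (HTTPS) is configured.
    """
    protocols = set()
    for line in config_text.splitlines():
        m = WEB_MGMT.match(line.strip())
        if m:
            protocols.add(m.group(1))

    http_enabled = "http" in protocols
    https_enabled = "https" in protocols

    if not protocols:
        status = "not_applicable"   # JWeb is not configured on this target
    elif http_enabled:
        status = "fail"
    else:
        status = "pass"

    remediation = None
    if status == "fail":
        if https_enabled:
            # Top-level equivalent of "delete http" at [edit system services web-management]
            remediation = "delete system services web-management http"
        else:
            remediation = ("configure HTTPS (or another secure method) and verify it "
                           "works before deleting HTTP")

    return {"http": http_enabled, "https": https_enabled,
            "status": status, "remediation": remediation}
```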

Default Value:

Varies by platform.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(1), CSCv7|11.5

Plugin: Juniper

Control ID: 89ded2426007b65b672c96be03da1597b935204bb2e51ed960f8a3c00c61d1fe