6.10.2.5 Ensure Session Limit is Set for Web-Management

Information

Concurrent Web-Management sessions should be limited

Rationale:

JUNOS Devices can be managed through a powerful Web Management GUI called JWeb.

Operating JWeb, or any other management service, uses resources on the device's Routing Engine (RE). An attacker may attempt to initiate a large number of management sessions concurrently in order to exhaust those resources and achieve a Denial of Service (DoS).

To prevent this the maximum number of concurrent JWeb sessions should be set at 5 or less.

Solution

To enable session limits for JWeb, issue the following command from the [edit system services web-management] hierarchy:

[edit system services web-management]
user@host# set session-limit 5
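The following audit helper is an added example and is not part of the benchmark item or of any Juniper or Tenable tooling. It checks a Junos configuration exported in "display set" form for the session-limit described above and reports PASS, FAIL or NOT_APPLICABLE (JWeb not configured at all). The sample configuration excerpts are constructed for the example; the threshold of 5 comes from the text of this item.

```python
"""Audit a Junos 'display set' configuration for the JWeb session-limit control.

Added example: not part of the CIS benchmark item or any vendor tool. It expects
the text of `show configuration | display set` (or the relevant excerpt).
"""
import re
from typing import Optional

# Maximum concurrent JWeb sessions recommended by the benchmark item.
MAX_SESSIONS = 5

# Constructed sample configurations (not from a real device).
SAMPLE_COMPLIANT = """\
set system services web-management http port 8080
set system services web-management session-limit 5
set system services ssh
"""
SAMPLE_TOO_HIGH = """\
set system services web-management https system-generated-certificate
set system services web-management session-limit 20
"""
SAMPLE_MISSING = """\
set system services web-management http
"""
SAMPLE_NO_JWEB = """\
set system services ssh
set system services netconf ssh
"""

# Any 'set system services web-management ...' line means JWeb is configured.
_JWEB_RE = re.compile(r"^set system services web-management\b")
# The session-limit statement itself, capturing the numeric value.
_LIMIT_RE = re.compile(r"^set system services web-management session-limit (\d+)\s*$")


def jweb_enabled(config_set: str) -> bool:
    """True if the web-management service appears anywhere in the configuration."""
    return any(_JWEB_RE.match(line.strip()) for line in config_set.splitlines())


def session_limit(config_set: str) -> Optional[int]:
    """Return the configured session-limit, or None if the statement is absent."""
    for line in config_set.splitlines():
        m = _LIMIT_RE.match(line.strip())
        if m:
            return int(m.group(1))
    return None


def audit_session_limit(config_set: str, max_sessions: int = MAX_SESSIONS) -> dict:
    """Evaluate the control and return status, observed limit and a remediation hint."""
    remediation = f"set system services web-management session-limit {max_sessions}"
    if not jweb_enabled(config_set):
        return {"status": "NOT_APPLICABLE", "limit": None,
                "reason": "web-management is not configured", "remediation": None}
    limit = session_limit(config_set)
    if limit is None:
        return {"status": "FAIL", "limit": None,
                "reason": "session-limit is not set", "remediation": remediation}
    if limit > max_sessions:
        return {"status": "FAIL", "limit": limit,
                "reason": f"session-limit {limit} exceeds {max_sessions}",
                "remediation": remediation}
    return {"status": "PASS", "limit": limit,
            "reason": f"session-limit {limit} is within the recommended maximum",
            "remediation": None}


if __name__ == "__main__":
    for name, cfg in [("compliant", SAMPLE_COMPLIANT), ("too_high", SAMPLE_TOO_HIGH),
                      ("missing", SAMPLE_MISSING), ("no_jweb", SAMPLE_NO_JWEB)]:
        result = audit_session_limit(cfg)
        print(f"{name:10s} {result['status']:15s} {result['reason']}")
```

Run it against the output of `show configuration | display set` saved from the device; a FAIL result carries the exact `set` statement to apply under `[edit system services web-management]`. The check deliberately treats a device with no web-management stanza as not applicable rather than passing, so the report still shows where JWeb is absent.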

Default Value:

Varies by platform. On some branch and SME-focused devices, such as the SRX300 or EX2300, JWeb is enabled by default. On most larger Enterprise and Service Provider devices, JWeb is disabled by default.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(1), CSCv7|11.5

Plugin: Juniper

Control ID: 077bc4909e553b521be814abeeab8f5fd84183000c5069d74cc7deaa31cfe2ce