6.10.2.3 Ensure Web-Management is Set to use PKI Certificate for HTTPS

Information

JWeb should only be accessed using HTTPS with a PKI Certificate

Rationale:

JWeb can be configured to provide a Web GUI over either HTTP or HTTPS.

When configured to use HTTPS X.509 Certificates are used to:

Share Public Encryption Keys

Provide Identity Information

Validate the Web Server's Identity

Enforce Encryption Key Rollover by limiting their validity period

JWeb can be configured to use Self Signed 'System-Generated' X.509 Certificates, where the JUNOS device makes an identity claim, such as 'I am myrouter.myorg.com', without any external validation. When an administrator connects to JWeb their browser will generate a Security Error due to this lack of validation, which the user will need to accept in order to proceed to the interface.

Without validation from a trusted Certificate Authority (CA), either an Internal or Public CA, administrators may be unable to detect when a management session is being intercepted or impersonated by an attacker. Additionally, a Self Signed certificate cannot be centrally revoked should a compromise be detected, relying instead on each user manually removing trust for the compromised Certificate.

A Certificate Authority is a Trusted Third Party which validates X.509 Certificates by signing them, using a secure Hashing algorithm and their own Private Key. A CA may be part of an organization's internal Public Key Infrastructure (PKI) or an Public CA service such as those provided by Verisign, Entrust or Microsoft.

Commonly, for signing Certificates used for internal management and systems, Organizations will configure their own PKI rather than paying for Public CA Services - configuring their End Points to trust Certificates signed by their CA through Group Policy or similar methods.

Either option is equally acceptable for use with JWeb, but Self Signed Certificates should not be used.

In addition, JUNOS offers two options for the storage and management of Certificates and their associated Private Keys:

in the configuration under the [edit security certificates] hierarchy

in a protected PKI store in memory

While the keys are hashed when stored in the configuration file, they are still exposed through backups and management access to the device. Storing Certificates and Keys in the device's PKI store means that the Private Keys are never accessible and that additional protections to this restricted area of memory can be used.

Due to these limitations PKI Certificates from a trusted Certificate Authority should always be used for JWeb Management and should always be stored in the device's PKI store rather than local configuration.

Impact:

Ensure an alternative method to manage the JUNOS device is configured and working prior to changing the Certificate used for HTTPS to ensure continued access in the event of any errors.

Solution

To configure Web-Management with a PKI Certificate issue the following command from the [edit system service web-management] hierarchy:

[edit system services web-management]
[email protected]# set https pki-local-certificate <Certificate ID>

Where <Certificate ID> is the name of a Certificate which has already been loaded to the devices PKI Store.
To create a new Public/Private Key Pair in the devices PKI Store and generate Certificate Signing Request issue the following commands from Operational Mode:

[email protected]> request security pki generate-key-pair certificate-id <Certificate ID> type <Algorithm> size <Size>

[email protected]> request security pki generate-certificate-request certificate-id <Certificate ID> domain-name <Device DNS Name> subject <Device Subject DN>

Where:

<Certificate ID> is the Name that will be used for this Certificate throughout configuration

<Algorithm> is the Encryption Algorithm to be used (this should be either RSA or ECC)

<Size> is the number of Bits used for the keys (use at least 2048bits for RSA or 256bits for ECC)

<Device DNS Name> is the FQDN which will be used to manage the device and
-<Device Subject DN> is the Distinguished Name used to identify this device and certificate.

Optionally, fields for email address, the device's IP Address and and output Filename for the PKCS#10 CSR which will be generated can be included.
The CSR should then be submitted to the Certificate Authority for review and signing.
Once the CA returns the Certificate it can be uploaded to the JUNOS device and imported with the following command from Operational Mode:

[email protected]> request security pki local-certificate load certificate-id <Certificate ID> filename <File Upload Location>

Default Value:

Varies by platform. For some Branch and SME focused devices, like the SRX300 or EX2300, JWeb is enabled by default. For most larger Enterprise and SP devices JWeb is disabled by default.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(1), CSCv7|11.5

Plugin: Juniper

Control ID: 6c37f7ca2773e3dd7556cb11945cdfb7df7b4b56ad636a80e49bbbf7191f98b6