6.10.2.7 Ensure Web-Management Interface Restriction is set to OOB Management

Information

JWeb access should be restricted to trusted networks

Rationale:

By default, when configured, the JWeb service will listen for incoming connections on all interfaces which have an IP Address configured, exposing JWeb to users on all networks through which the device is reachable.

Because control of Network Systems can have a serious impact on the security of your environment, the JUNOS device should only be manageable using Out Of Band (OOB) Management networks reached through the device's dedicated Management Interface (called fxp0.0 on most platforms).

This can be accomplished by limiting the interfaces on which the JWeb HTTPS service operates to only the device's OOB Interface. Firewall Filters or Security Policy (SRX) should also be used to further restrict management to authorized sources (see Recommendations in Section 2 - Firewall for further details).

Some JUNOS devices do not have dedicated OOB Management ports. In some cases a 'revenue port' can be configured to act as a Management port, such as by defining a 'management' functional zone with a Branch/SME SRX Firewall. This type of restricted OOB Management Port is accepted as meeting this recommendation, but is not tested for under the audit procedure as a variety of ports might be used.

Impact:

Ensure that JWeb Management is operational and reachable using the selected interfaces before applying interface restrictions in a production environment.

NOTE: The JWeb service does not appear to be configured on the target. This check is not applicable.

Solution

To apply JWeb Interface restrictions, issue the following commands from the [edit system services web-management https] hierarchy.

To set a single Interface:

[edit system services web-management https]
user@host# set interface <interface>

Or to set multiple Interfaces:

[edit system services web-management https]
user@host# set interface [ <interface 1> <interface 2> <interface n> ]

The interfaces listed should only be the platform's dedicated Out Of Band Management port: fxp0.0, em0.0, me0.0 or jmgmt0.0, depending on platform.
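The following is an added example, not part of the CIS/Tenable audit content above, showing how the check described in this item can be evaluated offline against "show configuration | display set" output: JWeb HTTPS is classified as not configured (check not applicable), configured with no interface restriction (listening on all interfaces), or bound to interfaces that are or are not the dedicated OOB ports named above. The sample configuration lines are constructed, the function names are the author's own, and the remediation helper simply emits the set commands from the Solution section for an assumed fxp0.0 management interface.

```python
import re
from typing import Iterable, List

# Dedicated Out Of Band management interfaces the recommendation accepts
# (which one exists depends on platform).
OOB_INTERFACES = {"fxp0.0", "em0.0", "me0.0", "jmgmt0.0"}

# Matches statements under the [edit system services web-management https]
# hierarchy in "show configuration | display set" form.
_HTTPS_RE = re.compile(r"^set system services web-management https(?:\s+(.*))?$")


def _parse_interface_args(rest: str) -> List[str]:
    """Return interface names from 'interface X' or 'interface [ X Y ]'."""
    parts = rest.split()
    if not parts or parts[0] != "interface":
        return []
    return [p for p in parts[1:] if p not in ("[", "]")]


def evaluate_jweb_restriction(config_lines: Iterable[str]) -> dict:
    """Classify a device's JWeb HTTPS interface restriction.

    Returns a dict with:
      status      -> "NOT_APPLICABLE" (JWeb HTTPS not configured),
                     "PASS" (bound only to OOB interfaces) or "FAIL"
      interfaces  -> interfaces JWeb is bound to (empty means all interfaces)
      violations  -> bound interfaces that are not dedicated OOB ports
    """
    configured = False
    interfaces: List[str] = []
    for raw in config_lines:
        m = _HTTPS_RE.match(raw.strip())
        if not m:
            continue
        configured = True
        interfaces.extend(_parse_interface_args(m.group(1) or ""))

    if not configured:
        return {"status": "NOT_APPLICABLE", "interfaces": [], "violations": []}
    if not interfaces:
        # No 'interface' statement: JWeb listens on every addressed interface.
        return {"status": "FAIL", "interfaces": [], "violations": ["<all interfaces>"]}
    violations = sorted({i for i in interfaces if i not in OOB_INTERFACES})
    return {
        "status": "PASS" if not violations else "FAIL",
        "interfaces": sorted(set(interfaces)),
        "violations": violations,
    }


def remediation_commands(interfaces: List[str]) -> List[str]:
    """Set commands from the Solution section, to be entered at
    [edit system services web-management https]."""
    if len(interfaces) == 1:
        return [f"set interface {interfaces[0]}"]
    return ["set interface [ " + " ".join(interfaces) + " ]"]


# Constructed sample "display set" output (not captured from a real device).
UNRESTRICTED = [
    "set system services web-management https system-generated-certificate",
]
OOB_ONLY = [
    "set system services web-management https system-generated-certificate",
    "set system services web-management https interface fxp0.0",
]
REVENUE_PORT = [
    # A revenue port alongside fxp0.0; the audit flags it even where a
    # 'management' functional zone might make it acceptable in practice.
    "set system services web-management https system-generated-certificate",
    "set system services web-management https interface fxp0.0",
    "set system services web-management https interface ge-0/0/0.0",
]

if __name__ == "__main__":
    samples = [("unrestricted", UNRESTRICTED), ("oob-only", OOB_ONLY),
               ("revenue-port", REVENUE_PORT)]
    for name, cfg in samples:
        result = evaluate_jweb_restriction(cfg)
        print(f"{name:14} {result['status']:15} violations={result['violations']}")
        if result["status"] == "FAIL":
            # Assumes fxp0.0 is this platform's OOB port.
            print("   remediation:", remediation_commands(["fxp0.0"]))
```

Running the block prints one line per sample; the unrestricted and revenue-port configurations fail, the fxp0.0-only configuration passes, and a configuration with no web-management https statements is reported as not applicable, matching the NOTE above.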

Default Value:

Varies by platform. For some Branch and SME focused devices, like the SRX300 or EX2300, JWeb is enabled by default. For most larger Enterprise and SP devices JWeb is disabled by default.

When configured, by default JWeb listens on all interfaces for Web Management sessions.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(15), CSCv7|11.7

Plugin: Juniper

Control ID: cb6dac5694bee799c94b7775edffc5c6098aaa6457b5d9e87a110bec1b7768bc