Detections
Analytics
6.10.5.4 Ensure REST HTTPS is Set to use Mutual Authentication
Information
The REST HTTPS API should be configured for Mutual AuthenticationRationale:
The JUNOS REST API can be configured for access using either HTTP or HTTPS for connections.
When configured to use HTTPS, X.509 Certificates are used to validate the JUNOS Devices identity to API Clients when they connect. Optionally, TLS Mutual Authentication may also be configured, whereby the REST API Client must also provide an X.509 Certificate signed by a mutually trusted Certificate Authority before it is permitted to connect.
Using a mutually trusted Certificate Authority (CA), either an Internal or Public CA, allows for both the Client Device (such as a Network Automation Server) and JUNOS Device to detect when a management session is being intercepted or impersonated by an attacker. Additionally, a centralized CA is able to revoke any Certificate's which may be compromised or have been issued to Clients who are no longer authorized.
A Certificate Authority is a Trusted Third Party which validates X.509 Certificates by signing them, using a secure Hashing algorithm and their own Private Key. A CA may be part of an organization's internal Public Key Infrastructure (PKI) or an Public CA service such as those provided by Verisign, Entrust or Microsoft.
Commonly, for signing Certificates used for internal management and systems, Organizations will configure their own PKI rather than paying for Public CA Services - configuring their End Points to trust Certificates signed by their CA through Group Policy or similar methods.
Either option is equally acceptable for use REST TLS Mutual Authentication, but a ca-profile must be configured on the JUNOS Device (even where the device has preconfigured trust for some Public CAs).
TLS/HTTPS Mutual Authentication does not replace User Authentication, which is still performed via an HTTP Authentication Header using details configured Local or Remote (via RADIUS/TACACS+) User.
Impact:
REST API Management may be lost if the Certificate is not valid or if Automation/Network Management Systems using the REST API are not also configured to support Mutual Authentication using valid Certificates from the same Certificate Authority.
NOTE: REST does not appear to be configured on the target. This check is not applicable.
Solution
To configure REST HTTPS Mutual Authentication, enter the following command from the [edit system services rest] hierarchy:[edit system services rest]
user@host# set https mutual-authentication <CA Profile>
Where <CA Profile> is the name of an existing Certificate Authority Profile configured on the JUNOS Device for a Trusted CA.
To configure a new CA Profile, use the following commands from the [edit security pki] hierarchy:
[edit security pki]
user@host# set ca-profile <CA Profile> ca-identity <CA ID>
It is recommended that a Certificate Revocation List be set for the CA Profile, by including the <CRL URL> using the following command:
[edit security pki]
user@host# set ca-profile <CA Profile> revocation-check crl <CRL URL>
Finally, the CAs' Public Certificate should be obtained an uploaded to the JUNOS Device and linked to the CA Profile:
[edit security pki]
user@host# run request security pki ca-certificate load ca-profile <CA Profile> filename <path and filename>
Default Value:
By default the REST API is disabled.
See Also
Item Details
Audit Name: CIS Juniper OS Benchmark v2.1.0 L2
Category: IDENTIFICATION AND AUTHENTICATION
References: 800-53|IA-2(1), CSCv7|11.5
Plugin: Juniper
Control ID: ea219cc70ecb03a81befbabc7e8688eb221bc7c07901cbb012b0d3dfc0b78be1