Check: JUEX-NM-000010
Juniper EX Series Switches Network Device Management STIG:
JUEX-NM-000010
(in versions v2 r1 through v1 r1)
Title
The Juniper EX switch must be configured to limit the number of concurrent management sessions to 10 or less. (Cat II impact)
Discussion
Device management includes the ability to control the number of administrators and management sessions that manage a device. Limiting the number of allowed administrators and sessions per administrator based on account type, role, or access type is helpful in limiting risks related to denial of service (DoS) attacks. This requirement addresses concurrent sessions for administrative accounts and does not address concurrent sessions by a single administrator via multiple administrative accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system. At a minimum, limits must be set for SSH, HTTPS, account of last resort, and root account sessions. Juniper switches apply session limits per access method (e.g., web management, SSH), which means the limit is applicable to local, remote, and root account sessions. Some services, like SSH and NETCONF, also support connection rate-limiting. Connection rate limiting is the number of connections per one minute interval. Unconfigured management access methods are disabled. For instance, if there is no [edit system services ssh] stanza, that service is unavailable and a connection-limit should not be configured because that will enable the service.
Check Content
Review the network device configuration and verify the device limits the number of concurrent management sessions to an organization-defined number for all authorized access methods. SSH example: [edit system services ssh] connection-limit <1..10>; rate-limit <1..4>; Note: The SSH connection- and rate-limit directives affect secure file transfer protocols like SCP and SFTP. NETCONF over SSH example: [edit system services netconf] ssh { connection-limit <1..10>; rate-limit <1..4>; } Note: Rate limiting is the permissible number of connections per one minute interval. If the network device does not limit the number of concurrent management sessions to an organization-defined number, this is a finding.
Fix Text
Limit the number of concurrent management sessions to 10. SSH example: set system services ssh connection-limit 10 set system services ssh rate-limit <1..4> NETCONF over SSH example: set system services netconf ssh connection-limit <1..10> set system services netconf ssh rate-limit <1..4>
Additional Identifiers
Rule ID: SV-253878r960735_rule
Vulnerability ID: V-253878
Group Title: SRG-APP-000001-NDM-000200
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000054 |
Limit the number of concurrent sessions for each organization-defined account and/or account type to an organization-defined number. |
Controls
Number | Title |
---|---|
AC-10 |
Concurrent Session Control |