All mobile device VPN clients must timeout after a set period of inactivity.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-32696 | WIR-MOS-iOS-034-05 | SV-43042r1_rule | ECWN-1 | Medium |
| Description |
|---|
| DoD data and the DoD network could be compromised if transmitted data is not secured with a compliant VPN. A VPN provides an open connection to the DoD network. If the VPN client does not timeout after the required period of inactivity, and a hacker is able to bypass the device password controls, they would have access to the DoD network. |
| STIG | Date |
|---|---|
| Apple iOS 6 Interim Security Configuration Guide (ISCG) | 2013-01-17 |
Details
| Check Text ( C-41058r4_chk ) |
|---|
| This check is not applicable if the installed VPN client is not used for remote access to DoD networks. Note: Use of a VPN to access DoD email on a mobile device is not required. Interview the IAO and/or site wireless device administrator and inspect a sample (3-4) of site devices. Review VPN client specification sheets. Verify the VPN client is configured to timeout an inactive session after a set period of inactivity. The check procedures will vary depending on the VPN client used. Mark as a finding if the VPN client is not configured to timeout after 4 hours. |
| Fix Text (F-36594r3_fix) |
|---|
| Configure the VPN client to timeout a session after 4 hours of inactivity. |