
The network element must timeout management connections for administrative access after 10 minutes or less of inactivity.


Overview

Finding ID: V-3014
Version: NET1639
Rule ID: SV-15454r2_rule
IA Controls: (none listed)
Severity: Medium
Description
Setting the timeout of the session to 10 minutes or less increases the level of protection afforded critical network components.
STIG: Infrastructure Router - Juniper Security Technical Implementation Guide
Date: 2017-09-28

Details

Check Text (C-12919r3_chk)
With the exception of root, all user access privileges on a Juniper router are defined in a login class, and every user who logs in to the router must belong to one; user access to the router is therefore governed by the login class. The properties defined in a login class include the user's access privileges and the idle time permitted for a login session. As shown in the example below, the idle time is set with the idle-timeout statement, which specifies in minutes how long a session may remain idle before it times out and the user is logged off. Check each class that has been defined and examine its idle-timeout value. Following is an example:

[edit system login]
class superuser-local {
    idle-timeout 10;
    permissions all;
}

Note: There is no default idle-timeout; hence, without a timeout specified, a login session remains established until the user logs out of the router, even if that session is idle. Unlike IOS, to close idle sessions automatically you must configure a time limit for each login class.

When ssh is enabled, all users can use it to access the router, including the root account. This presents two problems:

1) The root account can now be accessed using in-band management.
2) Since the root account does not belong to a login class, there is no way to set an idle timeout for it.

Access to the root account via ssh must be disabled with the root-login deny command. Following is an example configuration:

[edit system]
services {
    ssh {
        root-login deny;
    }
}
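As an added example (not part of the STIG check text), the following Python script applies both checks to a Junos configuration captured in the curly-brace format shown above: it walks the [edit system login] hierarchy and flags every class with no idle-timeout or one above 10 minutes, and confirms root-login deny under [edit system services ssh]. The sample configuration, and the class names other than superuser-local, are constructed for illustration.

```python
# Constructed sample (not from a real device): compliant, missing and too-high idle-timeouts, plus root-login deny.
SAMPLE_CONFIG = """system {
    login {
        class superuser-local {
            idle-timeout 10;
            permissions all;
        }
        class operator-ro {
            permissions view;
        }
        class netops {
            idle-timeout 30;
        }
    }
    services {
        ssh {
            root-login deny;
        }
    }
}
"""

def parse_junos(text):
    """Curly-brace Junos config -> nested dicts; 'keyword value;' becomes node[keyword] = value."""
    node, stack = {}, []
    for line in (l.strip() for l in text.splitlines()):
        if line.endswith("{"):            # open a hierarchy level
            stack.append(node)
            node = node.setdefault(line[:-1].strip(), {})
        elif line == "}":                 # close it, back to the parent
            node = stack.pop()
        elif line.endswith(";"):          # leaf statement
            key, _, value = line[:-1].partition(" ")
            node[key] = value.strip()
    return node

def check_idle_timeouts(cfg, limit=10):
    """Map each login class name to a finding string, or None when compliant."""
    findings = {}
    for key, body in cfg.get("system", {}).get("login", {}).items():
        if key.startswith("class "):
            t = body.get("idle-timeout")  # None: Junos has no default, idle sessions never close
            findings[key[6:]] = ("no idle-timeout configured" if t is None else
                                 None if int(t) <= limit else
                                 f"idle-timeout {t} exceeds {limit} minutes")
    return findings

def root_ssh_denied(cfg):
    """True when [edit system services ssh] carries root-login deny."""
    return cfg.get("system", {}).get("services", {}).get("ssh", {}).get("root-login") == "deny"
```

Run it against the output of `show configuration` instead of SAMPLE_CONFIG to check a real device; a class that never appears in the findings with a value of None is an open finding.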

Fix Text (F-3039r5_fix)
Configure the network devices to ensure the timeout for unattended administrative access connections is no longer than 10 minutes.