The network element must timeout management connections for administrative access after 10 minutes or less of inactivity.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-3014	NET1639	SV-15454r2_rule		Medium

Description
Setting the timeout of the session to 10 minutes or less increases the level of protection afforded critical network components.

STIG	Date
Infrastructure Router Security Technical Implementation Guide Juniper	2018-09-11

Details

Check Text ( C-12919r3_chk )
With the exception of root, all user access privileges to a Juniper router are defined in a class. All users who log in to the router must be in a login class. Hence, user access to the router is via login class. The properties defined in a login class include user access privileges and the idle time permitted for a user login session. As shown in the example below, the idle time is specified with the idle-timeout specifying in minutes as to how long a session can be idle before it times out and the user is logged off. Check the classes that have been defined and examine the idle-timeout parameter. Following is an example: [edit system login] class superuser-local { idle-timeout 10; permissions all; } Note: There is no default idle-timeout; hence, without a timeout specified, a login session remains established until a user logs out of the router, even if that session is idle. Unlike IOS, to close idle sessions automatically, you must configure a time limit for each login class. When ssh is enabled, all users can use it to access the router---including the root account. This presents two problems: 1) The root account now be accessed using in-band management 2) Since the root account does not belong to a login class, there is no way to set the idle timeout. Access to the root account via ssh must be disabled via root-login deny command. Following is an example configuration: [edit system] services { ssh { root-login deny;

Check Text ( C-12919r3_chk )

With the exception of root, all user access privileges to a Juniper router are defined in a class. All users who log in to the router must be in a login class. Hence, user access to the router is via login class. The properties defined in a login class include user access privileges and the idle time permitted for a user login session. As shown in the example below, the idle time is specified with the idle-timeout specifying in minutes as to how long a session can be idle before it times out and the user is logged off. Check the classes that have been defined and examine the idle-timeout parameter. Following is an example:

[edit system login]
class superuser-local {
idle-timeout 10;
permissions all;
}

Note: There is no default idle-timeout; hence, without a timeout specified, a login session remains established until a user logs out of the router, even if that session is idle. Unlike IOS, to close idle sessions automatically, you must configure a time limit for each login class.
When ssh is enabled, all users can use it to access the router---including the root account. This presents two problems:

1) The root account now be accessed using in-band management
2) Since the root account does not belong to a login class, there is no way to set the idle timeout.

Access to the root account via ssh must be disabled via root-login deny command. Following is an example configuration:

[edit system]
services {
ssh {
root-login deny;

Fix Text (F-3039r5_fix)
Configure the network devices to ensure the timeout for unattended administrative access connections is no longer than 10 minutes.