Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-3014 | NET1639 | SV-15454r2_rule | ECSC-1 | Medium |
Description |
---|
Setting the timeout of the session to 10 minutes or less increases the level of protection afforded critical network components. |
STIG | Date |
---|---|
Perimeter Router Security Technical Implementation Guide Juniper | 2015-07-01 |
Check Text ( C-12919r3_chk ) |
---|
With the exception of root, all user access privileges to a Juniper router are defined in a class. All users who log in to the router must be in a login class. Hence, user access to the router is via login class. The properties defined in a login class include user access privileges and the idle time permitted for a user login session. As shown in the example below, the idle time is specified with the idle-timeout specifying in minutes as to how long a session can be idle before it times out and the user is logged off. Check the classes that have been defined and examine the idle-timeout parameter. Following is an example: [edit system login] class superuser-local { idle-timeout 10; permissions all; } Note: There is no default idle-timeout; hence, without a timeout specified, a login session remains established until a user logs out of the router, even if that session is idle. Unlike IOS, to close idle sessions automatically, you must configure a time limit for each login class. When ssh is enabled, all users can use it to access the router---including the root account. This presents two problems: 1) The root account now be accessed using in-band management 2) Since the root account does not belong to a login class, there is no way to set the idle timeout. Access to the root account via ssh must be disabled via root-login deny command. Following is an example configuration: [edit system] services { ssh { root-login deny; |
Fix Text (F-3039r5_fix) |
---|
Configure the network devices to ensure the timeout for unattended administrative access connections is no longer than 10 minutes. |