UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The network element must timeout management connections for administrative access after 10 minutes or less of inactivity.


Overview

Finding ID Version Rule ID IA Controls Severity
V-3014 NET1639 SV-15454r2_rule Medium
Description
Setting the timeout of the session to 10 minutes or less increases the level of protection afforded critical network components.
STIG Date
Perimeter Router Security Technical Implementation Guide Juniper 2017-06-29

Details

Check Text ( C-12919r3_chk )
With the exception of root, all user access privileges to a Juniper router are defined in a class. All users who log in to the router must be in a login class. Hence, user access to the router is via login class. The properties defined in a login class include user access privileges and the idle time permitted for a user login session. As shown in the example below, the idle time is specified with the idle-timeout specifying in minutes as to how long a session can be idle before it times out and the user is logged off. Check the classes that have been defined and examine the idle-timeout parameter. Following is an example:

[edit system login]
class superuser-local {
idle-timeout 10;
permissions all;
}

Note: There is no default idle-timeout; hence, without a timeout specified, a login session remains established until a user logs out of the router, even if that session is idle. Unlike IOS, to close idle sessions automatically, you must configure a time limit for each login class.
When ssh is enabled, all users can use it to access the router---including the root account. This presents two problems:

1) The root account now be accessed using in-band management
2) Since the root account does not belong to a login class, there is no way to set the idle timeout.

Access to the root account via ssh must be disabled via root-login deny command. Following is an example configuration:

[edit system]
services {
ssh {
root-login deny;
Fix Text (F-3039r5_fix)
Configure the network devices to ensure the timeout for unattended administrative access connections is no longer than 10 minutes.