Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-207254 | SRG-NET-000518-VPN-002280 | SV-207254r608988_rule | Medium |
Description |
---|
If a user cannot explicitly end a session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. However, for some types of interactive sessions including, for example, remote login, information systems typically send logout messages as final messages prior to terminating sessions. This applies to VPN gateways that have the concept of a user account and have the login function residing on the VPN gateway. |
STIG | Date |
---|---|
Virtual Private Network (VPN) Security Requirements Guide | 2021-09-27 |
Check Text ( C-7514r378383_chk ) |
---|
Verify the VPN Client logout function is configured to terminate the session on/with the VPN Gateway. If the VPN Client logout function does not terminate the session on/with the VPN Gateway, this is a finding. |
Fix Text (F-7514r378384_fix) |
---|
Configure the VPN Client logout log out function must be configured to terminate the session on/with the VPN Gateway. |