The VPN Client logout function must be configured to terminate the session on/with the VPN Gateway.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-207254	SRG-NET-000518-VPN-002280	SV-207254r608988_rule		Medium

Description
If a user cannot explicitly end a session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. However, for some types of interactive sessions including, for example, remote login, information systems typically send logout messages as final messages prior to terminating sessions. This applies to VPN gateways that have the concept of a user account and have the login function residing on the VPN gateway.

Description

If a user cannot explicitly end a session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. However, for some types of interactive sessions including, for example, remote login, information systems typically send logout messages as final messages prior to terminating sessions. This applies to VPN gateways that have the concept of a user account and have the login function residing on the VPN gateway.

STIG	Date
Virtual Private Network (VPN) Security Requirements Guide	2021-09-27

Details

Check Text ( C-7514r378383_chk )
Verify the VPN Client logout function is configured to terminate the session on/with the VPN Gateway. If the VPN Client logout function does not terminate the session on/with the VPN Gateway, this is a finding.

Fix Text (F-7514r378384_fix)
Configure the VPN Client logout log out function must be configured to terminate the session on/with the VPN Gateway.