STIGhub

V-258591

CAT II (Medium)

The ICS must terminate remote access network connections after 10 minutes or less.

Rule ID

SV-258591r1136932_rule

STIG

Ivanti Connect Secure VPN Security Technical Implementation Guide

Version

V2R2

CCIs

CCI-000057, CCI-001133

Discussion

Best practice is to terminate inactive user sessions after a period; however, when setting timeouts to any VPN connection, the organization must consider the risk to the mission and purpose of the VPN. VPN connections that provide user access to the network are the prime candidates for VPN session termination and the primary focus of this requirement. To determine if and when the VPN connections warrant termination, the organization must perform a risk assessment to identify the use case for the VPN and determine if periodic VPN session termination puts the mission at significant risk. The organization must document the results and the determination of the risk assessment in the VPN section of the SSP. The organization must also configure VPN session terminations in accordance with the risk assessment.

Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element.

Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection.

Check Content

Verify the user role being used for CAC/PKI token VPN client logins is configured with a session timeout.

In the ICS Web UI, navigate to Administrators >> Users Roles >> User Roles.
1. Click the configured user role being used for CAC/PKI token VPN client logins.
2. Click the "Session Options" tab.

In the "Session Lifetime" section, if Idle Timeout is not set to "10", this is a finding.

Fix Text

Configure the user role being used for CAC/PKI token VPN client logins with a session timeout.

In the ICS Web UI, navigate to Administrators >> Users Roles >> User Roles.
1. Click the configured user role being used for CAC/PKI token VPN client logins.
2. Click the "Session Options" tab.
3. In the "Session Lifetime" section, set the Idle Timeout to "10".
4. Click "Save Changes".
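The check above is a manual, one-role-at-a-time inspection. When an appliance carries many user roles, an assessor usually wants to evaluate every role from a configuration export at once and then decide which ones are the CAC/PKI VPN roles the rule actually covers. The script below is an added example written for this page; it is not part of the STIG, DISA's checking tools, or Ivanti's product. The XML layout it parses (`user-role`, `name`, `session-options/session-lifetime/idle-timeout`) is an assumption standing in for a real ICS export, and the sample export is constructed; adjust the tag paths to match the export your appliance produces. It classifies each role three ways: a finding (no idle timeout, or longer than 10 minutes), compliant (exactly the "10" the check text looks for), or stricter than 10 (meets the "10 minutes or less" rule title, but differs from the literal check value, so flag it for the assessor rather than silently passing it).

```python
import xml.etree.ElementTree as ET

# Constructed sample export. The element layout is an ASSUMPTION about how an
# ICS configuration export nests role session options; adjust the tag names in
# role_idle_timeouts() to match a real export.
SAMPLE_EXPORT = """<configuration>
  <users>
    <user-roles>
      <user-role>
        <name>CAC-VPN-Users</name>
        <session-options>
          <session-lifetime>
            <idle-timeout>10</idle-timeout>
            <max-session-length>60</max-session-length>
          </session-lifetime>
        </session-options>
      </user-role>
      <user-role>
        <name>Contractor-VPN</name>
        <session-options>
          <session-lifetime>
            <idle-timeout>60</idle-timeout>
          </session-lifetime>
        </session-options>
      </user-role>
      <user-role>
        <name>Admins</name>
        <session-options>
          <session-lifetime>
            <idle-timeout>5</idle-timeout>
          </session-lifetime>
        </session-options>
      </user-role>
      <user-role>
        <name>Legacy-Role</name>
      </user-role>
    </user-roles>
  </users>
</configuration>
"""

# Idle timeout, in minutes, named in the V-258591 check text.
REQUIRED_IDLE_MINUTES = 10


def role_idle_timeouts(xml_text):
    """Return {role_name: idle_timeout_minutes or None} for every user role.

    None means the role has no parseable idle timeout, which is treated as a
    finding: an unset timeout never terminates the session.
    """
    root = ET.fromstring(xml_text)
    timeouts = {}
    for role in root.iter("user-role"):
        name = role.findtext("name")
        raw = role.findtext("session-options/session-lifetime/idle-timeout")
        timeouts[name] = int(raw) if raw is not None and raw.strip().isdigit() else None
    return timeouts


def assess(timeouts, required=REQUIRED_IDLE_MINUTES, roles=None):
    """Classify each role against V-258591.

    'finding'   : no idle timeout, or longer than `required` minutes.
    'compliant' : exactly the value the check text looks for.
    'stricter'  : shorter than `required`; satisfies the rule title
                  ("10 minutes or less") but not the literal check value.
    `roles`, when given, limits the verdicts to the CAC/PKI VPN roles the
    rule applies to; other roles are ignored.
    """
    verdicts = {}
    for name, minutes in timeouts.items():
        if roles is not None and name not in roles:
            continue
        if minutes is None or minutes > required:
            verdicts[name] = "finding"
        elif minutes == required:
            verdicts[name] = "compliant"
        else:
            verdicts[name] = "stricter"
    return verdicts


def audit(xml_text, required=REQUIRED_IDLE_MINUTES, roles=None):
    """Parse an export and return {role_name: verdict}."""
    return assess(role_idle_timeouts(xml_text), required, roles)


if __name__ == "__main__":
    for role, verdict in audit(SAMPLE_EXPORT).items():
        print(f"{role:20s} {verdict}")
```

Run it against the whole export first to see every role, then rerun with `roles={"CAC-VPN-Users"}` (or whatever your CAC/PKI roles are named) to produce the verdict that actually maps to this rule; a role that never serves certificate-authenticated VPN logins being out of scope does not make it a finding here, but the broader listing is useful when deciding which roles to harden under the risk assessment the Discussion calls for.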