V-66321

Discussion

Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. This control does not imply that the device terminates all sessions or network access; it only ends the inactive session. Since many of the inactivity timeouts pre-defined by Junos OS are set to 1800 seconds, an explicit custom setting of 900 must be set for each application used by the DoD implementation. Since a timeout cannot be set directly on the predefined applications, the timeout must be set on the any firewall rule that uses a pre-defined application (i.e., an application that begins with junos-), otherwise the default pre-defined timeout will be used.

Check Content

Check both the applications and protocols to ensure session inactivity timeout for communications sessions is set to 900 seconds or less.

First get a list of security policies, then enter the show details command for each policy-name found.

[edit]
show security policies
show security policy <policy-name> details

Example:
Application: any
 IP protocol: 0, ALG: 0, Inactivity timeout: 0

Verify an activity timeout is configured for either "any" application or, at a minimum, the pre-defined applications (i.e., application names starting with junos-).

To verify locally created applications, first get a list of security policies, then enter the show details command for each policy-name found.

[edit]
Show applications 
show applications application <application-name>

If an inactivity timeout value of 900 seconds or less is not set for each locally created application and pre-defined applications, this is a finding.