← Back to Riverbed NetProfiler Security Technical Implementation Guide

V-256084

CAT I (High)

The Riverbed NetProfiler must be configured to terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after 10 minutes of inactivity except to fulfill documented and validated mission requirements.

Rule ID

SV-256084r961068_rule

STIG

Riverbed NetProfiler Security Technical Implementation Guide

Version

V2R1

CCIs

CCI-001133

Discussion

Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level or deallocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. This does not mean the device terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.

Check Content

Go to Configuration >> Appliance Security >> Password Security. 

Under "Inactivity Timeout", verify the "Enable Maximum Inactivity Timeout" box is checked and the timer is set for 10 minutes. 

If the inactivity timeout is not enabled, and/or the timer is not set to 10 minutes, this is a finding.

Fix Text

Go to Configuration >> Appliance Security >> Password Security. 

Under "Inactivity Timeout", check the "Enable Maximum Inactivity Timeout" box and set the timer for 10 minutes.