← Back to Juniper Router NDM Security Technical Implementation Guide

V-217328

CAT I (High)

The Juniper router must be configured to terminate all network connections associated with device management after five minutes of inactivity.

Rule ID

SV-217328r961068_rule

STIG

Juniper Router NDM Security Technical Implementation Guide

Version

V3R2

CCIs

CCI-001133

Discussion

Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. This does not mean that the device terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.

Check Content

Review the router configuration to verify that all login classes have the idle-timeout value to five minutes or less as shown in the following example:

system {
    …
    …
    …
    }
    login {
        class ADMIN {
            idle-timeout 5;
            permissions admin-control;
        }
    }

If the router is not configured to terminate all network connections associated with a device management after five minutes of inactivity, this is a finding.

Fix Text

Set the idle timeout value to five minutes or less on all configured login classes as shown in the example below.

[edit system login]
set class ADMIN idle-timeout 5