Network Device Management Rules : Ensuring the system terminates network connections
  
Ensuring the system terminates network connections
Rule Title: RiOS must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after 10 minutes of inactivity except to fulfill documented and validated mission requirements.
STIG ID: RICX-DM-000137
Rule ID: SV-77475r1_rule Severity: CAT II
Vuln ID: V-62985 Class: Unclass
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element.
Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level, or deallocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. This does not mean that the device terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.
Verifying the system terminates network connections
Verify that RiOS is configured to terminate a device management session at the end of the session, or after 10 minutes of inactivity.
1. Connect to the Management Console.
2. Choose Administration > Security: Web Settings to display the Web Settings page.
3. Verify that Web Inactivity Timeout (minutes) is set to 10. If Inactivity Timeout or Web Inactivity Timeout (minutes) is not set to 10, this is a security vulnerability finding.
Configuring the system to terminate network connections
Configure RiOS to terminate a device management session at the end of the session, or after 10 minutes of inactivity.
1. Connect to the Management Console.
2. Choose Administration > Security: Web Settings to display the Web Settings page.
3. Specify the Web Inactivity Timeout (minutes) to 10.
4. Click Apply.