Rule ID
SV-283760r1203325_rule
Version
V1R1
CCIs
Device management includes the ability to control the number of administrators and management sessions that manage a device. Limiting the number of allowed administrators and sessions per administrator based on account type, role, or access type is helpful in limiting risks related to denial-of-service (DoS) attacks. This requirement addresses concurrent sessions for administrative accounts and does not address concurrent sessions by a single administrator via multiple administrative accounts. The maximum number of concurrent sessions should be defined based on mission needs and the operational environment for each system. At a minimum, limits must be set for SSH, HTTPS, account of last resort, and root account sessions. Nokia routers apply session limits for both inbound and outbound sessions per access method.
Review the Nokia router configuration to determine if concurrent management sessions are limited, as shown in the example below:
SSH example:
Use the command below to get into the correct configuration context:
- exit all
- configure system login-control ssh
- info detail | match inbound-max-sessions
inbound-max-sessions 3
- info detail | match outbound-max-sessions
outbound-max-sessions 3
If "inbound-max-sessions" is not set to "3" or less, this is a finding.
If "outbound-max-sessions" is not set to "3" or less, this is a finding.Configure the Nokia router to limit the number of concurrent management sessions to a maximum of "3" sessions, as shown in the example below: SSH example: - configure system login-control ssh inbound-max-sessions 3 - configure system login-control ssh outbound-max-sessions 3