← Back to HPE Aruba Networking AOS VPN Security Technical Implementation Guide

V-266993

CAT II (Medium)

AOS, when used as a VPN Gateway, must limit the number of concurrent sessions for user accounts to one or to an organization-defined number.

Rule ID

SV-266993r1040745_rule

STIG

HPE Aruba Networking AOS VPN Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-000054

Discussion

VPN gateway management includes the ability to control the number of users and user sessions that utilize a VPN gateway. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to denial-of-service attacks. This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based on mission needs and the operational environment for each system. The intent of this policy is to ensure the number of concurrent sessions is deliberately set to a number based on the site's mission and not left unlimited.

Check Content

Verify the AOS configuration with the following command:
show running-config | begin "user-role <vpn user role>"

If the vpn user role is not configured to max-sessions 1 (or an organization-defined number), this is a finding.

Fix Text

Configure AOS with the following commands:
configure terminal
user-role <vpn user role>
max-sessions 1
exit
write memory