← Back to IBM DataPower Network Device Management Security Technical Implementation Guide

V-65123

CAT II (Medium)

The DataPower Gateway must provide a logout capability for administrator-initiated communication sessions.

Rule ID

SV-79613r2_rule

STIG

IBM DataPower Network Device Management Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-002363

Discussion

If an administrator cannot explicitly end a device management session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session.

Check Content

Objects >> Device Management >> Web Management Service >> Idle timeout is set to 900 or less. 

Review the administrator's SSH Client Profile: Objects >> Crypto Configuration >> SSH Client Profile >> "Persistent Idle Timeout" is set to 900 or less. If it is not, this is a finding.

Fix Text

Configure the DataPower Gateway Web Management service used by an administrator, to include an idle timeout (Objects >> Device Management >> Web Management Service): The time after which to invalidate idle administrator sessions. When invalidated, the web interface requires reauthentication.

For the SSH command-line interface used by an administrator, use the web interface (Objects >> Crypto Configuration >> SSH Client Profile) to configure an SSH Client Profile for the administrator user ID. Configure the "Persistent Idle Timeout" to 900 or less.