An error occurred:

Cisco ASA NDM STIG Version Comparison

Cisco ASA NDM Security Technical Implementation Guide

Comparison

There are 4 differences between versions v1 r4 (April 27, 2023) (the "left" version) and v1 r6 (Oct. 25, 2023) (the "right" version).

Check CASA-ND-000690 was changed between these two versions. Green, underlined text was added, red, struck-out text was removed.

The regular view of the left check and right check may be easier to read.

Text Differences

Title

The Cisco ASA must be configured to terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after 10 five minutes of inactivity except to fulfill documented and validated mission requirements.

Check Content

Review the Cisco ASA configuration to verify all network connections associated with a device management have an idle timeout value set to 10 five minutes or less as shown in the following example: http server idle-timeout 10 … … … ssh 5 … … … ssh timeout 10 … … … console 5 … … … console timeout 10 If 5 If the Cisco ASA is not configured to terminate all network connections associated with a device management after 10 five minutes of inactivity, this is a finding.

Discussion

Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. This does not mean that the device terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.

Fix

Set the idle timeout value to 10 five minutes or less for console, ssh, and http (if ASDM is used) access. SW1(config)# ssh timeout 10 SW1(config)# 5 SW1(config)# console timeout 10 ASA(config)# 5 ASA(config)# http server idle-timeout 10 SW1(config)# 5 SW1(config)# end