Title

The DataPower Gateway must provide a logout capability for administrator-initiated communication sessions. (Cat II impact)

Discussion

If an administrator cannot explicitly end a device management session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session.

Check Content

Objects >> Device Management >> Web Management Service >> Idle timeout is set to 900 or less. Review the administrator's SSH Client Profile: Objects >> Crypto Configuration >> SSH Client Profile >> "Persistent Idle Timeout" is set to 900 or less. If it is not, this is a finding.

Fix Text

Configure the DataPower Gateway Web Management service used by an administrator, to include an idle timeout (Objects >> Device Management >> Web Management Service): The time after which to invalidate idle administrator sessions. When invalidated, the web interface requires reauthentication. For the SSH command-line interface used by an administrator, use the web interface (Objects >> Crypto Configuration >> SSH Client Profile) to configure an SSH Client Profile for the administrator user ID. Configure the "Persistent Idle Timeout" to 900 or less.

Additional Identifiers

Rule ID: SV-79613r2_rule

Vulnerability ID: V-65123

Group Title: SRG-APP-000296-NDM-000280

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.