Check: DSN18.14
Defense Switched Network (DSN) STIG:
DSN18.14
(in versions v2 r8 through v2 r7)
Title
Serial management/maintenance ports are not configured to “force out” or drop any interrupted user session. (Cat III impact)
Discussion
Requirement: The IAO will ensure that serial management ports immediately drop any connection that is interrupted for any reason. Reasons include modem power failure, link disconnection, loss of carrier, etc. Serial ports that are interrupted due to link disconnection, power failure or other reasons will force out the user (i.e., end the session using the port). This will prevent a remote user from ending a session without logging off and leaving the remote maintenance port available with an active session that might allow unauthorized use by someone other than the authenticated user. This will also prevent the physical hijacking of an active session by unplugging the connected cable and plugging in another.
NOTE: This requirement primarily addresses the use of EIA/RS-232 serial interfaces (serial craft or console ports) in conjunction with a modem. It requires the enablement of the hardware handshaking capabilities that are typically inherent in the interface and the associated Universal Asynchronous Receiver/Transmitter (UART). The hardware handshaking capabilities can easily detect modem power failure, link disconnection, and loss of carrier. The software response to these hardware indicators is to terminate any active session such that re-authentication is required if the session is re-established. This capability also supports the prevention of physically hijacking the connection or session by unplugging the modem and plugging in a local workstation or other communications device. However, such physical hijacking is substantially mitigated by limiting physical access to the port connection to authorized personnel via physical access security methods. Unfortunately, some EIA/RS-232 port implementations in some vendors' products do not include the physical handshaking lead connections needed to fulfill this requirement. In some cases only the three minimally required data leads (TX, RX, and GND) are implemented.
In this case, XON/XOFF flow control is used to synchronize communications as opposed to the hardware handshaking. Additional measures must be implemented in hardware or software to detect session interruption and effect its termination. This may require special serial communications software or middleware that implements a keep-alive signal. When the keep-alive signal is lost, the session is terminated. Other methods may be employed as well.
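As an added illustration (not part of the STIG text or any vendor's configuration), the two cases in the Discussion mapped onto a POSIX termios port: honouring the DCD lead so carrier loss hangs up the session, and a software keep-alive timeout for three-wire (TX/RX/GND) ports that carry no status leads. Function names and the 30-second timeout are assumptions of this example.

```c
#include <stdbool.h>
#include <sys/ioctl.h>
#include <termios.h>
#include <time.h>

/* Hardware-handshake case. Clearing CLOCAL makes the tty driver honour DCD:
 * when carrier drops, the driver sends SIGHUP to the session's process group,
 * which ends the login session. HUPCL drops DTR when the port is closed, so
 * the modem hangs up instead of leaving the call answered. */
tcflag_t require_carrier_flags(tcflag_t cflag)
{
    cflag &= ~(tcflag_t)CLOCAL;
    cflag |= HUPCL;
    return cflag;
}

/* Audit helper: true if these control flags would drop an interrupted session. */
bool flags_drop_interrupted_session(tcflag_t cflag)
{
    return (cflag & CLOCAL) == 0 && (cflag & HUPCL) != 0;
}

/* Apply the setting to an open serial port; returns 0 on success, -1 on error. */
int apply_to_fd(int fd)
{
    struct termios t;
    if (tcgetattr(fd, &t) != 0)
        return -1;
    t.c_cflag = require_carrier_flags(t.c_cflag);
    return tcsetattr(fd, TCSANOW, &t);
}

/* Given modem status bits from ioctl(fd, TIOCMGET, &bits): the link is only
 * considered up while both carrier detect (DCD) and data set ready (DSR)
 * are asserted. Either one dropping means the session must be ended. */
bool link_is_up(int modem_bits)
{
    return (modem_bits & TIOCM_CD) != 0 && (modem_bits & TIOCM_DSR) != 0;
}

/* Three-wire case: no status leads exist, so middleware sends periodic
 * keep-alives and the port side ends the session when none arrives within
 * timeout_s of the last one. A clock that runs backwards is treated as
 * expired (fail closed) rather than as a still-live session. */
bool keepalive_expired(time_t last_keepalive, time_t now, double timeout_s)
{
    double idle = difftime(now, last_keepalive);
    return idle < 0.0 || idle > timeout_s;
}
```

An SA can confirm the hardware case on a running system by checking that the getty or console process on the port runs with CLOCAL clear (e.g. `stty -a` on the device); the keep-alive timer belongs in the session middleware the Discussion refers to.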
Check Content
Interview the IAO and/or SA to confirm compliance through discussion, review of site policy and procedures, diagrams, documentation, configuration files, logs, records, DAA/other approvals, etc., as applicable.
Fix Text
> Configure the DSN component to force out users when the session is interrupted.
Additional Identifiers
Rule ID: SV-8485r1_rule
Vulnerability ID: V-7999
Group Title: Serial Mgmt. Ports do not drop interrupted session
CCIs
| Number | Definition |
|---|---|
| No CCIs are assigned to this check | |
Controls
| Number | Title |
|---|---|
| No controls are assigned to this check | |