The Juniper SRX Services Gateway must terminate a device management session if the keep-alive count is exceeded.

Overview

Finding ID: V-223232
Version: JUSX-DM-000157
Rule ID: SV-223232r961068_rule
IA Controls: CCI-001133
Severity: medium
Description
Configuring keep-alives for management protocols mitigates the risk of an open connection being hijacked by an attacker. The keep-alive messages and the interval between them are used to force the system to disconnect a user who has lost network connectivity to the device. This differs from an inactivity timeout: rather than waiting the full 10-minute idle period to log the user out, the device logs the user out as soon as the configured number of unanswered keep-alive messages is exceeded. The interval between messages should also be configured. Both values should be set to organization-defined values based on mission requirements and network performance.
STIG: Juniper SRX Services Gateway NDM Security Technical Implementation Guide
Date: 2024-12-20

Related Frameworks

3 paths across 3 frameworks
NIST 800-53 (1 mapping)
SC-10
1.00
  • DISA · V3R3 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-171 (1 mapping)
3.13.9
1.00
  • DISA · V3R3 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI (1 mapping)
CCI-001133
1.00
  • DISA · V3R3 · disa_xccdf · related

Details

Check Text (C-223232r961068_chk)

Verify this setting by entering the following command in configuration mode:

[edit]
show system services ssh

If the keep-alive count and keep-alive interval are not set to organization-defined values, this is a finding.

Fix Text (F-24893r513384_fix)

Configure this setting by entering the following commands in configuration mode:

[edit]
set system services ssh client-alive-count-max <organization-defined value>
set system services ssh client-alive-interval <organization-defined value>
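The following is an added example, not part of the STIG or of any DISA or Juniper tooling. It automates the Check Text above and emits the Fix Text commands when the device is out of compliance: it parses the output of "show system services ssh" (the indentation-tolerant regex also accepts the "show configuration system services ssh" form from operational mode), compares the two client-alive values against organization-defined targets, and computes the effective dead-session detection time, which for SSH keep-alives is the interval multiplied by the count. The sample outputs and the organization-defined values (count 3, interval 10 seconds) are constructed for this example; the STIG itself leaves those values to the organization. An interval of 0 disables keep-alive probing, so the check treats it as a finding even when a count is present.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of "show system services ssh" output from [edit] mode
# on a Juniper SRX. First sample is compliant, second lacks both settings.
SAMPLE_COMPLIANT = """\
root-login deny;
protocol-version v2;
client-alive-count-max 3;
client-alive-interval 10;
connection-limit 10;
rate-limit 5;
"""

SAMPLE_FINDING = """\
root-login deny;
protocol-version v2;
connection-limit 10;
rate-limit 5;
"""

# Organization-defined values: assumed for this example only.
ORG_COUNT_MAX = 3
ORG_INTERVAL_SECONDS = 10

# Matches "client-alive-count-max 3;" with any leading indentation, so the
# same parser works on the nested "ssh { ... }" form shown in operational mode.
_STMT = re.compile(r"^\s*(client-alive-count-max|client-alive-interval)\s+(\d+)\s*;\s*$")


def parse_ssh_stanza(text: str) -> Dict[str, int]:
    """Return the client-alive settings present in the ssh stanza output."""
    found: Dict[str, int] = {}
    for line in text.splitlines():
        m = _STMT.match(line)
        if m:
            found[m.group(1)] = int(m.group(2))
    return found


def evaluate(text: str,
             org_count: int = ORG_COUNT_MAX,
             org_interval: int = ORG_INTERVAL_SECONDS) -> dict:
    """Apply the JUSX-DM-000157 check: both values must equal the org-defined values."""
    settings = parse_ssh_stanza(text)
    count: Optional[int] = settings.get("client-alive-count-max")
    interval: Optional[int] = settings.get("client-alive-interval")
    reasons: List[str] = []

    if count is None:
        reasons.append("client-alive-count-max is not configured")
    elif count != org_count:
        reasons.append(f"client-alive-count-max is {count}, expected {org_count}")

    if interval is None:
        reasons.append("client-alive-interval is not configured")
    elif interval == 0:
        # 0 disables the server-side keep-alive probe entirely.
        reasons.append("client-alive-interval 0 disables keep-alive probing")
    elif interval != org_interval:
        reasons.append(f"client-alive-interval is {interval}, expected {org_interval}")

    # Time until an unreachable client is dropped: count unanswered probes,
    # one every interval seconds. Only meaningful when probing is enabled.
    detect_seconds = count * interval if (count is not None and interval) else None

    return {
        "finding": bool(reasons),
        "reasons": reasons,
        "count": count,
        "interval": interval,
        "detect_seconds": detect_seconds,
    }


def fix_commands(org_count: int = ORG_COUNT_MAX,
                 org_interval: int = ORG_INTERVAL_SECONDS) -> List[str]:
    """The Fix Text commands with the organization-defined values filled in."""
    return [
        f"set system services ssh client-alive-count-max {org_count}",
        f"set system services ssh client-alive-interval {org_interval}",
    ]


if __name__ == "__main__":
    for label, sample in (("compliant", SAMPLE_COMPLIANT), ("missing", SAMPLE_FINDING)):
        result = evaluate(sample)
        status = "FINDING" if result["finding"] else "pass"
        print(f"{label}: {status}; drop after {result['detect_seconds']} s")
        for reason in result["reasons"]:
            print(f"  - {reason}")
        if result["finding"]:
            print("  remediation:")
            for cmd in fix_commands():
                print(f"    {cmd}")
```

With the values assumed here, a compliant device drops an unreachable session after 3 x 10 = 30 seconds; a device with no client-alive settings reports two reasons and prints the two set commands to run at [edit], followed by commit. Treating the check as an exact match follows the Check Text wording; an organization that wants to accept any value at or below its ceiling would change the two inequality comparisons accordingly.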