From Infrastructure Router Security Technical Implementation Guide Juniper
Part of Management connection does not timeout.
Setting the timeout of the session to 10 minutes or less increases the level of protection afforded critical network components.
With the exception of root, all user access privileges to a Juniper router are defined in a class. All users who log in to the router must be in a login class. Hence, user access to the router is via login class. The properties defined in a login class include user access privileges and the idle time permitted for a user login session. As shown in the example below, the idle time is specified with the idle-timeout specifying in minutes as to how long a session can be idle before it times out and the user is logged off. Check the classes that have been defined and examine the idle-timeout parameter. Following is an example: [edit system login] class superuser-local { idle-timeout 10; permissions all; } Note: There is no default idle-timeout; hence, without a timeout specified, a login session remains established until a user logs out of the router, even if that session is idle. Unlike IOS, to close idle sessions automatically, you must configure a time limit for each login class. When ssh is enabled, all users can use it to access the router---including the root account. This presents two problems: 1) The root account now be accessed using in-band management 2) Since the root account does not belong to a login class, there is no way to set the idle timeout. Access to the root account via ssh must be disabled via root-login deny command. Following is an example configuration: [edit system] services { ssh { root-login deny;
Configure the network devices to ensure the timeout for unattended administrative access connections is no longer than 10 minutes.
Lavender hyperlinks in small type off to the right (of CSS
class id
, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle
or
Accept: application/rdf+xml
.
Powered by sagemincer