2.1.6 Set 'service tcp-keepalives-in'

Information

Generate keepalive packets on idle incoming network connections.

Stale connections use resources and could potentially be hijacked to gain illegitimate access. The TCP keepalives-in service generates keepalive packets on idle incoming network connections (those initiated by a remote host). This service allows the device to detect when the remote host fails and drop the session. If enabled, keepalives are sent once per minute on idle connections. The connection is closed within five minutes if no keepalives are received, or immediately if the host replies with a reset packet.

Solution

Enable the TCP keepalives-in service:

hostname(config)#service tcp-keepalives-in
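A small compliance check for this control, added here as an example and not Tenable's or CIS's own audit logic. It scans a captured IOS running-config for the `service tcp-keepalives-in` line, treats a missing or negated (`no service tcp-keepalives-in`) line as a failure, and returns the remediation command from the Solution above; the function and sample configs are constructed for illustration.

```python
import re

# Hypothetical audit helper (not Tenable's or CIS's own code). It checks a
# captured IOS running-config for 'service tcp-keepalives-in'.

CONTROL = "2.1.6 Set 'service tcp-keepalives-in'"
REMEDIATION = "hostname(config)#service tcp-keepalives-in"

# Matches the exact service line, with or without a leading 'no'.
_KEEPALIVE_RE = re.compile(r"^(no\s+)?service\s+tcp-keepalives-in$", re.IGNORECASE)


def audit_tcp_keepalives_in(running_config: str) -> dict:
    """Return a PASS/FAIL verdict with the config line used as evidence.

    Both an absent line and an explicitly negated line count as FAIL: in
    either case the device is not generating keepalives on idle inbound
    sessions, which is what this control requires.
    """
    evidence = None
    enabled = False
    for raw in running_config.splitlines():
        line = raw.strip()
        if line.startswith("!"):  # IOS comment / section separator
            continue
        m = _KEEPALIVE_RE.match(line)
        if m:
            evidence = line
            enabled = m.group(1) is None  # a 'no ' prefix means disabled
    return {
        "control": CONTROL,
        "status": "PASS" if enabled else "FAIL",
        "evidence": evidence,
        "remediation": None if enabled else REMEDIATION,
    }


# Constructed sample running-config excerpts for a stand-alone run.
SAMPLE_PASS = "!\nservice timestamps log datetime msec\nservice tcp-keepalives-in\n!\n"
SAMPLE_FAIL = "!\nservice timestamps log datetime msec\nno service tcp-keepalives-in\n!\n"
SAMPLE_MISSING = "!\nservice timestamps log datetime msec\nservice password-encryption\n!\n"

if __name__ == "__main__":
    for cfg in (SAMPLE_PASS, SAMPLE_FAIL, SAMPLE_MISSING):
        print(audit_tcp_keepalives_in(cfg))
```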

Impact:

To reduce the risk of unauthorized access, organizations should implement a security policy restricting how long idle or terminated sessions are allowed to persist, and enforce this policy through the use of the 'service tcp-keepalives-in' command.

See Also

https://workbench.cisecurity.org/benchmarks/12917

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-4, CSCv7|9.2

Plugin: Cisco

Control ID: 57ef053bca4398d694e5ab040471f6d9a558121eb1441092a26b597a6c531ce8