JUEX-NM-000500 - The Juniper EX switch must be configured to prohibit the use of cached authenticators after an organization-defined time period.

Information

Some authentication implementations can be configured to use cached authenticators.

If cached authentication information is out-of-date, the validity of the authentication information may be questionable.

The organization-defined time period should be established for each device depending on the nature of the device; for example, a device with just a few administrators in a facility with spotty network connectivity may merit a longer caching time period than a device with many administrators.

Solution

Configure the network device or its associated authentication server to prohibit the use of cached authenticators after an organization-defined time period.

set system login idle-timeout 10

set system services ssh protocol-version v2
set system services ssh client-alive-count-max (0..255)
set system services ssh client-alive-interval (0..65535 seconds)
set system services ssh rekey data-limit (51200..4294967295 bytes)
set system services ssh rekey time-limit (1..1440 minutes)

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_EX_Switches_Y24M10_STIG.zip

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(13), CAT|II, CCI|CCI-002007, Rule-ID|SV-253927r961521_rule, STIG-ID|JUEX-NM-000500, Vuln-ID|V-253927

Plugin: Juniper

Control ID: 9ece70d5bbbb8b6f40d41fb6c49008f905cb5ef4fcd0b2c0959c575871ee5271