Level 2


This requirement applies to internal and external networks. Terminating the network connections associated with communications sessions includes de-allocating the associated TCP/IP address and port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions share a single operating system-level network connection. Organizations may establish time periods of user inactivity, including different periods by type of network access or for specific network accesses.

Priority: Medium


Category: Baseline Security Configurations 

Services Associated with AWS:

  • AWS Identity and Access Management (IAM)
  • Amazon Cognito
  • Amazon VPC
  • AWS Network Firewall
  • Amazon EC2

Services Associated with Azure: 

  • Azure Firewall
  • Azure Network Security Groups (NSGs)
  • Azure Application Gateway
  • Azure Virtual Machines (VMs)
  • Azure App Service

Objective Evidence:  

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
  • Technical: screenshot of configuration settings

Possible Technology Considerations:

  • Secure Baseline Configurations (SBC)

What needs to be answered?

Does the system terminate a network connection at the end of a session or after a defined timeframe of inactivity?

Checks for AWS 

  • Session Timeout Check

    Description: This check ensures that network connections associated with communications sessions are terminated at the end of the sessions or after a defined period of inactivity.

  • Network Connection Termination Check

    Description: This check confirms the de-allocation of associated TCP/IP addresses or port pairs at the operating system level, or de-allocation of networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection.

Checks for Azure 

  • Session Timeout Check

    Description: This policy ensures that network connections associated with communications sessions are terminated after a defined period of inactivity. In this case, remote access to cloud-based systems is configured to be terminated after 15 minutes of inactivity. When users or applications remain idle for the specified time limit, the network connection is automatically terminated, reducing the risk of unauthorized access and potential security breaches due to prolonged idle sessions.

  • Network Connection Termination Check

    Description: This policy validates the proper de-allocation of associated TCP/IP addresses or port pairs at the operating system level, or de-allocation of networking assignments at the application level. It ensures that when multiple application sessions are using a single operating system-level network connection, the resources are released appropriately after the sessions are terminated. Proper de-allocation of network resources is crucial for efficient resource utilization and to minimize potential security vulnerabilities arising from lingering network connections.

More Details:

Remote access to cloud-based systems is terminated after 15 minutes of inactivity.
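As an added illustration (not text from the control and not code from any AWS or Azure tool) of what the Session Timeout and Network Connection Termination checks look for, the following Python models a session table that terminates any session idle for 15 minutes and releases the underlying OS socket; socketpair() stands in for a TCP connection so it runs offline, and the clock is injected so the timeout can be exercised without waiting.

```python
import socket
import time

IDLE_TIMEOUT_SECONDS = 15 * 60  # the 15-minute inactivity limit from the control text

class SessionTable:
    """Live sessions, id -> [socket, last_activity]; `clock` is injectable so tests need not sleep."""
    def __init__(self, clock=time.monotonic, idle_timeout=IDLE_TIMEOUT_SECONDS):
        self.clock, self.idle_timeout, self.sessions = clock, idle_timeout, {}

    def open(self, sid, conn):
        self.sessions[sid] = [conn, self.clock()]
    def touch(self, sid):  # call on every read or write for the session
        self.sessions[sid][1] = self.clock()
    def terminate(self, sid):
        """End a session and release its address/port pair: shut down both directions, then close."""
        conn, _ = self.sessions.pop(sid)
        try:
            conn.shutdown(socket.SHUT_RDWR)
        except OSError:
            pass  # peer already gone; close() still releases the descriptor
        conn.close()
    def reap_idle(self):
        """Terminate every session idle for at least idle_timeout; return the ids terminated."""
        now = self.clock()
        idle = [sid for sid, (_, last) in self.sessions.items() if now - last >= self.idle_timeout]
        for sid in idle:
            self.terminate(sid)
        return idle

def simulate_idle_termination(idle_seconds):
    """Constructed scenario: one session idles for idle_seconds while another keeps talking; socketpair()
    stands in for TCP so it runs offline. Returns (ids terminated, idle peer's next read, busy still open)."""
    now = [1000.0]
    table = SessionTable(clock=lambda: now[0])
    (idle_srv, idle_peer), (busy_srv, busy_peer) = socket.socketpair(), socket.socketpair()
    table.open("idle", idle_srv)
    table.open("busy", busy_srv)
    now[0] += idle_seconds
    table.touch("busy")  # the busy session just exchanged traffic
    terminated = table.reap_idle()
    idle_peer.settimeout(0.2)
    try:
        peer_read = idle_peer.recv(1)  # b'' is EOF: the OS has released the idle connection
    except socket.timeout:
        peer_read = b"open"  # neither data nor EOF: the connection is still allocated
    for sock in (idle_srv, idle_peer, busy_srv, busy_peer):
        sock.close()
    return terminated, peer_read, "busy" in table.sessions
```

Calling simulate_idle_termination(15 * 60) returns (["idle"], b"", True): the idle session is gone and its peer sees EOF, while the active session stays open.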