AOS, when used as a VPN Gateway, must limit the number of concurrent sessions for user accounts to one or to an organization-defined number.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-266993 | SRG-NET-000053-VPN-000170 | ARBA-VN-000170 | SV-266993r1040745_rule | 2024-10-29 | 1 |
| Description |
|---|
| VPN gateway management includes the ability to control the number of users and user sessions that utilize a VPN gateway. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to denial-of-service attacks. This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based on mission needs and the operational environment for each system. The intent of this policy is to ensure the number of concurrent sessions is deliberately set to a number based on the site's mission and not left unlimited. |
| ℹ️ Check |
|---|
| Verify the AOS configuration with the following command: show running-config | begin "user-role <vpn user role>" If the vpn user role is not configured to max-sessions 1 (or an organization-defined number), this is a finding. |
| ✔️ Fix |
|---|
| Configure AOS with the following commands: configure terminal user-role <vpn user role> max-sessions 1 exit write memory |