2.1.6 Set 'service tcp-keepalives-in'

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

Generate keepalive packets on idle incoming network connections.

Rationale:

Stale connections use resources and could potentially be hijacked to gain illegitimate access. The TCP keepalives-in service generates keepalive packets on idle incoming network connections (initiated by remote host). This service allows the device to detect when the remote host fails and drop the session. If enabled, keepalives are sent once per minute on idle connections. The connection is closed within five minutes if no keepalives are received or immediately if the host replies with a reset packet.

Impact:

To reduce the risk of unauthorized access, organizations should implement a security policy that limits how long an idle or half-open session (one whose remote host has failed or disconnected without closing the connection) may remain established on the device, and enforce that policy with the 'service tcp-keepalives-in' command. Note that this setting only covers connections initiated by a remote host toward the device; sessions the device itself initiates are not affected by it.

Solution

Enable TCP keepalives-in service:

hostname(config)#service tcp-keepalives-in

Default Value:

Disabled by default.
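The following is an added audit helper, not CIS or Cisco tooling: it checks a saved 'show running-config' for the global 'service tcp-keepalives-in' command, treating an absent line as the disabled default and honouring a later 'no service tcp-keepalives-in'. Both sample configurations, the hostnames in them, and the finding format are constructed for illustration.

```python
"""
Offline check for CIS 2.1.6 against saved Cisco IOS running-configs.
Added example code; not part of the benchmark or of Cisco IOS.
The sample configs below are constructed for illustration.
"""
import re

# Constructed sample: device left at the default, so the line is absent.
NONCOMPLIANT_CONFIG = """\
!
version 15.2
service timestamps log datetime msec
service password-encryption
!
hostname edge-rtr1
!
line vty 0 4
 transport input ssh
!
end
"""

# Constructed sample: same device after applying the Solution above.
COMPLIANT_CONFIG = """\
!
version 15.2
service timestamps log datetime msec
service password-encryption
service tcp-keepalives-in
!
hostname edge-rtr2
!
line vty 0 4
 transport input ssh
!
end
"""

# Anchored patterns so 'service tcp-keepalives-out' is never mistaken for -in.
_ENABLE = re.compile(r"^\s*service\s+tcp-keepalives-in\s*$")
_DISABLE = re.compile(r"^\s*no\s+service\s+tcp-keepalives-in\s*$")
_HOSTNAME = re.compile(r"^\s*hostname\s+(\S+)\s*$")


def tcp_keepalives_in_enabled(running_config: str) -> bool:
    """True when the config enables keepalives on incoming connections.

    IOS omits the command when the service is disabled (its default), so
    absence means disabled. Lines are processed in order, last one wins,
    so an explicit 'no service tcp-keepalives-in' after an enable disables it.
    """
    enabled = False
    for line in running_config.splitlines():
        if _ENABLE.match(line):
            enabled = True
        elif _DISABLE.match(line):
            enabled = False
    return enabled


def hostname_of(running_config: str) -> str:
    """Return the configured hostname, or 'unknown' if none is set."""
    for line in running_config.splitlines():
        m = _HOSTNAME.match(line)
        if m:
            return m.group(1)
    return "unknown"


def audit(running_config: str) -> dict:
    """Produce one PASS/FAIL finding; remediation is the benchmark command."""
    enabled = tcp_keepalives_in_enabled(running_config)
    return {
        "hostname": hostname_of(running_config),
        "check": "2.1.6 Set 'service tcp-keepalives-in'",
        "status": "PASS" if enabled else "FAIL",
        "remediation": None if enabled else "service tcp-keepalives-in",
    }


def audit_many(configs: list) -> list:
    """Audit several saved configs and return their findings in order."""
    return [audit(cfg) for cfg in configs]


if __name__ == "__main__":
    for f in audit_many([NONCOMPLIANT_CONFIG, COMPLIANT_CONFIG]):
        fix = f" (apply: {f['remediation']})" if f["remediation"] else ""
        print(f"{f['hostname']}: {f['status']}{fix}")
```

Run it against text captured from 'show running-config'; a FAIL finding carries the exact command from the Solution section as its remediation. Because the command is global, any indented or line-mode variant is not matched, which keeps false positives out of the report.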

See Also

https://workbench.cisecurity.org/files/3762