2.1.7 Set 'service tcp-keepalives-out'

Information

Generate keepalive packets on idle outgoing network connections.

Rationale:

Stale connections use resources and could potentially be hijacked to gain illegitimate access. The TCP keepalives-out service generates keepalive packets on idle outgoing network connections (initiated by the local device). This service allows the device to detect when the remote host fails and drop the session. If enabled, keepalives are sent once per minute on idle connections. The connection is closed within five minutes if no keepalives are received, or immediately if the host replies with a reset packet.

Impact:

To reduce the risk of unauthorized access, organizations should implement a security policy restricting how long idle or terminated sessions may persist, and enforce this policy through the use of the 'service tcp-keepalives-out' command.

Solution

Enable the TCP keepalives-out service from global configuration mode:

hostname(config)#service tcp-keepalives-out
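As an added example (not part of the CIS benchmark or of the Tenable plugin), the following Python check reads a saved IOS running-config and reports whether this item passes. It treats an absent line as the default (disabled) state and also recognises an explicit 'no service tcp-keepalives-out' line; the two sample configurations are constructed for the example.

```python
"""Offline compliance check for 'service tcp-keepalives-out' in a Cisco IOS running-config.

Added example; not code from the benchmark or from Tenable. The sample
configs below are constructed, not captured from a real device.
"""

SETTING = "service tcp-keepalives-out"
REMEDIATION = "hostname(config)#service tcp-keepalives-out"

# Constructed sample: a device that has the setting enabled.
COMPLIANT_CONFIG = """\
!
version 15.2
service timestamps log datetime msec
service tcp-keepalives-in
service tcp-keepalives-out
!
hostname router-a
!
"""

# Constructed sample: a device relying on the default (setting absent = disabled).
NONCOMPLIANT_CONFIG = """\
!
version 15.2
service timestamps log datetime msec
service tcp-keepalives-in
!
hostname router-b
!
"""


def keepalives_out_state(config_text):
    """Return 'enabled', 'disabled' (explicit 'no ...'), or 'default' (line absent).

    IOS normally omits the line entirely when the service is off, so 'default'
    is the common non-compliant state; the explicit negation is handled for
    configs edited offline.  The last matching line wins, as it would on the device.
    """
    state = "default"
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == SETTING:
            state = "enabled"
        elif line == "no " + SETTING:
            state = "disabled"
    return state


def check_keepalives_out(config_text):
    """Evaluate the item and return a small result record including remediation."""
    state = keepalives_out_state(config_text)
    passed = state == "enabled"
    return {
        "item": "2.1.7 Set 'service tcp-keepalives-out'",
        "state": state,
        "result": "PASS" if passed else "FAIL",
        "remediation": None if passed else REMEDIATION,
    }


if __name__ == "__main__":
    for name, cfg in (("router-a", COMPLIANT_CONFIG), ("router-b", NONCOMPLIANT_CONFIG)):
        r = check_keepalives_out(cfg)
        print(f"{name}: {r['result']} (state={r['state']})")
        if r["remediation"]:
            print(f"  remediation: {r['remediation']}")
```

Run against a directory of exported running-configs, the FAIL records give you the list of devices still on the default, and the remediation string is the exact command from the Solution above.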

Default Value:

Disabled by default.

See Also

https://workbench.cisecurity.org/files/3801

Item Details

Category: CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION

References: 800-53|CM-1, 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|IA-5, CSCv7|5.1

Plugin: Cisco

Control ID: 69309b0863606b30879d931d6fe77893bfbd8c3bf824b246406c7478ebb21383