Match the network access protection (nap) component on the left with its description on the right.

How

For applications with security and/or privacy concerns, automatically log out users after a certain period of inactivity (i.e., session timeout). Typical session timeouts are 15- to 45-minute durations depending on the sensitivity of the data that may be exposed. As the session timeout is approaching, offer users a warning and give them an opportunity to stay logged in. Confirmation is especially useful in instances where user tasks are likely to take some time (e.g., in cases of multistep tasks like checkout) and likely data loss could be frustrating to users (Figure 3.32).

When session timeout occurs, the following are quite common:

Users are taken to the Login page with a message that the session timed out (or suspended) and that they must log in to start a new session. This approach is useful when the data available on the screen are sensitive.

Users are kept on the same page with a pop-up that indicates that the session was suspended and whether or not their data were saved (say, for example, in a “draft” status). This approach is not recommended when data available on the screen (behind the pop-up) are personal and/or sensitive.

For some applications, sessions can end if the browser window used to access the application is closed.

ALLOW USERS TO SET DURATION OF SESSION TIMEOUTS

Users may want some web applications to have longer or shorter session timeout duration than the one defaulted by the application. This is common for applications that users may to use all day, such as email, office productivity applications (e.g., word processing, spreadsheets), and status-monitoring applications (e.g., investment tracking). If timeouts are set for such applications, offer users an option to change the duration (Figure 3.33).

Figure 3.33. Rally Community Edition allows users to set their session timeout duration for up to four hours. The default timeout is set to one hour.

Remote Desktop Gateway

The Remote Desktop Gateway feature includes several new enhancements over the previous Terminal Services Gateway. The new Remote Desktop Gateway includes the following new features:

Gateway level idle and session timeouts

Logon and system messages

Pluggable authentication

Network Access Protection (NAP) remediation

Session Management

1.

Verify that the framework’s default session management control implementation is used by the application.

Verify that sessions are invalidated when the user logs out.

Verify that sessions timeout after a specified period of inactivity.

Verify that sessions timeout after an administratively configurable maximum time period regardless of activity (an absolute timeout).

Verify that all pages that require authentication to access them have working logout links.

Verify that the session id is never disclosed other than in cookie values, particularly in URLs, error messages, or logs. This includes verifying that the application does not support URL rewriting of session cookies when possible.

Verify that the session id is changed on login.

Verify that the session id is changed on reauthentication.

Verify that the session id is changed or expired on logout.

Verify that only session ids generated by the application framework are recognized as valid by the application.

Verify that authenticated session tokens are sufficiently long and random to withstand attacks that are typical of the threats in the deployed environment.

Verify that cookies which contain authenticated session tokens/ids have their domain and path set to an appropriately restrictive value for that site.

Verify that all code implementing or using session management controls are not affected by any malicious code.

ESAPI also has two appropriate interfaces that deal with authentication and session management to further provide protection against these attacks. One is the Authenticator API that includes methods for generating and handling session identifiers and account credentials. The other API is User that securely manages all the variables associated with the state of a user account.

Threats

Hijacking occurs when an intruder takes control of a session between a server and the client. The communication starts when a middle-man attack adds a request to the client, resulting in the client getting kicked off the session. Meanwhile, the rogue workstation talks with the server, and the attacker intercepts the source-side packets, replacing them with fresh packets that are sent to the destination. This type of hijacking, referred to as TCP/IP hijacking, most commonly occurs during telnet and Web sessions when security is nonexistent or lacking, and when session timeouts are improperly configured.

During the course of a Web session, cookies are commonly used to authenticate and track users. While the authentic session is in session, an attacker may attempt to hijack a session by loading a modified cookie in the session page. Session hijacking may also ensue when a session timeout is set to be an extended period of time; this gives an attacker a chance to hijack a session. Telnet-type plaintext connections create the ideal situation for TCP hijacking. In an instance such as this, when an attacker surveys the data passing in the TCP session, he can take control of the user's session; this is yet another reason why it is called session hijacking. When a user is forced to authenticate before allowing transactions to occur, it prevents hijacking attacks. Protection mechanisms include the use of unique sequence numbers and Web session cookies. The more unique the cookies are, the harder it is to crack and hijack. Additional preventative measures for this type of attack include the use of encrypted session keys and Secure Socket Layer encryption.

Locking Users Out: Requirements 8.5.13–8.5.15

The first two requirements help to protect accounts against brute force attacks as well as the nefarious individual from abusing an abandoned, logged-in terminal. Requirement 8.5.13 mandates that systems automatically lock an account after six failed login attempts, and Requirement 8.5.14 mandates that systems maintain that locked status for at least 30 min for an automated system or until an administrator resets it for a manual system. To test this, an assessor may ask a user to perform six failed login attempts to make sure that the account locks, or they may just examine the system’s settings to make sure it is set up properly.

Requirement 8.5.15 mandates that idle sessions time out after 15 min of inactivity. This requirement led to a myriad of interpretations, some of which actually broke a business function. For example, Matt manually runs some processes on a mainframe that takes just over 1 h to complete. When he types in the command, the session essentially freezes while the task runs but becomes interactive again when the job completes. Some Qualified Security Assessors (QSAs) interpreted this to mean that after 15 min of starting the job, the session should time out (forcing the process to terminate abnormally). This requirement should not be applied to every possible way a session could be started but instead should be smartly applied to the environment as a whole. If all mainframe sessions must be initiated from a Windows-based workstation, then make sure the workstation meets the session timeout requirements since the mainframe session runs inside the Windows one. This may not work in every case, but take the concept and find the best way to implement it in your environment.

Network Access Quarantine Control

Internet Authentication Service (IAS), combined with Remote Authentication Dial-In User Service (RADIUS) protocol and RRAS, provide a new function called Network Access Quarantine Control (NAQC). The primary function of NAQC is not to provide additional security, but to help protect your network from improperly configured clients that access your network using Virtual Private Networking (VPN). A perfect example of using NAQC would be ensuring that a client has the correct version of virus scan software, with the latest virus definitions, and also enable the software if it is currently disabled, all before allowing the client to access any other network resources.

The basic components involve all the services previously listed—RRAS, with MS Quarantine IPFilter and remote access policies such as MS Quarantine Session Timeout, and RADIUS with IAS. The client components to NAQC are a Connection Manager (CM) profile, which can be distributed with a CM policy from the RRAS servers, and a script using the client component RQC.exe. The remaining server components consist of the resources necessary to provide name resolution, script and file access, and the service component RQS.exe, which is installed on the RRAS server.

Generally, NAQC would function basically by a client using a CM profile that has the quarantine policy to connect to a RRAS server with quarantine capabilities and configured with the MS Quarantine IPFilter and MS Quarantine Session Timeout policies. The RRAS server forwards the RADIUS access request to the IAS server that will validate the user credentials and match the quarantine policy. The IAS server will provide a quarantine restricted access acceptance via RADIUS that will allow the client limited access to network resources such as obtaining an IP address, DNS access for name resolution, and the attributes that are part of the quarantine policies. Once the client has an IP address and policies, the client is restricted to accessing resources that match the quarantine filters, and only for the time allotted in the MS Quarantine Session Timeout policy.

The script is executed on the client by the CM profile, and is used to verify that the client configuration meets the requirements of the network policies. Once the verification is complete, the script executes rqc.exe with the necessary command line settings, which will send an unencrypted, unauthenticated notification to the RRAS server rqs.exe service. The rqs traffic is allowed to pass through the RRAS filters, since it is defined in the RRAS IPFilter settings with the MS Quarantine IPFilter attributes. Rqs then verifies the information and parameters passed from rqc, one of which is the script version passed in the rqc command line. If the client meets the requirements, then RRAS will get a notification from rqs that the client is valid, and subsequently RRAS will lift the MS Quarantine IPFilter and MS Quarantine Session Timeout policy restrictions and allow the client normal access to the LAN. Once this process is complete, the rqc component will write a message to the System event log.

Unfortunately, due to the fact that NAQC requires RRAS and the post connect script in the CM profile, it cannot be used on the LAN for regular clients. You can, however, implement similar functionality in logon scripts and domain policies since the LAN clients are very likely to be using domain accounts to access the network.

Threats

Hijacking occurs when an intruder takes control of a session between a server and the client. The communication starts when a middle-man attack adds a request to the client, resulting in the client getting kicked off the session. Meanwhile, the rogue workstation talks with the server, and the attacker intercepts the source-side packets, replacing them with fresh packets that are sent over to the destination. This type of hijacking, referred to as TCP/IP hijacking, most commonly occurs during telnet and Web sessions when security is nonexistent, or lacking, and also when session timeouts are improperly configured.

During the course of a Web session, cookies are commonly used to authenticate and track users. While the authentic session is in session, an attacker may attempt to hijack a session by loading a modified cookie in the session page. Session hijacking may also ensue when a session timeout is set to be an extended period of time; this gives an attacker a chance to hijack a session. Telnet-type plaintext connections create the ideal situation for TCP hijacking. In an instance like this, when an attacker surveys the data passing in the TCP session, the attacker can take control of the user’s session; this is yet another reason why it is called session hijacking. When a user is forced to authenticate prior to allowing transactions to occur, it helps to prevent hijacking attacks. Protection mechanisms include the use of unique sequence numbers (USNs) and Web session cookies. The more unique the cookies, the harder it is to crack and hijack. Additional preventative measures for this type of attack include the use of encrypted session keys and Secure Socket Layer (SSL) encryption.

Controlling Session Timeouts

SSH offers several mechanisms to control how and when sessions will time out. This flexibility is useful to allow administrators control over the SSH server resources. Each session consumes memory, processor time, and bandwidth on the SSH server. Idle sessions need some form of timeout so that the resources can be recovered and security can be increased. If you allow an unauthenticated session to wait indefinitely, you are setting yourself up to be the victim of a denial-of-service attack. Another reason to have effective timeouts is that if you walk away from your desk without logging out of your session, someone could come in behind you and take over the session from your session. They could then, using your rights and permissions, cause damage to the system or steal files. Thus, controlling the session timeouts and keeping them short will prevent this type of situation.

Fortunately sshd provides some options for controlling various session timeout values. The first timer starts before the user has even logged in; this is the login grace time. This is configured in the sshd_confg file with the keyword LoginGraceTime. This determines how long the user has to complete authentication before the session is disconnected. The default timer is 120 seconds. A value of zero will disable the timer completely. Setting this to zero is not recommended for the reasons mentioned above.

The next three keywords – ClientAliveCountMax, ClientAliveInterval, and TCPKeepAlive – all deal with the active SSH session. TCPKeepAlive is the most basic counter with only “yes” or “no” as acceptable values. The default is “yes,” which tells sshd that if the TCP keepalive messages cannot reach their destination, the session will be terminated. These keep alive messages are standard TCP packets that are not sent over the encrypted tunnel. This could be an important distinction as these keepalive packets can be spoofed, sniffed, and so on. The value of this type of keepalives it to close a session for which the communication path has been lost due to, for example, a down circuit or a bad route.

The ClientAliveCountMax and ClientAliveInterval values work together in much the same way as the TCP keep alive messages, except these are sent over the encrypted tunnel. The ClientAliveInterval is the time in seconds in which there has been no client activity before a message is sent to the client. The ClientAliveCountMax value determines how many of these messages can be unanswered before the session is terminated. As an example, let us suppose the client alive interval is 10 seconds. After 10 seconds of inactivity, a keepalive message will be sent over the encrypted tunnel to the client. If the client does not respond, another one will be sent after 10 more seconds, and a third 10 seconds after that. If the client alive count max is set to the default of 3, the SSH client would be disconnected after the third keepalive was sent.

Using either type of keepalive message may be required. Often an inactive session will timeout on the session table of a firewall between the SSH server and SSH client. This is sometimes the cause for sessions that seem to drop when left idle. By setting one or both of the keepalive options, you can prevent this behavior and help ensure that sessions close only when you want them to.