How important is the inactivity-timer?

Leroy Plock
Level 1

Hi. We are having some problems with the ARP probe not working to reset the inactivity timer after upgrading some switches to 16.9.4. For some "quiet" devices, the session is dropping as soon as the inactivity timer (idle timeout) expires; it looks like the probe is not working at all.


I'm working through this issue with Cisco but it's taking time. Meanwhile the easiest workaround is to disable the inactivity-timer.


What do I lose from a security standpoint if I disable the inactivity-timer?

Do I even need the inactivity-timer if all endpoints are directly connected to the NAC-enabled switch, with no intermediate hubs or switches?


Thanks for any clues.

Accepted Solution

Colby LeMaire
VIP Alumni

The benefit of the inactivity timer is to ensure that a port is not left open when no device is there sending traffic. 802.1x sessions won't close if the link-state stays up. So there is a risk of someone using a powered hub or transceiver to keep the link-state up while they authenticate with a good machine and then swap it out with a rogue device that is spoofing the MAC address. You can't really guarantee that those devices are not in use and you really cannot detect them. So it is a good idea to have the inactivity timer there if your organization requires greater levels of security and they believe that rogue devices could potentially access sensitive resources. As with all security controls, it is a balance of protection and usability. Maybe a session timeout of every 12 hours is enough and you don't need the inactivity timer. It is a policy decision that your organization will have to make based on the risk.

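To make the trade-off discussed in this thread concrete, here is an added toy model of how a port session ages (written for this page, not Cisco code and not how IOS implements it). It assumes a simplified session with an idle timeout, an optional ARP probe that is tried before the session is torn down, and a link kept up by a hub after the authenticated host is removed; the timings are constructed, not measured.

```python
from dataclasses import dataclass


@dataclass
class PortSession:
    """Simplified model of one authenticated 802.1X/MAB session on a switch port."""
    idle_timeout: int       # inactivity timer in seconds; 0 means the timer is disabled
    probe_works: bool       # False models the broken-probe behaviour reported in the thread
    last_seen: int = 0      # time of the last frame seen from the authenticated MAC
    authorized: bool = True

    def on_traffic(self, now: int) -> None:
        self.last_seen = now    # any traffic from the host resets the inactivity timer

    def tick(self, now: int, host_answers_probe: bool) -> bool:
        """Evaluate aging at time `now`; return True while the session stays authorized."""
        if not self.authorized:
            return False
        if self.idle_timeout == 0:
            return True                         # no timer: session lives until reauth/link-down
        if now - self.last_seen < self.idle_timeout:
            return True                         # timer has not expired yet
        # Timer expired: probe the host before tearing the session down.
        if self.probe_works and host_answers_probe:
            self.last_seen = now                # a probe reply counts as activity
            return True
        self.authorized = False                 # nobody answered: close the port session
        return False


def session_drop_time(idle_timeout, probe_works, traffic_times, host_present_until,
                      horizon=1200, step=60):
    """Return the second at which the session is torn down, or None if still up at `horizon`.

    traffic_times: constructed times (multiples of `step`) at which the host sends a frame.
    host_present_until: after this time the real host is gone but the link stays up (hub).
    """
    session = PortSession(idle_timeout, probe_works)
    traffic = set(traffic_times)
    for now in range(0, horizon + 1, step):
        if now in traffic and now <= host_present_until:
            session.on_traffic(now)
        if not session.tick(now, host_answers_probe=now <= host_present_until):
            return now
    return None
```

Running the four cases side by side shows the point of the thread: a quiet host survives a 300 s timer only while the probe works, and with the timer disabled a session left behind on a hub never ages out on its own.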