The Cisco ISE must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-242640 | CSCO-NM-000350 | SV-242640r714230_rule | High |
| Description |
|---|
| Changes to any software components of the network device can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals should be allowed administrative access to the network device for implementing any changes or upgrades. If the network device were to enable non-authorized users to make changes to software libraries, those changes could be implemented without undergoing testing, validation, and approval. |
| STIG | Date |
|---|---|
| Cisco ISE NDM Security Technical Implementation Guide | 2022-09-20 |
Details
| Check Text ( C-45915r714228_chk ) |
|---|
| If an SNMP stanza does not exist, this is not a finding. 1. Use the command line interface to view the current SNMP configuration. show startup-config 2. Search for the keyword SNMP. If versions earlier than SNMPv3 are enabled, this is a finding. If SNMPv3 is not configured to meet DoD requirements, this is a finding. |
| Fix Text (F-45872r714229_fix) |
|---|
| If SNMP is used by the organization, then SNMP is configured at the command line interface. To disable SNMPv1 and SNMPv2c if enabled type the remove the group with the following command. no snmp-server group To enable the SNMPv3 server on Cisco ISE, use the snmp-server enable command in global configuration mode. 1. snmp-server enable 2. snmp-server user 3. snmp-server host {ip-address | hostname} trap version 3 username engine_ID hash |