UCF STIG Viewer Logo

The network device must only allow SNMP read-only access.


Overview

Finding ID Version Rule ID IA Controls Severity
V-3969 NET0894 SV-30087r3_rule ECSC-1 Medium
Description
Enabling write access to the router via SNMP provides a mechanism that can be exploited by an attacker to set configuration variables that can disrupt network operations.
STIG Date
Infrastructure Router - Juniper Security Technical Implementation Guide 2017-09-28

Details

Check Text ( C-12801r6_chk )
Review the network device configuration and verify SNMP community strings are read-only when using SNMPv1, v2c, or basic v3 (no authentication or privacy). Write access may be used if authentication is configured when using SNMPv3.

If write-access is used for SNMP versions 1, 2c, or 3-noAuthNoPriv mode and there is no documented approval by the IAO, this is a finding.

The SNMP V1 configuration should look similar to the following:

snmp {
interface ge-0/1/0.0;
community xxxxxxxxx {
authorization read-only;
clients {
default restrict;
7.7.7.5/30;
}
}


SNMPv3 access sets the SNMP access levels by context, group, and user. The context-name statement determines what management information is accessible by an SNMP entity. An SNMP entity can have access to many access contexts and therefore requires a name to identify each context. You must also associate a context with a specific access group and configure read and write views associated with each group. Specify the group-name variable to identify a collection of SNMP users that share the same access policy, in which object identifiers (OIDs) are read-accessible or write-accessible. Each group is the collection of users associated with the security model. You can only specify the model usm.

The example below as a “router context” which is accessed by two groups: NOC and engineers. NOC is only allowed read access while engineers have read and write access. John and Sue are users that belong to the engineers group and have authentication configured.

snmp {
view all {
oid .1.3.6.1 include;
}
engine-id {
local "isp-routers-0001";
}
access {
user john {
authentication-type md5;
authentication-password "john-auth-password";
privacy-type des;
privacy-password "john-privacy-password";
}
user sue {
authentication-type md5;
authentication-password "sue-auth-password";
privacy-type des;
privacy-password "sue-privacy-password";
}
user hpov {
authentication-type md5;
authentication-password "hpov-auth-password";
privacy-type des;
privacy-password "hpov-privacy-password";
}
group engineers {
model usm;
user [john sue];
}
group noc {
model usm;
user hpov;
}

context router {
description “a router context”;
group noc {
model usm;
security-level privacy;
read-view all;
}
group engineers {
model usm;
security-level privacy;
read-view all;
write-view all;
}

}
}
Fix Text (F-3902r7_fix)
Configure the network device to allow for read-only SNMP access when using SNMPv1, v2c, or basic v3 (no authentication or privacy). Write access may be used if authentication is configured when using SNMPv3.