From A10 Networks ADC NDM Security Technical Implementation Guide
Part of SRG-APP-000412-NDM-000331
Associated with: CCI-003123
SNMP Versions 1 and 2 are not considered secure. Without the strong authentication and privacy that is provided by the SNMP Version 3 User-based Security Model (USM), an unauthorized user can gain access to network management information used to launch an attack against the network. SNMP Versions 1 and 2 cannot authenticate the source of a message nor can they provide encryption. Without authentication, it is possible for unauthorized users to exercise SNMP network management functions. It is also possible for unauthorized users to eavesdrop on management information as it passes from managed systems to the management system.
Review the device configuration. The following command shows the running configuration and filters the output on the string "snmp-server": show run | inc snmp-server If the output shows servers using SNMPv1 or SNMPv2, this is a finding.
The following commands enable SNMP and SNMP traps: snmp-server enable snmp-server enable traps Note: This will enable sending all traps. The following command sets Unique engineID: snmp-server engineID [hex-string] The commands below define SNMP OIDs to include when discovering the device via an SNMPv3 manager. The following command defines the group view: snmp-server view [view-name] 1.3.6 included The following command defines SNMPv3 user-based groups: snmp-server user [username] group [groupname] v3 [auth [md5 | sha] password [encrypted]]: Note: Use the SHA option since MD5 is not compliant. The following command defines the SNMPv3 console: snmp host [IP_address] version v3 user [name] udp-port 162 The following command enables SNMP on the management interface: enable-management service snmp management
Lavender hyperlinks in small type off to the right (of CSS
class id
, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle
or
Accept: application/rdf+xml
.
Powered by sagemincer