The network device must only allow SNMP read-only access.

From Perimeter Router Security Technical Implementation Guide Cisco

Part of Network element must only allow SNMP read access.

Associated with IA controls: ECSC-1

SV-30086r3_rule The network device must only allow SNMP read-only access.

Vulnerability discussion

Enabling write access to the device via SNMP provides a mechanism that can be exploited by an attacker to set configuration variables that can disrupt network operations.

Check content

Review the network device configuration and verify SNMP community strings are read-only when using SNMPv1, v2c, or basic v3 (no authentication or privacy). Write access may be used if authentication is configured when using SNMPv3. If write-access is used for SNMP versions 1, 2c, or 3-noAuthNoPriv mode and there is no documented approval by the IAO, this is a finding. SNMP v1/v2c Configuration Example Device# show run ! ip access-list standard NMS_LIST permit 10.1.1.22 permit 10.1.1.24 ! snmp-server community c0macc3ss RO NMS_LIST snmp-server community R34dWr1t3 RW NMS_LIST snmp-server location Somewhere USA snmp-server contact snmp.admin@snmp.mil snmp-server enable traps snmp host 10.1.1.22 traps SNMPv1 snmp host 10.1.1.24 traps SNMPv2c SNMP v3 Configuration Example The example ACL NMS_LIST and ADMIN_LIST are used to define what network management stations and administrator (users) desktops can access the device. Examine all group statements to determine what groups are allowed write access. Have the administrator enter a "show snmp user" command and examine all users for these groups to verify that they must be authenticated. Device# show run ! ip access-list standard ADMIN_LIST permit 10.1.1.35 permit 10.1.1.36 ip access-list standard NMS_LIST permit 10.1.1.24 permit 10.1.1.22 permit 10.1.1.23 ! snmp-server group NOC v3 priv read VIEW_ALL write VIEW_LIMIT access NMS_LIST snmp-server group TRAP_GROUP v3 priv notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F snmp-server group ADMIN_GROUP v3 priv read VIEW_ALL write VIEW_ALL access ADMIN_LIST snmp-server view VIEW_ALL internet included snmp-server view VIEW_LIMIT internet included snmp-server view VIEW_LIMIT internet.6.3.15 excluded snmp-server view VIEW_LIMIT internet.6.3.16 excluded snmp-server view VIEW_LIMIT internet.6.3.18 excluded snmp-server enable traps snmp linkdown linkup snmp-server host 10.1.1.24 version 3 priv TRAP_NMS1 Note: For the configured group TRAP_GROUP, the notify view is auto-generated by the snmp-server host command which bind the user (TRAP_NMS1) and the group it belongs to (TRAP_GROUP) to the list of notifications (traps or informs) which are sent to the host. Hence, the configuration snmp-server group TRAP_GROUP v3 results in the following: snmp-server group TRAP_GROUP v3 priv notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F Note: Also, for illustration purpose only, the VIEW_LIMIT excludes MIB objects which could potentially reveal information about configured SNMP credentials. These objects are snmpUsmMIB, snmpVacmMIB, and snmpCommunityMIB which is configured as 1.3.6.1.6.3.15, 1.3.6.1.6.3.16, and 1.3.6.1.6.3.18 respectively SNMPv3 users are not shown in a running configuration. You can view them with the show "snmp user" command. So for example, if the following users were configured as such. snmp-server user HP_OV NOC v3 auth sha HPOVpswd priv aes 256 HPOVsecretkey snmp-server user Admin1 ADMIN_GROUP v3 auth sha Admin1PW priv aes 256 Admin1key snmp-server user Admin2 ADMIN_GROUP v3 auth md5 Admin2pass priv 3des Admin2key snmp-server user TRAP_NMS1 TRAP_GROUP v3 auth sha trap_nms1_pw priv aes trap_nms1_key The show snmp user command would depict the configured users as follows: Device#show snmp user User name: HP_OV Engine ID: AB12CD34EF56 storage-type: nonvolatile active Authentication Protocol: SHA Privacy Protocol: AES256 Group-name: NOC User name: Admin1 Engine ID: 800000090300C20013080000 storage-type: nonvolatile active Authentication Protocol: SHA Privacy Protocol: AES256 Group-name: ADMIN_GROUP User name: Admin2 Engine ID: 800000090300C20013080000 storage-type: nonvolatile active Authentication Protocol: MD5 Privacy Protocol: 3DES Group-name: ADMIN_GROUP User name: TRAP_NMS1 Engine ID: 800000090300C20013080000 storage-type: nonvolatile active Authentication Protocol: SHA Privacy Protocol: AES256 Group-name: TRAP_GROUP

Fix text

Configure the network device to allow for read-only SNMP access when using SNMPv1, v2c, or basic v3 (no authentication or privacy). Write access may be used if authentication is configured when using SNMPv3.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer