From Juniper Router NDM Security Technical Implementation Guide
Part of SRG-APP-000516-NDM-000317
Associated with: CCI-000366
If appropriate actions are not taken when a network device failure occurs, a denial of service condition may occur which could result in mission failure since the network would be operating without a critical security monitoring and prevention function. Upon detecting a failure of any router components, the router must activate a system alert message, send an alarm, or shut down. By immediately displaying an alarm message, potential security violations can be identified more quickly even when administrators are not logged into the device. This can be facilitated by the switch sending SNMP traps to the SNMP manager that can then have the necessary action taken by automatic or operator intervention.
Verify that the router is configured to send traps to the SNMP manager. The SNMP configuration should contain commands similar to the example below. snmp { v3 { … … … } target-address NMS_HOST { address x.x.x.x; address-mask 255.255.255.0; tag-list NMS; } … … … } notify SEND_TRAPS { type trap; tag NMS; } snmp-community index1 { security-name R5_NMS; tag NMS; } } } If the router is not configured to send traps to the SNMP manager, this is a finding.
Configure the router to send SNMP traps to the SNMP manager. [edit snmp] set v3 target-address NMS_HOST address x.x.x.x edit v3 target-address NMS_HOST [edit snmp v3 target-address NMS_HOST] set address-mask 255.255.255.0 set tag-list NMS exit [edit snmp] set v3 notify SEND_TRAPS type trap tag NMS
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer