For nonlocal maintenance sessions using SNMP, the Juniper SRX Services Gateway must use and securely configure SNMPv3 with SHA to protect the integrity of maintenance and diagnostic communications.

From Juniper SRX SG NDM Security Technical Implementation Guide

Associated with: CCI-002890

SV-80943r1_rule For nonlocal maintenance sessions using SNMP, the Juniper SRX Services Gateway must use and securely configure SNMPv3 with SHA to protect the integrity of maintenance and diagnostic communications.

Vulnerability discussion

Without cryptographic integrity protections, information can be altered by unauthorized users without detection.Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. The Juniper SRX allows the use of SNMP to monitor or query the device in support of diagnostics information. SNMP cannot be used to make configuration changes; however, it is a valuable diagnostic tool. SNMP is disabled by default and must be enabled for use. SNMPv3 is the DoD-required version, but must be configured to be used securely.

Check content

Verify SNMP is configured for version 3. [edit] show snmp v3 If SNMPv3 is not configured for version 3 using SHA, this is a finding.

Fix text

Configure snmp to use version 3 with SHA authentication. [edit] set snmp v3 usm local-engine user authentication-sha

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.