For nonlocal maintenance sessions using SNMP, the Juniper SRX Services Gateway must securely configure SNMPv3 with privacy options to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions.
From Juniper SRX SG NDM Security Technical Implementation Guide
Part of SRG-APP-000412-NDM-000331
Associated with:
CCI-003123
SV-80945r1_rule
For nonlocal maintenance sessions using SNMP, the Juniper SRX Services Gateway must securely configure SNMPv3 with privacy options to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions.
Vulnerability discussion
Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session.Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. To protect the confidentiality of nonlocal maintenance sessions, SNMPv3 with AES encryption to must be configured to provide confidentiality. The Juniper SRX allows the use of SNMPv3 to monitor or query the device in support of diagnostics information. SNMP cannot be used to make configuration changes; however, it is a valuable diagnostic tool. SNMP is disabled by default and must be enabled for use. SNMPv3 is the DoD-required version, but must be configured to be used securely.
Check content
Verify SNMPv3 is configured with privacy options.
[edit]
show snmp v3
If SNMPv3, AES encryption, and other privacy options are not configured, this is a finding.
Fix text
Configure SNMP to use version 3 with privacy options. The following is an example.
[edit]
set snmp location
set snmp v3 usm local-engine user privacy-AES128
set snmp v3 vacm security-to-group security-model usm security-name group
set snmp v3 vacm access group default-context-prefix security-model usm
security-level privacy read-view all
set snmp v3 vacm access group default-context-prefix security-model usm
security-level privacy notify-view all
Pro Tips
Lavender hyperlinks in small type off to the right (of CSS
class id
, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle
or
Accept: application/rdf+xml
.
Powered by sagemincer