The network device must only allow SNMP read-only access.

From Infrastructure Router Security Technical Implementation Guide Juniper

Part of Network element must only allow SNMP read access.

Associated with IA controls: ECSC-1

SV-30087r3_rule The network device must only allow SNMP read-only access.

Vulnerability discussion

Enabling write access to the router via SNMP provides a mechanism that can be exploited by an attacker to set configuration variables that can disrupt network operations.

Check content

Review the network device configuration and verify SNMP community strings are read-only when using SNMPv1, v2c, or basic v3 (no authentication or privacy). Write access may be used if authentication is configured when using SNMPv3. If write access is used for SNMP versions 1, 2c, or 3-noAuthNoPriv mode and there is no documented approval by the IAO, this is a finding.

The SNMPv1 configuration should look similar to the following:

snmp {
    interface ge-0/1/0.0;
    community xxxxxxxxx {
        authorization read-only;
        clients {
            default restrict;
            7.7.7.5/30;
        }
    }
}

SNMPv3 access sets the SNMP access levels by context, group, and user. The context-name statement determines what management information is accessible by an SNMP entity. An SNMP entity can have access to many access contexts and therefore requires a name to identify each context. You must also associate a context with a specific access group and configure read and write views associated with each group. Specify the group-name variable to identify a collection of SNMP users that share the same access policy, in which object identifiers (OIDs) are read-accessible or write-accessible. Each group is the collection of users associated with the security model. You can only specify the model usm. The example below has a "router context" which is accessed by two groups: NOC and engineers. NOC is only allowed read access while engineers have read and write access. John and Sue are users that belong to the engineers group and have authentication configured.

snmp {
    view all {
        oid .1.3.6.1 include;
    }
    engine-id {
        local "isp-routers-0001";
    }
    access {
        user john {
            authentication-type md5;
            authentication-password "john-auth-password";
            privacy-type des;
            privacy-password "john-privacy-password";
        }
        user sue {
            authentication-type md5;
            authentication-password "sue-auth-password";
            privacy-type des;
            privacy-password "sue-privacy-password";
        }
        user hpov {
            authentication-type md5;
            authentication-password "hpov-auth-password";
            privacy-type des;
            privacy-password "hpov-privacy-password";
        }
        group engineers {
            model usm;
            user [john sue];
        }
        group noc {
            model usm;
            user hpov;
        }
        context router {
            description "a router context";
            group noc {
                model usm;
                security-level privacy;
                read-view all;
            }
            group engineers {
                model usm;
                security-level privacy;
                read-view all;
                write-view all;
            }
        }
    }
}
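The check above can be automated against a saved configuration. The following script is an added example, not part of the STIG or of any Juniper tooling: it parses the brace/semicolon syntax shown in the check content into a tree, then flags every community whose authorization is not read-only (SNMPv1/v2c) and every SNMPv3 context group that grants a write-view without an authentication or privacy security level. Assumed: a community with no authorization statement is read-only (the Junos default), and a group with a write-view but no explicit security-level is treated as security-level none; the sample configuration and its names (public-ro, legacy-rw, scripts) are constructed.

```python
# Added example (not from the STIG): audit a Junos-style "snmp" stanza for the
# SV-30087r3 check. Assumptions: the parser covers only the brace/semicolon
# syntax shown on the page; a community with no "authorization" statement is
# treated as read-only (the Junos default); a group granting a write-view with
# no explicit security-level is treated as security-level none.
import re
from typing import Dict, List, Tuple

# Tokens: a double-quoted string, one of { } ; or a bare word.
_TOKEN_RE = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')

def parse_junos(text: str) -> dict:
    """Parse brace-delimited config into nested dicts: leaf -> None, block -> dict."""
    tokens = _TOKEN_RE.findall(text)

    def parse_block(pos: int) -> Tuple[dict, int]:
        node: dict = {}
        words: List[str] = []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == "{":
                child, pos = parse_block(pos)
                node[" ".join(words)] = child
                words = []
            elif tok == ";":
                node[" ".join(words)] = None
                words = []
            elif tok == "}":
                return node, pos
            else:
                words.append(tok)
        return node, pos

    return parse_block(0)[0]

def _leaf_values(block: dict) -> Dict[str, List[str]]:
    """Map each statement's first word to its remaining words."""
    out: Dict[str, List[str]] = {}
    for stmt in block:
        parts = stmt.split()
        if parts:
            out[parts[0]] = parts[1:]
    return out

def community_findings(tree: dict) -> List[tuple]:
    """SNMPv1/v2c: every community must be 'authorization read-only'."""
    findings = []
    for key, body in (tree.get("snmp") or {}).items():
        parts = key.split()
        if len(parts) != 2 or parts[0] != "community":
            continue
        auth = _leaf_values(body or {}).get("authorization", ["read-only"])[0]
        if auth != "read-only":
            findings.append(("community", parts[1], auth))
    return findings

# Security levels under which the check accepts SNMPv3 write access.
_WRITE_OK_LEVELS = {"authentication", "privacy"}

def v3_findings(tree: dict) -> List[tuple]:
    """SNMPv3: a context group with a write-view needs an authenticated level."""
    findings = []
    access = (tree.get("snmp") or {}).get("access") or {}
    for ctx_key, ctx_body in access.items():
        if not ctx_key.startswith("context ") or not ctx_body:
            continue
        for grp_key, grp_body in ctx_body.items():
            if not grp_key.startswith("group ") or not grp_body:
                continue
            stmts = _leaf_values(grp_body)
            if "write-view" not in stmts:
                continue
            level = stmts.get("security-level", ["none"])[0]  # absent -> none (assumption)
            if level not in _WRITE_OK_LEVELS:
                findings.append(("v3-group", ctx_key.split()[1], grp_key.split()[1], level))
    return findings

def audit(config_text: str) -> list:
    """All findings for one configuration; an empty list means compliant."""
    tree = parse_junos(config_text)
    return community_findings(tree) + v3_findings(tree)

# Constructed sample: one compliant community, one read-write community, and a
# "router" context where group "scripts" gets a write-view at security-level none.
SAMPLE_CONFIG = """snmp {
    community public-ro { authorization read-only; clients { default restrict; } }
    community legacy-rw { authorization read-write; }
    access {
        context router {
            description "a router context";
            group noc { model usm; security-level privacy; read-view all; }
            group engineers { model usm; security-level privacy; read-view all; write-view all; }
            group scripts { model usm; security-level none; read-view all; write-view all; }
        }
    }
}"""
```

Running audit(SAMPLE_CONFIG) returns two findings, ("community", "legacy-rw", "read-write") and ("v3-group", "router", "scripts", "none"), while the noc and engineers groups pass because their write access, where present, is protected by security-level privacy. Feed it the output of show configuration snmp from a device to apply the same check to a real stanza; any finding without documented IAO approval is a finding under this rule.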

Fix text

Configure the network device to allow for read-only SNMP access when using SNMPv1, v2c, or basic v3 (no authentication or privacy). Write access may be used if authentication is configured when using SNMPv3.


Powered by sagemincer