Ensure SNMP Write Access is not set

Details

Do not allow Read-Write SNMP access.

Rationale:

SNMP can be used to read and write configuration information from a router using your Network Management Systems; however, the inherently insecure design of the older SNMP v1, v2 and v2c standards, which do not use encryption to protect community strings, makes their use for setting configuration an open invitation to an attacker.

Even the more recent SNMPv3, which introduces encryption, authentication and message integrity checking, does not provide support for centralized authentication, account lockout or other basic security measures applied to other methods to access the router. This leaves the router vulnerable to brute force attack. The use of UDP as the transport mechanism in SNMP also makes spoofing the source of an SNMP request far simpler, easing brute force or flooding attacks.

Solution

If you have deployed SNMP below Version 3 on your router with Read-Write access, delete the associated community using the following command under the [edit snmp] hierarchy:

[edit snmp]
user@host# delete community <community-name>

Alternatively, you can set the community's authorization level to Read Only with the following command from the [edit snmp] hierarchy:

[edit snmp]
user@host# set community <community-name> authorization read-only

If you have deployed SNMP Version 3 on your router with Write access, delete the write view using the following command under the [edit snmp v3 vacm access] hierarchy:

[edit snmp v3 vacm access]
user@host# delete group <group-name> default-context-prefix security-model <security-model> security-level <security-level> write-view

Complete the sections in <> with the details configured for your group(s). This command leaves any read or notify views for the group in place. If only a write-view is configured, the group can be deleted instead.
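To audit this control across many devices rather than by hand, the following added example (not part of the benchmark or of Junos) parses "show configuration snmp | display set" output, flags every read-write community and every SNMPv3 write-view, and prints the matching remediation command from the steps above. The sample configuration is constructed for illustration.

```python
import shlex

# Constructed sample of "show configuration snmp | display set" output; not from a real device.
SAMPLE_CONFIG = """\
set snmp community public authorization read-only
set snmp community "net ops" authorization read-write
set snmp community "net ops" clients 192.0.2.0/24
set snmp v3 vacm access group ops default-context-prefix security-model usm security-level privacy read-view all
set snmp v3 vacm access group ops default-context-prefix security-model usm security-level privacy write-view all
set snmp v3 vacm access group pushonly default-context-prefix security-model usm security-level privacy write-view all
"""

VIEW_KINDS = ("read-view", "write-view", "notify-view")


def find_snmp_write_access(config_text):
    """Return (finding, remediation) pairs for every SNMP write path in set-style Junos config."""
    findings = []
    path_views = {}   # access path (tokens after "set", up to the view keyword) -> view kinds on it
    group_views = {}  # group name -> every view kind configured anywhere under that group
    for raw in config_text.splitlines():
        try:
            tok = shlex.split(raw)  # handles quoted names such as "net ops"
        except ValueError:
            continue  # skip unbalanced quotes rather than abort the audit
        if tok[:3] == ["set", "snmp", "community"] and tok[4:6] == ["authorization", "read-write"]:
            name = f'"{tok[3]}"' if " " in tok[3] else tok[3]
            findings.append((f"community {name} is read-write",
                             f"set snmp community {name} authorization read-only"))
        elif tok[:6] == ["set", "snmp", "v3", "vacm", "access", "group"]:
            for i, t in enumerate(tok):
                if t in VIEW_KINDS:
                    path_views.setdefault(tuple(tok[1:i]), set()).add(t)
                    group_views.setdefault(tok[6], set()).add(t)
                    break
    for path, kinds in path_views.items():
        if "write-view" not in kinds:
            continue
        group = path[5]
        if group_views[group] == {"write-view"}:  # group grants nothing but write: drop it whole
            findings.append((f"SNMPv3 group '{group}' exists only to grant write access",
                             "delete " + " ".join(path[:6])))
        else:  # keep read/notify views, remove just the write-view on this path
            findings.append((f"SNMPv3 group '{group}' has a write-view",
                             "delete " + " ".join(path) + " write-view"))
    return findings


if __name__ == "__main__":
    for finding, fix in find_snmp_write_access(SAMPLE_CONFIG):
        print(f"FAIL: {finding}\n      remediation: {fix}")
```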

Default Value:

No SNMP communities are set by default on most platforms.

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection. This control applies to the following type of system: Juniper.

Updated on July 16, 2022