Details

Without the strong encryption that is provided by the SNMP Version 3 User-based Security Model (USM), an unauthorized user can gain access to network management information that can be used to create a network outage.

Solution

Configure the router to encrypt SNMP messages using a FIPS 140-2 approved algorithm as shown in the example below.

[edit snmp]
set v3 usm local-engine user R5_NMS authentication-sha authentication-password xxxxxxxxxx
set v3 usm local-engine user R5_NMS privacy-aes128 privacy-password xxxxxxxxxx
set v3 target-address NMS_HOST address 10.1.58.2
edit v3 target-address NMS_HOST

[edit snmp v3 target-address NMS_HOST]
set address-mask 255.255.255.0
set tag-list NMS
set target-parameters TP1
exit

[edit snmp]
set v3 target-parameters TP1 parameters message-processing-model v3
set v3 target-parameters TP1 parameters security-model usm
set v3 target-parameters TP1 parameters security-name R5_NMS
set v3 target-parameters TP1 parameters security-level privacy
set v3 snmp-community index1 security-name R5_NMS tag NMS
set v3 notify SEND_TRAPS type trap tag NMS

Note: SNMPv3 security level privacy also authenticates the messages using the configured HMAC; hence, the authentication key must also be configured as shown in the example above.

Supportive Information

The following resource is also helpful.

• https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_Router_Y21M02_STIG.ziphttps://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_Router_Y21M02_STIG.zip

This security hardening control applies to the following category of controls within NIST 800-53: Access Control.This control applies to the following type of system Juniper.

References

• 800-53|AC-17(2)
• CAT|II
• CCI|CCI-000068
• Rule-ID|SV-101265r1_rule
• STIG-ID|JUNI-ND-001130
• Vuln-ID|V-91165

Source

• Tenable.com/audits