Ensure AES128 is set for all SNMPv3 users

Details

Do not allow plaintext SNMPv3 access.

Rationale:

SNMPv3 provides much improved security over SNMPv1 and SNMPv2c, which protect requests with nothing more than a cleartext community string, by offering authentication and encryption of messages.

When configuring a user for SNMPv3 on Junos you can choose the privacy (encryption) protocol used to protect messages in transit: DES, 3DES, AES128, or none. The strongest scheme available is AES128 and this should be configured for all SNMPv3 users on all sensitive devices. Note that SNMPv3 does not permit privacy without authentication, so each user also needs an authentication protocol (SHA rather than MD5); only an authPriv user protects both the integrity and the confidentiality of SNMP traffic.

NOTE: SNMPv3 does not appear to be configured on the target. This check is not applicable.

Solution

For each SNMPv3 user configured on your router, add AES128 privacy by issuing the following command from the [edit snmp v3 usm local-engine] hierarchy. The user must already have an authentication protocol configured, and Junos requires the privacy password to be at least eight characters:

[edit snmp v3 usm local-engine]
user@router# set user <username> privacy-aes128 privacy-password <password>
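To audit an existing device against this control, the following Python script (an added example written for this article, not Juniper's or the benchmark's own tooling) parses the `set`-format output of `show configuration snmp | display set` and reports every USM user whose privacy protocol is not AES128, every user that lacks authentication, and every VACM access statement whose security-level would accept requests below privacy. It then emits the remediation commands from the Solution above for each failing user. The configuration text is constructed for the example, and the `$9$...` values are placeholders for Junos-obfuscated keys, not real keys.

```python
"""Audit a Junos SNMPv3 configuration for users not protected with AES128 privacy.

Input is the output of 'show configuration snmp | display set' (one 'set' per line).
"""
import re
from collections import defaultdict

# Constructed sample configuration for this example. The "$9$..." values stand in
# for Junos-obfuscated keys and are not real keys.
SAMPLE_CONFIG = """
set snmp v3 usm local-engine user monitor-ro authentication-sha authentication-key "$9$aaaa"
set snmp v3 usm local-engine user monitor-ro privacy-aes128 privacy-key "$9$bbbb"
set snmp v3 usm local-engine user legacy-poller authentication-md5 authentication-key "$9$cccc"
set snmp v3 usm local-engine user legacy-poller privacy-des privacy-key "$9$dddd"
set snmp v3 usm local-engine user auth-only authentication-sha authentication-key "$9$eeee"
set snmp v3 usm local-engine user auth-only privacy-none
set snmp v3 usm local-engine user open-user authentication-none
set snmp v3 usm local-engine user open-user privacy-none
set snmp v3 vacm security-to-group security-model usm security-name monitor-ro group ro-group
set snmp v3 vacm access group ro-group default-context-prefix security-model usm security-level privacy read-view all
set snmp v3 vacm access group legacy-group default-context-prefix security-model usm security-level authentication read-view all
"""

USER_RE = re.compile(r"^set snmp v3 usm local-engine user (\S+) (authentication|privacy)-(\S+)")
ACCESS_RE = re.compile(r"^set snmp v3 vacm access group (\S+) .*security-model usm security-level (\S+)")


def parse_users(config):
    """Map each USM user to its authentication and privacy protocol (None if absent)."""
    users = defaultdict(lambda: {"auth": None, "priv": None})
    for line in config.splitlines():
        m = USER_RE.match(line.strip())
        if m:
            name, kind, proto = m.groups()
            users[name]["auth" if kind == "authentication" else "priv"] = proto
    return dict(users)


def parse_access_levels(config):
    """Map each VACM group to the security-level its access statement requires."""
    levels = {}
    for line in config.splitlines():
        m = ACCESS_RE.match(line.strip())
        if m:
            levels[m.group(1)] = m.group(2)
    return levels


def audit_users(users):
    """One finding per weakness; an empty list means every user is authPriv with AES128."""
    findings = []
    for name, u in sorted(users.items()):
        if u["auth"] in (None, "none"):
            findings.append(f"{name}: no authentication protocol (noAuthNoPriv)")
        if u["priv"] in (None, "none"):
            findings.append(f"{name}: no privacy protocol, SNMP PDUs travel in plaintext")
        elif u["priv"] != "aes128":
            findings.append(f"{name}: weak privacy protocol {u['priv']}, expected aes128")
    return findings


def audit_access(levels):
    """Groups whose access statement would accept requests below the privacy security level."""
    return [f"group {g}: security-level {lvl}, expected privacy"
            for g, lvl in sorted(levels.items()) if lvl != "privacy"]


def remediation(users):
    """Junos delete/set commands that bring every non-compliant user to SHA + AES128.

    <password> is a placeholder for the operator to fill in (Junos requires at least
    8 characters). The existing weak protocol is deleted first so the set is unambiguous.
    """
    prefix = "snmp v3 usm local-engine user"
    cmds = []
    for name, u in sorted(users.items()):
        if u["auth"] in (None, "none"):
            if u["auth"] == "none":
                cmds.append(f"delete {prefix} {name} authentication-none")
            cmds.append(f"set {prefix} {name} authentication-sha authentication-password <password>")
        if u["priv"] != "aes128":
            if u["priv"] is not None:
                cmds.append(f"delete {prefix} {name} privacy-{u['priv']}")
            cmds.append(f"set {prefix} {name} privacy-aes128 privacy-password <password>")
    return cmds


if __name__ == "__main__":
    users = parse_users(SAMPLE_CONFIG)
    for finding in audit_users(users) + audit_access(parse_access_levels(SAMPLE_CONFIG)):
        print("FAIL", finding)
    for cmd in remediation(users):
        print(cmd)
```

Feed it a saved `display set` dump instead of the constructed sample. The script inspects only `local-engine` users and USM access statements; a device with no `snmp v3` stanza yields no users and the control is simply not applicable, as the NOTE above describes. Changing a user's privacy protocol invalidates the key the poller already holds, so update the NMS credentials in the same change window.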

Default Value:

No SNMP is configured by default on most platforms.

Supportive Information

This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection. This control applies to the following type of system: Juniper.


Updated on July 16, 2022