Details
Limit which clients can access SNMP.
Rationale:
Even when limited to read only access, SNMP can provide an attacker with a wealth of information about your router and network topology.
To limit the potential for attacks against your router's SNMP service, your client lists should be configured to deny any source address that is not explicitly permitted (by being added to the list).
NOTE: SNMP does not appear to be configured on the target. This check is not applicable.
Solution
To configure a client list, issue the following command under the [edit snmp client-list
[edit snmp client-list
user@host# set default restrict
Note – Client-lists may also be defined directly under the [edit snmp community
Default Value:
No SNMP communities are set by default on most platforms.
Supportive Information
This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection. This control applies to the following type of system: Juniper.