Ensure interface restrictions are set for SNMP

Details

SNMP should only be configured on required interfaces.

Rationale:

By default, the SNMP service listens for incoming connections on all interfaces that have an IP address configured, exposing SNMP to users on all networks through which the router is reachable.

In most cases the router should only be manageable over some of its interfaces; in particular a router providing connectivity to untrusted networks such as the Internet should only be manageable from trusted sources.

Solution

To restrict SNMP to required interfaces, issue the following command from the [edit snmp] hierarchy:

[edit snmp]
user@host# set interface <interface-name>

Default Value:

By default SNMP, when configured, is accessible over all configured interfaces.
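
An added example, not part of the benchmark or of Juniper's tooling: a Python check that reads `show configuration | display set` output and reports whether SNMP is restricted to specific interfaces. The sample configurations, the community name and the approved-interface list are constructed assumptions.

```python
import re

# Constructed sample configurations in "display set" form (not from a real device).
UNRESTRICTED = """\
set system host-name edge-rtr
set snmp location "DC1 rack 12"
set snmp community EXAMPLE-RO authorization read-only
set interfaces ge-0/0/0 unit 0 family inet address 198.51.100.1/30
"""
RESTRICTED = """\
set snmp community EXAMPLE-RO authorization read-only
set snmp interface fxp0.0
set snmp interface ge-0/0/0.0
"""

SNMP_IFACE = re.compile(r"^set snmp interface (\S+)$")


def audit_snmp_interfaces(display_set, approved):
    """Return (status, details) for the SNMP interface restriction check.

    approved: interface names the site permits for management (an assumption
    of this example; the benchmark only says "required interfaces").
    """
    lines = [ln.strip() for ln in display_set.splitlines() if ln.strip()]
    snmp_active = any(ln.startswith("set snmp ") for ln in lines)
    # A deactivated [edit snmp] hierarchy is ignored at commit time.
    if not snmp_active or "deactivate snmp" in lines:
        return "NOT_APPLICABLE", []
    ifaces = sorted({m.group(1) for ln in lines if (m := SNMP_IFACE.match(ln))})
    if not ifaces:
        # Default behaviour: SNMP answers on every interface with an address.
        return "FAIL", ["no 'set snmp interface' statement found"]
    unexpected = [i for i in ifaces if i not in approved]
    if unexpected:
        return "REVIEW", unexpected
    return "PASS", ifaces


if __name__ == "__main__":
    for name, cfg in (("unrestricted", UNRESTRICTED), ("restricted", RESTRICTED)):
        print(name, audit_snmp_interfaces(cfg, approved={"fxp0.0"}))
```

A `REVIEW` result means a restriction exists but includes an interface outside the approved list, which is the case to check on routers facing untrusted networks.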

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection. This control applies to the following type of system: Juniper.

Updated on July 16, 2022