Details
Do not allow unauthenticated SNMPv3 access.
Rationale:
SNMPv3 provides much improved security over previous versions by offering options for authentication and encryption of messages. Authentication in SNMPv3 is performed using a Keyed-Hash Message Authentication Code (HMAC). This technique uses a cryptographic hash function in combination with a secret key to authenticate a given message and ensure its integrity.
JUNOS supports the MD5 and SHA1 hash functions for use in SNMPv3 authentication. MD5 is an older hash function which has shown significant vulnerability in recent years, so the more recent and more trusted SHA1 should be used.
NOTE: SNMPv3 does not appear to be configured on the target. This check is not applicable.
Solution
For each SNMPv3 user created on your router, add privacy options by issuing the following command from the [edit snmp v3 usm local-engine] hierarchy:
[edit snmp v3 usm local-engine]
[email protected]#set user
Default Value:
No SNMP communities are set by default on most platforms.
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Identification and Authentication.
This control applies to the following type of system: Juniper.