
Require ‘aes 128’ as minimum for ‘snmp-server user’ when using SNMPv3

Details

Specify the use of a minimum of 128-bit AES algorithm for encryption when using SNMPv3.

Rationale:

SNMPv3 provides much improved security over previous versions by offering options for authentication and encryption of messages. When configuring a user for SNMPv3, you can choose from a range of encryption schemes, or no encryption at all, to protect messages in transit. AES128 is the minimum-strength encryption method that should be deployed.

Impact:

Organizations using SNMP can significantly reduce the risks of unauthorized access by using the ‘snmp-server user’ setting with appropriate authentication and privacy protocols to encrypt messages in transit.

Solution

For each SNMPv3 user created on your router, add privacy options by issuing the following command.

hostname(config)#snmp-server user {user_name} {group_name} v3 auth sha {auth_password} priv aes 128 {priv_password} {acl_name_or_number}
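As an added example (not part of the benchmark text), the following audit check parses `show snmp user` output, which is where IOS reports each SNMPv3 user's authentication and privacy protocols, and flags users whose privacy protocol falls below the AES128 minimum this control requires. The sample output, user and group names are constructed for illustration.

```python
import re

# Constructed sample of `show snmp user` output (invented names, not from the page);
# the field labels follow the IOS output format, Engine ID lines omitted for brevity.
SAMPLE_SHOW_SNMP_USER = """\
User name: netops
Authentication Protocol: SHA
Privacy Protocol: AES128
Group-name: NETOPS
User name: legacy-mon
Authentication Protocol: MD5
Privacy Protocol: DES
Group-name: MONITOR
User name: readonly
Authentication Protocol: SHA
Privacy Protocol: None
Group-name: RO
"""

# Privacy protocols that meet the control's "aes 128" minimum.
COMPLIANT_PRIV = {"AES128", "AES192", "AES256"}
FIELD_RE = re.compile(r"^(User name|Authentication Protocol|Privacy Protocol|Group-name):\s*(.*)$")

def parse_snmp_users(text):
    """Split `show snmp user` output into one dict per user; a 'User name' line starts a record."""
    users, current = [], None
    for raw in text.splitlines():
        m = FIELD_RE.match(raw.strip())
        if not m:
            continue  # Engine ID, storage-type and other lines are not needed here
        key, value = m.group(1), m.group(2).strip()
        if key == "User name":
            current = {"user": value}
            users.append(current)
        elif current is not None:
            current[key] = value
    return users

def audit_snmpv3_privacy(text):
    """Map each user to (auth, priv, compliant); compliant means priv is AES128 or stronger."""
    findings = {}
    for u in parse_snmp_users(text):
        auth = u.get("Authentication Protocol", "None").upper()
        priv = u.get("Privacy Protocol", "None").upper()
        findings[u["user"]] = (auth, priv, priv in COMPLIANT_PRIV)
    return findings

def non_compliant_users(text):
    """Users whose privacy protocol is weaker than AES128 (DES, 3DES or none)."""
    return sorted(user for user, (_, _, ok) in audit_snmpv3_privacy(text).items() if not ok)
```

Running `non_compliant_users` over real `show snmp user` output lists the accounts that need the `priv aes 128` option added with the command above.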

Default Value:

No SNMP username is set by default.

Supportive Information


This security hardening control applies to the following category of controls within NIST 800-53: Identification and Authentication. This control applies to the following type of system: Cisco.

Updated on July 16, 2022