Details
Specifies authentication of a packet with encryption when using SNMPv3
Rationale:
SNMPv3 provides much improved security over previous versions by offering options for Authentication and Encryption of messages. When configuring a user for SNMPv3 you have the option of using a range of encryption schemes, or no encryption at all, to protect messages in transit. AES128 is the minimum strength encryption method that should be deployed.
Impact:
Organizations using SNMP can significantly reduce the risks of unauthorized access by using the ‘snmp-server group v3 priv’ setting to encrypt messages in transit.
Solution
For each SNMPv3 group created on your router, add privacy options by issuing the following command:
hostname(config)#snmp-server group {group_name} v3 priv
Default Value:
No SNMP server groups are configured.
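One way to audit this setting offline is to scan a saved running-config for SNMPv3 groups that are not at the priv level. This is an added example, not part of the original benchmark text; the function name, report layout and sample configuration are assumptions constructed for illustration.

```python
import re

# Constructed running-config excerpt (not from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
snmp-server group NETOPS v3 priv read OPS-VIEW
snmp-server group MONITOR v3 auth read MON-VIEW access 10
snmp-server group LEGACY v3 noauth
snmp-server group OLDNMS v2c
snmp-server location DC1
"""

# snmp-server group <name> {v1 | v2c | v3 {auth | noauth | priv}} [options]
GROUP_RE = re.compile(
    r"^\s*snmp-server group (\S+) (v1|v2c|v3)(?: (auth|noauth|priv))?\b",
    re.MULTILINE,
)


def audit_snmp_groups(config_text):
    """Classify every snmp-server group line against the 'v3 priv' control."""
    report = {"compliant": [], "findings": [], "not_v3": []}
    for name, version, level in GROUP_RE.findall(config_text):
        if version != "v3":
            # Outside this control's scope (it covers SNMPv3 groups only).
            report["not_v3"].append(name)
        elif level == "priv":
            report["compliant"].append(name)
        else:
            report["findings"].append({
                "group": name,
                "level": level or "unspecified",
                # Command from the control; views/ACLs must be re-added by hand.
                "fix": f"snmp-server group {name} v3 priv",
            })
    return report


if __name__ == "__main__":
    result = audit_snmp_groups(SAMPLE_CONFIG)
    for f in result["findings"]:
        print(f"FAIL {f['group']}: v3 {f['level']} -> {f['fix']}")
    for name in result["compliant"]:
        print(f"PASS {name}: v3 priv")
```

Groups listed under not_v3 fall outside this control and need to be reviewed separately.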
Supportive Information
This security hardening control applies to the following category of controls within NIST 800-53: Identification and Authentication. This control applies to the following type of system: Cisco.