The Cisco IOS XE router must be configured to send SNMP traps and notifications to the SNMP manager for the purpose of sending alarms and notifying appropriate personnel as required by specific events.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-74087	CISR-ND-000143	SV-88761r2_rule		Medium

Description
If appropriate actions are not taken when a network device failure occurs, a denial of service condition may occur which could result in mission failure since the network would be operating without a critical security monitoring and prevention function. Upon detecting a failure of network device security components, the HP FlexFabric Switch must activate a system alert message, send an alarm, or shut down. By immediately displaying an alarm message, potential security violations can be identified more quickly even when administrators are not logged into the device. This can be facilitated by the switch sending SNMP traps to the SNMP manager that can then have the necessary action taken by automatic or operator intervention.

Description

If appropriate actions are not taken when a network device failure occurs, a denial of service condition may occur which could result in mission failure since the network would be operating without a critical security monitoring and prevention function. Upon detecting a failure of network device security components, the HP FlexFabric Switch must activate a system alert message, send an alarm, or shut down. By immediately displaying an alarm message, potential security violations can be identified more quickly even when administrators are not logged into the device. This can be facilitated by the switch sending SNMP traps to the SNMP manager that can then have the necessary action taken by automatic or operator intervention.

STIG	Date
Cisco IOS XE Release 3 NDM Security Technical Implementation Guide	2018-12-20

Details

Check Text ( C-74179r3_chk )
Verify that the Cisco IOS XE router is configured to send traps to the SNMP manager. The SNMP configuration should contain commands similar to the example below: snmp-server enable traps snmp-server host x.x.x.x version 3 auth xxxxxxxxx snmp-server user TRAP_NMS1 TRAP_GROUP v3 encrypted auth sha AAAAPPPP priv aes 128 EEEEPPPP Note: In the example above, the following values are used hypothetically: Username for SNMP Manager: TRAP_NMS1 Group for SNMP Manager: TRAP_GROUP User password for HMAC authentication: AAAAPPPP User password for encryption: EEEEPPPP AES key length: 128 If the router is not configured to send traps to the SNMP manager, this is a finding.

Check Text ( C-74179r3_chk )

Verify that the Cisco IOS XE router is configured to send traps to the SNMP manager.

The SNMP configuration should contain commands similar to the example below:

snmp-server enable traps
snmp-server host x.x.x.x version 3 auth xxxxxxxxx
snmp-server user TRAP_NMS1 TRAP_GROUP v3 encrypted auth sha AAAAPPPP priv aes 128 EEEEPPPP

Note: In the example above, the following values are used hypothetically:

Username for SNMP Manager: TRAP_NMS1
Group for SNMP Manager: TRAP_GROUP
User password for HMAC authentication: AAAAPPPP
User password for encryption: EEEEPPPP
AES key length: 128

If the router is not configured to send traps to the SNMP manager, this is a finding.

Fix Text (F-80627r2_fix)
Configure the Cisco IOS XE router to send traps to the SNMP manager. The SNMP configuration should contain commands similar to the example below: snmp-server enable traps snmp-server host x.x.x.x version 3 auth xxxxxxxxx snmp-server user TRAP_NMS1 TRAP_GROUP v3 encrypted auth sha AAAAPPPP priv aes 128 EEEEPPPP Note: In the example above, the following values are used hypothetically: Username for SNMP Manager: TRAP_NMS1 Group for SNMP Manager: TRAP_GROUP User password for HMAC authentication: AAAAPPPP User password for encryption: EEEEPPPP AES key length: 128

Fix Text (F-80627r2_fix)

Configure the Cisco IOS XE router to send traps to the SNMP manager.

The SNMP configuration should contain commands similar to the example below:

snmp-server enable traps
snmp-server host x.x.x.x version 3 auth xxxxxxxxx
snmp-server user TRAP_NMS1 TRAP_GROUP v3 encrypted auth sha AAAAPPPP priv aes 128 EEEEPPPP

Note: In the example above, the following values are used hypothetically:

Username for SNMP Manager: TRAP_NMS1
Group for SNMP Manager: TRAP_GROUP
User password for HMAC authentication: AAAAPPPP
User password for encryption: EEEEPPPP
AES key length: 128