UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The Cisco switch must be configured to encrypt SNMP messages using a FIPS 140-2 approved algorithm.


Overview

Finding ID Version Rule ID IA Controls Severity
V-220501 CISC-ND-001140 SV-220501r940006_rule Medium
Description
Without the strong encryption that is provided by the SNMP Version 3 User-based Security Model (USM), an unauthorized user can gain access to network management information that can be used to create a network outage.
STIG Date
Cisco NX OS Switch NDM Security Technical Implementation Guide 2024-02-06

Details

Check Text ( C-22216r940004_chk )
Review the Cisco switch configuration to verify that it is compliant with this requirement as shown in the example below:

snmp-server user NETOPS auth sha 5Er23@#as178 priv aes-128 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

snmp-server host 10.1.48.10 traps version 3 priv NETOPS

Encryption used by the SNMP users can be viewed via the show snmp user command as shown in the example below:

SW1# show snmp user
______________________________________________________________
SNMP USERS
______________________________________________________________

User Auth Priv(enforce) Groups acl_filter
____ ____ ___________ ______ __________
NETOPS sha aes-128 network-operator

If the Cisco switch is not configured to encrypt SNMP messages using a FIPS 140-2 approved algorithm, this is a finding.
Fix Text (F-22205r940005_fix)
Configure the Cisco switch to encrypt SNMP messages using a FIPS 140-2 approved algorithm as shown in the example below:

SW1(config)# snmp-server user NETOPS auth sha xxxxxxxxxxxxx priv aes-128 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

SW1(config)# snmp-server host 10.1.48.10 traps version 3 priv NETOPS