The network element must use SNMP Version 3 Security Model with FIPS 140-2 validated cryptography for any SNMP agent configured on the device.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-3196	NET1660	SV-3196r2_rule	ECSC-1	High

Description
SNMP Versions 1 and 2 are not considered secure. Without the strong authentication and privacy that is provided by the SNMP Version 3 User-based Security Model (USM), an unauthorized user can gain access to network management information used to launch an attack against the network.

STIG	Date
IDS/IPS Security Technical Implementation Guide	2013-10-08

Details

Check Text ( C-3820r5_chk )
Review the device configuration to verify it is configured to use SNMPv3 with both SHA authentication and privacy using AES encryption. If the site is using Version 1 or Version 2 with all of the appropriate patches and has developed a migration plan to implement the Version 3 Security Model, this finding can be downgraded to a Category II. To verify the appropriate patches on CISCO devices: Check the following IAVMs associated with SNMPv1: 1. 2001-B-0001 (V0005809) Cisco IOS Software SNMP Read-Write ILMI Community String Vulnerability 2. 2002-A-SNMP-001 (V0005835) Multiple Simple Network Management Protocol Vulnerabilities in Perimeter Devices (Cisco Security Advisory: Malformed SNMP Message-Handling Vulnerabilities) To verify the appropriate patches on other vendors refer to this web site: http://www.cert.org/advisories/CA-2002-03.html. If the targeted asset is running SNMPv3 and does not support SHA or AES, but the device is configured to use MD5 authentication and DES or 3DES encryption, then the finding can be downgraded to a Category III. If the site is using Version 1 or Version 2 and has installed all of the appropriate patches or upgrades to mitigate any known security vulnerabilities, this finding can be downgraded to a Category II. In addition, if the device does not support SNMPv3, this finding can be downgraded to a Category III provided all of the appropriate patches to mitigate any known security vulnerabilities have been applied and has developed a migration plan that includes the device upgrade to support Version 3 and the implementation of the Version 3 Security Model.

Check Text ( C-3820r5_chk )

Review the device configuration to verify it is configured to use SNMPv3 with both SHA authentication and privacy using AES encryption.

If the site is using Version 1 or Version 2 with all of the appropriate patches and has developed a migration plan to implement the Version 3 Security Model, this finding can be downgraded to a Category II.

To verify the appropriate patches on CISCO devices: Check the following IAVMs associated with SNMPv1:

1. 2001-B-0001 (V0005809) Cisco IOS Software SNMP Read-Write ILMI Community String Vulnerability
2. 2002-A-SNMP-001 (V0005835) Multiple Simple Network Management Protocol Vulnerabilities in Perimeter Devices (Cisco Security Advisory: Malformed SNMP Message-Handling Vulnerabilities)

To verify the appropriate patches on other vendors refer to this web site: http://www.cert.org/advisories/CA-2002-03.html.

If the targeted asset is running SNMPv3 and does not support SHA or AES, but the device is configured to use MD5 authentication and DES or 3DES encryption, then the finding can be downgraded to a Category III.

If the site is using Version 1 or Version 2 and has installed all of the appropriate patches or upgrades to mitigate any known security vulnerabilities, this finding can be downgraded to a Category II. In addition, if the device does not support SNMPv3, this finding can be downgraded to a Category III provided all of the appropriate patches to mitigate any known security vulnerabilities have been applied and has developed a migration plan that includes the device upgrade to support Version 3 and the implementation of the Version 3 Security Model.

Fix Text (F-3221r3_fix)
If SNMP is enabled, configure the network element to use SNMP Version 3 Security Model with FIPS 140-2 validated cryptography (i.e., SHA authentication and AES encryption).