The Juniper router must be configured to send SNMP traps and notifications to the SNMP manager for the purpose of sending alarms and notifying appropriate personnel as required by specific events.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-91197	JUNI-ND-001450	SV-101297r1_rule		Medium

Description
If appropriate actions are not taken when a network device failure occurs, a denial of service condition may occur which could result in mission failure since the network would be operating without a critical security monitoring and prevention function. Upon detecting a failure of any router components, the router must activate a system alert message, send an alarm, or shut down. By immediately displaying an alarm message, potential security violations can be identified more quickly even when administrators are not logged into the device. This can be facilitated by the router sending SNMP traps to the SNMP manager that can then have the necessary action taken by automatic or operator intervention.

Description

If appropriate actions are not taken when a network device failure occurs, a denial of service condition may occur which could result in mission failure since the network would be operating without a critical security monitoring and prevention function. Upon detecting a failure of any router components, the router must activate a system alert message, send an alarm, or shut down. By immediately displaying an alarm message, potential security violations can be identified more quickly even when administrators are not logged into the device. This can be facilitated by the router sending SNMP traps to the SNMP manager that can then have the necessary action taken by automatic or operator intervention.

STIG	Date
Juniper Router NDM Security Technical Implementation Guide	2019-12-10

Details

Check Text ( C-90351r2_chk )
Verify that the router is configured to send traps to the SNMP manager. The SNMP configuration should contain commands similar to the example below. snmp { v3 { … … … } target-address NMS_HOST { address x.x.x.x; address-mask 255.255.255.0; tag-list NMS; } … … … } notify SEND_TRAPS { type trap; tag NMS; } snmp-community index1 { security-name R5_NMS; tag NMS; } } } If the router is not configured to send traps to the SNMP manager, this is a finding.

Check Text ( C-90351r2_chk )

Verify that the router is configured to send traps to the SNMP manager. The SNMP configuration should contain commands similar to the example below.

snmp {
v3 {
…
…
…
}
target-address NMS_HOST {
address x.x.x.x;
address-mask 255.255.255.0;
tag-list NMS;
}
…
…
…
}
notify SEND_TRAPS {
type trap;
tag NMS;
}
snmp-community index1 {
security-name R5_NMS;
tag NMS;
}
}
}

If the router is not configured to send traps to the SNMP manager, this is a finding.

Fix Text (F-97395r2_fix)
Configure the router to send SNMP traps to the SNMP manager. [edit snmp] set v3 target-address NMS_HOST address x.x.x.x edit v3 target-address NMS_HOST [edit snmp v3 target-address NMS_HOST] set address-mask 255.255.255.0 set tag-list NMS exit [edit snmp] set v3 notify SEND_TRAPS type trap tag NMS