UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The network element must only allow SNMP access from addresses belonging to the management network.


Overview

Finding ID Version Rule ID IA Controls Severity
V-3021 NET0890 SV-15332r2_rule Medium
Description
Detailed information about the network is sent across the network via SNMP. If this information is discovered by attackers it could be used to trace the network, show the networks topology, and possibly gain access to network devices.
STIG Date
Perimeter L3 Switch Security Technical Implementation Guide - Cisco 2017-06-27

Details

Check Text ( C-12798r3_chk )
Review device configuration and verify that it is configured to only allow SNMP access from only addresses belonging to the management network. The following examples for SNMP v1, 2, and 3 depict the use of an ACL to restrict SNMP access to the device.

SNMP v1/v2c Configuration Example

The example ACL NMS_LIST is used to define what network management stations can access the device for write and read only (poll).

ip access-list standard NMS_LIST
permit 10.1.1.24
permit 10.1.1.22
permit 10.1.1.23
!
snmp-server community ourCommStr RO RW NMS_LIST
snmp-server community write_pw RW NMS_LIST
snmp-server enable traps snmp linkdown linkup
snmp-server host 10.1.1.1 trap_comm_string

Note: If you enter the snmp-server host command with no keywords, the default is version 1 and to send all enabled traps to the host. No informs will be sent to this host. If no traps or informs keyword is present, traps are sent.

SNMP v3 Configuration Example

The example ACL NMS_LIST and ADMIN_LIST are used to define what network management stations and administrator (users) desktops can access the device.

ip access-list standard ADMIN_LIST
permit 10.1.1.35
permit 10.1.1.36
ip access-list standard NMS_LIST
permit 10.1.1.24
permit 10.1.1.22
permit 10.1.1.23
!
snmp-server group NOC v3 priv read VIEW_ALL write VIEW_LIMIT access NMS_LIST
snmp-server group TRAP_GROUP v3 priv notify
*tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F
snmp-server group ADMIN_GROUP v3 priv read VIEW_ALL write VIEW_ALL access ADMIN_LIST
snmp-server view VIEW_ALL internet included
snmp-server view VIEW_LIMIT internet included
snmp-server view VIEW_LIMIT internet.6.3.15 excluded
snmp-server view VIEW_LIMIT internet.6.3.16 excluded
snmp-server view VIEW_LIMIT internet.6.3.18 excluded
snmp-server enable traps snmp linkdown linkup
snmp-server host 10.1.1.24 version 3 priv TRAP_NMS1

Note: For the configured group TRAP_GROUP, the notify view is auto-generated by the snmp-server host command which bind the user (TRAP_NMS1) and the group it belongs to (TRAP_GROUP) to the list of notifications (traps or informs) which are sent to the host. Hence, the configuration snmp-server group TRAP_GROUP v3 results in the following:
snmp-server group TRAP_GROUP v3 priv notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F


Note: Not required but for illustration purpose, the VIEW_LIMIT excludes MIB objects which could potentially reveal information about configured SNMP credentials. These objects are snmpUsmMIB, snmpVacmMIB, and snmpCommunityMIB which is configured as 1.3.6.1.6.3.15, 1.3.6.1.6.3.16, and 1.3.6.1.6.3.18 respectively


Note that SNMPv3 users are not shown in a running configuration. You can view them with the show snmp user command. So for example, if the following users were configured as such.

snmp-server user HP_OV NOC v3 auth sha HPOVpswd priv aes 256 HPOVsecretkey
snmp-server user Admin1 ADMIN_GROUP v3 auth sha Admin1PW priv aes 256 Admin1key
snmp-server user Admin2 ADMIN_GROUP v3 auth md5 Admin2pass priv 3des Admin2key
snmp-server user TRAP_NMS1 TRAP_GROUP v3 auth sha trap_nms1_pw priv aes trap_nms1_key

The show snmp user command would depict the configured users as follows:

R1#show snmp user

User name: HP_OV
Engine ID: AB12CD34EF56
storage-type: nonvolatile active
Authentication Protocol: SHA
Privacy Protocol: AES256
Group-name: NOC

User name: Admin1
Engine ID: 800000090300C20013080000
storage-type: nonvolatile active
Authentication Protocol: SHA
Privacy Protocol: AES256
Group-name: ADMIN_GROUP

User name: Admin2
Engine ID: 800000090300C20013080000
storage-type: nonvolatile active
Authentication Protocol: MD5
Privacy Protocol: 3DES
Group-name: ADMIN_GROUP

User name: TRAP_NMS1
Engine ID: 800000090300C20013080000
storage-type: nonvolatile active
Authentication Protocol: SHA
Privacy Protocol: AES256
Group-name: TRAP_GROUP

R1#
Fix Text (F-3046r4_fix)
Configure the network devices to only allow SNMP access from only addresses belonging to the management network.