
The network element must only allow SNMP access from addresses belonging to the management network.


Overview

Finding ID: V-3021
Version: NET0890
Rule ID: SV-15332r2_rule
IA Controls: (none listed)
Severity: Medium
Description
Detailed information about the network is sent across the network via SNMP. If this information is discovered by attackers, it could be used to trace the network, reveal the network's topology, and possibly gain access to network devices.
STIG: Perimeter L3 Switch Security Technical Implementation Guide - Cisco
Date: 2018-11-28

Details

Check Text (C-12798r3_chk)
Review the device configuration and verify that it only allows SNMP access from addresses belonging to the management network. On IOS, show running-config | include snmp-server lists the community, group, and host lines, and show ip access-lists <name> shows the entries of each referenced ACL. The following examples for SNMP v1, v2c, and v3 depict the use of an ACL to restrict SNMP access to the device.

SNMP v1/v2c Configuration Example

The example ACL NMS_LIST defines which network management stations can access the device, for both read-write and read-only (polling) access.

ip access-list standard NMS_LIST
permit 10.1.1.24
permit 10.1.1.22
permit 10.1.1.23
!
snmp-server community ourCommStr RO NMS_LIST
snmp-server community write_pw RW NMS_LIST
snmp-server enable traps snmp linkdown linkup
snmp-server host 10.1.1.1 trap_comm_string

Note: If you enter the snmp-server host command with no keywords, the default is version 1 and all enabled traps are sent to the host. No informs are sent to this host. If neither the traps nor the informs keyword is present, traps are sent. Caveat: on IOS, if the community string given to snmp-server host does not already exist, the device creates a matching read-only community with no ACL; define that string explicitly with an ACL, and when auditing, look for any such unrestricted community in the running configuration.

SNMP v3 Configuration Example

The example ACLs NMS_LIST and ADMIN_LIST define which network management stations and which administrators' desktops can access the device.

ip access-list standard ADMIN_LIST
permit 10.1.1.35
permit 10.1.1.36
ip access-list standard NMS_LIST
permit 10.1.1.24
permit 10.1.1.22
permit 10.1.1.23
!
snmp-server group NOC v3 priv read VIEW_ALL write VIEW_LIMIT access NMS_LIST
snmp-server group TRAP_GROUP v3 priv notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F
snmp-server group ADMIN_GROUP v3 priv read VIEW_ALL write VIEW_ALL access ADMIN_LIST
snmp-server view VIEW_ALL internet included
snmp-server view VIEW_LIMIT internet included
snmp-server view VIEW_LIMIT internet.6.3.15 excluded
snmp-server view VIEW_LIMIT internet.6.3.16 excluded
snmp-server view VIEW_LIMIT internet.6.3.18 excluded
snmp-server enable traps snmp linkdown linkup
snmp-server host 10.1.1.24 version 3 priv TRAP_NMS1

Note: For the configured group TRAP_GROUP, the notify view is auto-generated by the snmp-server host command, which binds the user (TRAP_NMS1) and the group it belongs to (TRAP_GROUP) to the list of notifications (traps or informs) that are sent to the host. Hence, configuring snmp-server group TRAP_GROUP v3 priv results in the following line in the running configuration:
snmp-server group TRAP_GROUP v3 priv notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F


Note: Not required by this check, but for illustration, VIEW_LIMIT excludes MIB subtrees that could reveal information about configured SNMP credentials. These are snmpUsmMIB, snmpVacmMIB, and snmpCommunityMIB, at 1.3.6.1.6.3.15, 1.3.6.1.6.3.16, and 1.3.6.1.6.3.18 respectively (internet is 1.3.6.1, so internet.6.3.15 is 1.3.6.1.6.3.15).


Note that SNMPv3 users are not shown in the running configuration. They can be viewed with the show snmp user command. For example, if the following users were configured:

snmp-server user HP_OV NOC v3 auth sha HPOVpswd priv aes 256 HPOVsecretkey
snmp-server user Admin1 ADMIN_GROUP v3 auth sha Admin1PW priv aes 256 Admin1key
snmp-server user Admin2 ADMIN_GROUP v3 auth md5 Admin2pass priv 3des Admin2key
snmp-server user TRAP_NMS1 TRAP_GROUP v3 auth sha trap_nms1_pw priv aes 256 trap_nms1_key

The show snmp user command depicts the configured users as follows:

R1#show snmp user

User name: HP_OV
Engine ID: AB12CD34EF56
storage-type: nonvolatile active
Authentication Protocol: SHA
Privacy Protocol: AES256
Group-name: NOC

User name: Admin1
Engine ID: 800000090300C20013080000
storage-type: nonvolatile active
Authentication Protocol: SHA
Privacy Protocol: AES256
Group-name: ADMIN_GROUP

User name: Admin2
Engine ID: 800000090300C20013080000
storage-type: nonvolatile active
Authentication Protocol: MD5
Privacy Protocol: 3DES
Group-name: ADMIN_GROUP

User name: TRAP_NMS1
Engine ID: 800000090300C20013080000
storage-type: nonvolatile active
Authentication Protocol: SHA
Privacy Protocol: AES256
Group-name: TRAP_GROUP

R1#
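The following is an added example, not part of the STIG or of Cisco's documentation: a Python script that automates the check above against a saved running configuration. It parses named standard ACLs and the snmp-server community, group, and host lines, then reports any community or v3 group with no ACL, any ACL entry that permits a source outside the management network, and any notification host outside it. SAMPLE_CONFIG (the STIG's lines plus four deliberately bad ones) and the 10.1.1.0/24 management network are constructed for the example; only IPv4 and named standard ACLs are handled.

```python
# Added example, not from the STIG: audit a Cisco IOS running-config for the NET0890
# check. SAMPLE_CONFIG (the STIG's lines plus four bad ones) and 10.1.1.0/24 are constructed.
import ipaddress
import re

ACL_HEADER = re.compile(r"ip access-list standard (\S+)$")
# 'permit|deny [host] ADDR|any [WILDCARD]'; a trailing 'log' is not captured as a wildcard.
ACE = re.compile(r"(permit|deny)\s+(?:host\s+)?(\S+)(?:\s+(\d+\.\d+\.\d+\.\d+))?")

SAMPLE_CONFIG = """\
ip access-list standard NMS_LIST
 permit 10.1.1.24
ip access-list standard ADMIN_LIST
 permit 10.1.1.35
 permit 192.0.2.7
snmp-server community ourCommStr RO NMS_LIST
snmp-server community legacy RO
snmp-server group NOC v3 priv read VIEW_ALL write VIEW_LIMIT access NMS_LIST
snmp-server group ADMIN_GROUP v3 priv read VIEW_ALL write VIEW_ALL access ADMIN_LIST
snmp-server group OPEN_GROUP v3 priv read VIEW_ALL
snmp-server host 10.1.1.24 version 3 priv TRAP_NMS1
snmp-server host 203.0.113.9 trap_comm_string
"""


def parse_standard_acls(config):
    """Map ACL name -> [(action, ip_network)] for named standard ACLs.
    Numbered ACLs (access-list 10 ...) are not parsed."""
    acls, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_HEADER.match(line):
            current = m.group(1)
            acls[current] = []
        elif (ace := ACE.match(line)) and current is not None:
            action, host, wildcard = ace.groups()
            if host == "any":
                net = ipaddress.ip_network("0.0.0.0/0")
            elif wildcard:  # a Cisco wildcard is the bitwise inverse of a subnet mask
                mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
                net = ipaddress.ip_network(f"{host}/{mask}", strict=False)
            else:
                net = ipaddress.ip_network(f"{host}/32")
            acls[current].append((action, net))
        elif line and not line.startswith("remark"):
            current = None  # any other command ends the ACL block
    return acls


def snmp_subject_and_acl(tokens):
    """Classify an snmp-server community/group line as (subject, acl or None)."""
    if tokens[:2] == ["snmp-server", "community"] and len(tokens) > 2:
        # community NAME [view VIEW] [RO|RW] [ipv6 ACL6] [ACL]
        rest = tokens[3:]
        last = rest[-1] if rest else None
        prev = rest[-2] if len(rest) > 1 else None
        acl = last if last not in (None, "RO", "RW") and prev not in ("view", "ipv6") else None
        return f"community {tokens[2]}", acl
    if tokens[:2] == ["snmp-server", "group"] and len(tokens) > 3:
        # group NAME v1|v2c|v3 ... [access [ipv6 ACL6] ACL]
        acl = None
        if "access" in tokens:
            i = tokens.index("access") + 1
            if i < len(tokens) and tokens[i] == "ipv6":
                i += 2
            acl = tokens[i] if i < len(tokens) else None
        return f"group {tokens[2]}", acl
    return None


def audit_snmp(config, mgmt_nets):
    """Return [(subject, problem)]; an empty list means the check passes."""
    mgmt = [ipaddress.ip_network(n) for n in mgmt_nets]
    acls, findings = parse_standard_acls(config), []
    inside = lambda net: any(net.version == m.version and net.subnet_of(m) for m in mgmt)
    for raw in config.splitlines():
        tokens = raw.split()
        if tokens[:2] == ["snmp-server", "host"] and len(tokens) > 2:
            try:  # notification targets must be management stations too
                ok = inside(ipaddress.ip_network(ipaddress.ip_address(tokens[2])))
            except ValueError:
                ok = False  # a hostname: resolve it and check by hand
            if not ok:
                findings.append((f"trap host {tokens[2]}", "not in the management network"))
        elif classified := snmp_subject_and_acl(tokens):
            subject, acl = classified
            if acl is None:
                findings.append((subject, "no ACL, reachable from any source"))
            elif acl not in acls:
                findings.append((subject, f"ACL {acl} is not a defined named standard ACL"))
            else:
                for action, net in acls[acl]:
                    if action == "permit" and not inside(net):
                        findings.append((subject, f"ACL {acl} permits {net}"))
    return findings
```

Calling audit_snmp(SAMPLE_CONFIG, ["10.1.1.0/24"]) returns four findings: the legacy community and OPEN_GROUP have no ACL, ADMIN_LIST permits 192.0.2.7/32, and the trap host 203.0.113.9 is outside the management network; the STIG's own lines produce none. The script does not judge v3 security levels or views, so a group using noauth or a community given to snmp-server host that the device auto-created must still be reviewed by hand.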

Fix Text (F-3046r4_fix)
Configure the network devices to only allow SNMP access from addresses belonging to the management network.