1.5.5 Set the ACL for each 'snmp-server community'

Information

This feature specifies a list of IP addresses that are allowed to use the community string to gain access to the SNMP agent.

If ACLs are not applied, then anyone with a valid SNMP community string can potentially monitor and manage the router. An ACL should be defined and applied for all SNMP access to limit access to a small number of authorized management stations segmented in a trusted management zone. If possible, use SNMPv3 which uses authentication, authorization, and data privatization (encryption).

Solution

Configure authorized SNMP community string and restrict access to authorized management systems.

hostname(config)#snmp-server community <<em>community_string</em>> ro {<em>snmp_access-list_number |
<span>snmp_access-list_name</span></em><span>}</span>

Impact:

To reduce the risk of unauthorized access, Organizations should enable access control lists for all snmp-server communities and restrict the access to appropriate trusted management zones. If possible, implement SNMPv3 to apply authentication, authorization, and data privatization (encryption) for additional benefits to the organization.

See Also

https://workbench.cisecurity.org/benchmarks/17130

Item Details

Category: ACCESS CONTROL, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|AC-17(3), 800-53|SI-7, CSCv7|11.7

Plugin: Cisco

Control ID: b86c8031b3694308b372f95f8ccaf2b9d73c4599be4fc63ffdc85245f18d62b7