1.5.1 If SNMPv2 is in use, use a Complex Community String

Information

SNMPv2 is similar to v1, aside from adding support for 64-bit counters and the ability to use complex strings.

Rationale:

Using complex community strings with SNMPv2 is no different than using complex passwords: a complex string is more difficult for an attacker to guess. Strings should not contain dictionary words or rely on 'l33t-speak' spelling. Keep in mind that SNMPv2 is a clear-text protocol and is therefore subject to interception. Community strings are passed in clear text during SNMPv2 operations and can be 'harvested' by a well-positioned attacker. SNMP results are also susceptible to capture or modification in transit.

Solution

switch(config)# snmp-server community <SomeComplexString> ro
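One way to check saved configurations against the rationale above, as an added example that is not part of the benchmark or the plugin: it pulls each `snmp-server community` string out of a config and flags short strings, strings with little character variety, and dictionary words hidden behind 'l33t-speak'. The length and character-class thresholds, the wordlist and the sample config are assumptions constructed for illustration.

```python
import re

# Assumed policy thresholds; the benchmark text sets no numbers.
MIN_LENGTH = 16
MIN_CLASSES = 3
# Small constructed wordlist; swap in a real dictionary for production use.
WORDLIST = {"public", "private", "cisco", "switch", "admin", "snmp", "monitor"}
# Undo common 'l33t-speak' substitutions before the dictionary check.
DELEET = str.maketrans("013457@$!", "oieastasi")

COMMUNITY_RE = re.compile(r"^\s*snmp-server community (\S+)", re.MULTILINE)

# Constructed sample of running-config lines (not taken from a real device).
SAMPLE_CONFIG = """\
snmp-server contact noc@example.com
snmp-server community public ro
snmp-server community Sw1tch2024 ro
snmp-server community q7#Vz!m2Lr9@xT4wKp ro
"""


def weaknesses(community):
    """Return the list of reasons a community string fails the policy."""
    reasons = []
    if len(community) < MIN_LENGTH:
        reasons.append("too short")
    classes = sum(bool(re.search(p, community))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < MIN_CLASSES:
        reasons.append("too few character classes")
    normalized = community.lower().translate(DELEET)
    if any(word in normalized for word in WORDLIST):
        reasons.append("contains dictionary word")
    return reasons


def audit(config_text):
    """Map each configured community string to its list of weaknesses."""
    return {c: weaknesses(c) for c in COMMUNITY_RE.findall(config_text)}


if __name__ == "__main__":
    for community, reasons in audit(SAMPLE_CONFIG).items():
        print(community, "->", ", ".join(reasons) or "ok")
```

A string that passes this check is still sent in clear text by SNMPv2, so the check addresses guessing only, not interception.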

See Also

https://workbench.cisecurity.org/benchmarks/6524

Item Details

Category: CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CM-1, 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|CP-6, 800-53|CP-7, 800-53|PL-8, 800-53|PM-7, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, 800-53|SC-7, CSCv7|5.1

Plugin: Cisco

Control ID: 3ac62dd401cbc09d2d439605359d82a4e3d00c049f63dcb3e456ad561289fb53