5.2 Ensure SNMPv1/2 are set to Read Only

Information

Do not allow Read-Write SNMP access for versions below SNMPv3.

Rationale:

SNMP can be used to read and write configuration information from a router using your Network Management Systems; however the inherently insecure design of the older SNMP V1, V2 and V2C standards, which do not use encryption to protect community strings, make their use for setting configuration an open invitation to an attacker.

While, by default, a JUNOS router configured for SNMP Write access provides access only to Ping or Traceroute from the router, these still provide a potential source of information about your network or avenue for further attack so should not be permitted. Additional SNMP Management Information Base (MIB) views might be configured which, were Write access permitted, would allow an attacker to disable interfaces, change routing configuration or change anything else that you might do from the command line.

If an NMS is being used to configure routers via SNMP write access it should only do so via SNMPv3, which is significantly more secure.

Solution

If you have deployed SNMP below Version 3 on your router with Read-Write access, delete the associated community using the following command under the [edit snmp] hierarchy;

[edit snmp]
user@host#delete community <community>

Alternatively you can set the communities authorization level to Read Only with the following command from the [edit snmp <community>] hierarchy;

[edit snmp]
user@host#set community <community> authorization read-only

Default Value:

No SNMP communities are set by default on most platforms.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2, CSCv7|4

Plugin: Juniper

Control ID: dd3ff25d654ae2cb9845d4a18786989f3a55c3b94bb91a0ce1d50b043e6bcad3