5.3 Ensure a client list is set for SNMPv1/v2 communities

Information

Limit clients to access SNMP.

Rationale:

Even when limited to read only access, SNMP can provide an attacker with a wealth of information about your router and network topology.

To limit the potential for attacks against your routers SNMP service you should limit the IP addresses that are permitted to connect using a client-list. This ensure that individual community strings are used to authenticate only by the systems in the list, providing granular access control that should be applied in addition to any firewall filter.

Solution

To configure a client list issue the following command under the [edit snmp] hierarchy;

[edit snmp]
user@host#edit client-list <client list name>

[edit snmp client-list <client list name>]
user@host#set default restrict
user@host#set <ip address/range>
user@host#set <ip address> restrict #optionally add exceptions
user@host#up 1

[edit snmp]
user@host#edit community <community name>

[edit snmp community <community name>]
user@host#set client-list-name <community name>

The set default restrict is covered in detail in the next recommendation.
Additional IP Addresses may be permitted by repeating the set <ip address/range> command as needed.
Optionally, addresses that you wish to deny from within a permitted range previously set can be configured with the set <ip address> restrict command.
Note - Client-lists may also be defined directly under the [edit snmp community <community name> clients] hierarchy for use within the specified community with the same effect, but for ease of management and audit, the first method is preferred.

Default Value:

No SNMP communities are set by default on most platforms.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-3, 800-53|SC-7(15), CSCv7|4.6, CSCv7|11.7

Plugin: Juniper

Control ID: b33506007f871456d451fca3fcb69d9a09d56ae6387ac91e24bbd3b125735b9f