5.7 Ensure SHA1 is set for SNMPv3 authentication

Information

Do not allow unauthenticated SNMPv3 access.

Rationale:

SNMPv3 provides much improved security over previous versions by offering options for Authentication and Encryption of messages. Authentication in SNMPv3 is performed using Keyed-Hash Message Authentication Code or HMAC. This technique uses a cryptographic hash function in combination with a secret key to authenticate and ensure the integrity of a given message.

JUNOS supports the MD5 and SHA1 hash functions for use in SNMPv3 authentication. MD5 is an older protocol which has shown significant vulnerability in recent years, so the more recent and more trusted SHA1 should be used.

Solution

For each SNMPv3 user created on your router add privacy options by issuing the following command from the [edit snmp v3 usm local-engine] hierarchy;

[edit snmp v3 usm local-engine]
user@host#set user <username> authentication-sha authentication-password <password>

Default Value:

No SNMP communities are set by default on most platforms.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5, 800-53|IA-5(1), CSCv7|16.4

Plugin: Juniper

Control ID: 7c252528ddb2350263be0e6d0585108c3c2788f43ae274216617bfef1bb3cb06