NET0894 - Network element must only allow SNMP read access - 'community RW'

Information

The network device must only allow SNMP read-only access.

Enabling write access to the device via SNMP provides a mechanism that can be exploited by an attacker to set configuration variables that can disrupt network operations. With SNMPv1 and v2c the community string is the only credential and is sent in cleartext, so a sniffed or guessed read-write community string gives an attacker full write access to the device.

Review the network device configuration and verify SNMP community strings are read-only when using SNMPv1, v2c, or basic v3 (no authentication or privacy). Write access may be used if authentication is configured when using SNMPv3. If write access is used with SNMPv1, v2c, or SNMPv3 in noAuthNoPriv mode and there is no documented approval by the IAO, this is a finding.

Solution

Configure the network device to allow for read-only SNMP access when using SNMPv1, v2c, or basic v3 (no authentication or privacy). Write access may be used if authentication is configured when using SNMPv3.
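The following is an added example, not Tenable's plugin code or text from the STIG, that implements the check above against a Cisco IOS running-config and then produces the read-only configuration the solution calls for. The sample config is constructed for this example; the regular expressions cover the common forms of "snmp-server community" (where RO is the IOS default when neither RO nor RW is given) and "snmp-server group", and the function and class names are hypothetical.

```python
"""
NET0894-style check: flag SNMP write access granted over SNMPv1, SNMPv2c, or
SNMPv3 noAuthNoPriv in a Cisco IOS running-config, and emit a hardened copy.
Hypothetical checker written for this page; not Tenable's plugin code.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample running-config (not captured from a real device).
SAMPLE_CONFIG = """\
hostname rtr-edge-01
!
snmp-server community public RO 10
snmp-server community private RW 10
snmp-server community ops-legacy
snmp-server community netmgmt view restricted RW
snmp-server group MONITOR v3 priv read v1default
snmp-server group LEGACYWRITE v2c write v1default access 10
snmp-server group OPSWRITE v3 noauth read v1default write v1default
snmp-server group SECWRITE v3 auth read v1default write v1default access 11
snmp-server user nmsadmin SECWRITE v3 auth sha S3cretAuth priv aes 128 S3cretPriv
!
end
"""


@dataclass(frozen=True)
class Finding:
    line_no: int
    line: str
    reason: str


# snmp-server community <string> [view <view>] [RO|RW] [acl]   (RO is the IOS default)
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<name>\S+)(?: view \S+)?(?: (?P<mode>ro|rw))?(?: \S+)?$",
    re.IGNORECASE,
)
# snmp-server group <name> v1|v2c|v3 [auth|noauth|priv] [read <v>] [write <v>] [notify <v>] [access <acl>]
GROUP_RE = re.compile(
    r"^snmp-server group (?P<name>\S+) (?P<ver>v1|v2c|v3)(?: (?P<level>auth|noauth|priv))?(?P<rest>.*)$",
    re.IGNORECASE,
)
WRITE_VIEW_RE = re.compile(r"\s+write\s+\S+", re.IGNORECASE)


def check_snmp_write_access(config: str) -> list[Finding]:
    """Return one Finding per line that grants SNMP write access without authentication."""
    findings: list[Finding] = []
    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        m = COMMUNITY_RE.match(line)
        if m:
            # v1/v2c community strings: RW is a finding regardless of any ACL.
            if (m.group("mode") or "RO").upper() == "RW":
                findings.append(Finding(n, line, "v1/v2c community string grants RW"))
            continue
        m = GROUP_RE.match(line)
        if m and WRITE_VIEW_RE.search(m.group("rest")):
            ver, level = m.group("ver").lower(), (m.group("level") or "").lower()
            if ver in ("v1", "v2c"):
                findings.append(Finding(n, line, f"{ver} group has a write view"))
            elif level == "noauth":
                # v3 auth/priv groups with a write view are permitted by the STIG.
                findings.append(Finding(n, line, "v3 noAuthNoPriv group has a write view"))
    return findings


def harden_snmp_config(config: str) -> str:
    """Rewrite flagged lines to read-only; authenticated v3 write access is left as-is."""
    flagged = {f.line_no for f in check_snmp_write_access(config)}
    out = []
    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        m = COMMUNITY_RE.match(line)
        if n not in flagged:
            out.append(raw)
        elif m:
            s, e = m.span("mode")          # replace only the RW keyword, not the string
            out.append(line[:s] + "RO" + line[e:])
        else:
            out.append(WRITE_VIEW_RE.sub("", raw))  # drop "write <view>" from the group
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for f in check_snmp_write_access(SAMPLE_CONFIG):
        print(f"line {f.line_no}: {f.reason}: {f.line}")
    print(harden_snmp_config(SAMPLE_CONFIG))
```

On the sample config the checker flags the "private" and "netmgmt" RW community strings, the v2c group with a write view, and the v3 noauth group with a write view, while the v3 auth group SECWRITE (used by the authenticated user nmsadmin) passes. Re-running the check over the hardened output returns no findings. A flagged line is still compliant if the IAO has documented approval for it, which a script cannot see; treat the output as a worklist, not a verdict.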

See Also

https://iasecontent.disa.mil/stigs/zip/U_Network_Perimeter_Router_L3_Switch_V8R32_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6, CAT|II, Rule-ID|SV-3969r5_rule, STIG-ID|NET0894, Vuln-ID|V-3969

Plugin: Cisco

Control ID: b7d98e472efca6d2c93a8345463ba0f2ba1c8baec1d4164e9350df769a54868f