JUNI-ND-001130 - The Juniper router must be configured to encrypt SNMP messages using a FIPS 140-2 approved algorithm - privacy-aes128

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Without the strong encryption that is provided by the SNMP Version 3 User-based Security Model (USM), an unauthorized user can gain access to network management information that can be used to create a network outage.

Solution

Configure the router to encrypt SNMP messages using a FIPS 140-2 approved algorithm as shown in the example below.

[edit snmp]
set v3 usm local-engine user R5_NMS authentication-sha authentication-password xxxxxxxxxx
set v3 usm local-engine user R5_NMS privacy-aes128 privacy-password xxxxxxxxxx
set v3 target-address NMS_HOST address 10.1.58.2
edit v3 target-address NMS_HOST

[edit snmp v3 target-address NMS_HOST]
set address-mask 255.255.255.0
set tag-list NMS
set target-parameters TP1
exit

[edit snmp]
set v3 target-parameters TP1 parameters message-processing-model v3
set v3 target-parameters TP1 parameters security-model usm
set v3 target-parameters TP1 parameters security-name R5_NMS
set v3 target-parameters TP1 parameters security-level privacy
set v3 snmp-community index1 security-name R5_NMS tag NMS
set v3 notify SEND_TRAPS type trap tag NMS

Note: SNMPv3 security level privacy also authenticates the messages using the configured HMAC; hence, the authentication key must also be configured as shown in the example above.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_Router_Y21M02_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-17(2), CAT|II, CCI|CCI-000068, Rule-ID|SV-101265r1_rule, STIG-ID|JUNI-ND-001130, Vuln-ID|V-91165

Plugin: Juniper

Control ID: d8aa13be2ffc4e6745db11c3a0f0c7e1849acb6b659da756c538fa193066eca5