1.5.10 Require 'aes 128' as minimum for 'snmp-server user' when using SNMPv3

Information

Specify the use of a minimum of 128-bit AES algorithm for encryption when using SNMPv3.

Rationale:

SNMPv3 provides much improved security over previous versions by offering options for Authentication and Encryption of messages. When configuring a user for SNMPv3 you have the option of using a range of encryption schemes, or no encryption at all, to protect messages in transit. AES128 is the minimum strength encryption method that should be deployed.

Impact:

Organizations using SNMP can significantly reduce the risks of unauthorized access by using the 'snmp-server user' setting with appropriate authentication and privacy protocols to encrypt messages in transit.

Solution

For each SNMPv3 user created on your router, add privacy options by issuing the following command.

hostname(config)#snmp-server user {user_name} {group_name} v3 auth sha {auth_password} priv aes 128 {priv_password} {acl_name_or_number}
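As an added compliance check (not part of the benchmark or of Tenable's own audit), the Python below parses the output of `show snmp user`, which is where Cisco IOS reports SNMPv3 users because `snmp-server user` lines are not displayed in the running configuration, and flags every user whose privacy protocol is below AES128 (AES192 and AES256 exceed the floor) or whose authentication protocol is not SHA as the remediation command requires. The sample output, user names and field layout are constructed for this example.

```python
import re

# AES192/AES256 exceed the 'aes 128' floor; the remediation uses 'auth sha'.
ACCEPTABLE_PRIV = {"AES128", "AES192", "AES256"}
ACCEPTABLE_AUTH = {"SHA"}

# Constructed 'show snmp user' sample with hypothetical user names.
SAMPLE_SHOW_SNMP_USER = """\
User name: netmon
Authentication Protocol: SHA
Privacy Protocol: AES128
Group-name: ro-group

User name: legacy
Authentication Protocol: MD5
Privacy Protocol: DES
Group-name: ro-group

User name: authonly
Authentication Protocol: SHA
Privacy Protocol: None
Group-name: ro-group
"""

def parse_show_snmp_user(output: str) -> dict[str, dict[str, str]]:
    """Map each 'User name:' block to its auth/priv protocol ('NONE' if absent)."""
    users = {}
    for block in re.split(r"(?m)^User name:", output)[1:]:
        name = block.strip().splitlines()[0].strip()
        fields = {}
        for key, label in (("auth", "Authentication Protocol"),
                           ("priv", "Privacy Protocol")):
            m = re.search(rf"^{re.escape(label)}:\s*(\S+)", block, re.M)
            fields[key] = m.group(1).upper() if m else "NONE"
        users[name] = fields
    return users

def audit(output: str) -> dict[str, list[str]]:
    """Return {user: [reasons]} for every user that fails the control."""
    findings = {}
    for name, f in parse_show_snmp_user(output).items():
        reasons = []
        if f["priv"] not in ACCEPTABLE_PRIV:
            reasons.append(f"privacy protocol {f['priv']} is below AES128")
        if f["auth"] not in ACCEPTABLE_AUTH:
            reasons.append(f"authentication protocol {f['auth']} is not SHA")
        if reasons:
            findings[name] = reasons
    return findings
```

Feed it the captured text of `show snmp user` from each device; an empty result means every SNMPv3 user meets the control.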

Default Value:

SNMP username is not set by default.

See Also

https://workbench.cisecurity.org/files/3762

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(1), CSCv7|4.5

Plugin: Cisco

Control ID: 9dfb6caa8956b46401ec161c13a153c6f63fc5b1e836557cf6f6640a806c8190