1.5.5 Set the ACL for each 'snmp-server community'

Information

This feature specifies a list of IP addresses that are allowed to use the community string to gain access to the SNMP agent.

Rationale:

If ACLs are not applied, then anyone with a valid SNMP community string can potentially monitor and manage the router. An ACL should be defined and applied for all SNMP access to limit access to a small number of authorized management stations segmented in a trusted management zone. If possible, use SNMPv3 which uses authentication, authorization, and data privatization (encryption).

Impact:

To reduce the risk of unauthorized access, Organizations should enable access control lists for all snmp-server communities and restrict the access to appropriate trusted management zones. If possible, implement SNMPv3 to apply authentication, authorization, and data privatization (encryption) for additional benefits to the organization.

Solution

Configure authorized SNMP community string and restrict access to authorized management systems.

hostname(config)#snmp-server community <<em>community_string</em>> ro {<em>snmp_access-list_number |
<span>snmp_access-list_name</span></em><span>}</span>

Default Value:

No ACL is set for SNMP

See Also

https://workbench.cisecurity.org/files/3801

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(15), CSCv7|11.7

Plugin: Cisco

Control ID: 70c0b1acfafaf76c77e20ac212262a39eb61b4eedfce60c050b5150ffce465aa