5.5 Ensure SNMP Write Access is not set

Information

Do not allow Read-Write SNMP access.

Rationale:

SNMP can be used to read and write configuration information on a router from your Network Management Systems; however, the inherently insecure design of the older SNMP V1, V2 and V2C standards, which do not use encryption to protect community strings, makes their use for setting configuration an open invitation to an attacker.

Even the more recent SNMPv3, which introduces encryption, authentication and message integrity checking, does not provide support for centralized authentication, account lockout or other basic security measures applied to other methods of accessing the router. This leaves the router vulnerable to brute force attack. The use of UDP as the transport mechanism in SNMP also makes spoofing the source of an SNMP request far simpler, easing brute force or flooding attacks.

Solution

If you have deployed SNMP below Version 3 on your router with Read-Write access, delete the associated community using the following command under the [edit snmp] hierarchy:

[edit snmp]
user@host# delete community <community>

Alternatively, you can set the community's authorization level to Read Only with the following command under the [edit snmp] hierarchy:

[edit snmp]
user@host# set community <community> authorization read-only

If you have deployed SNMP Version 3 on your router with Write access, delete the write view using the following command under the [edit snmp v3 vacm access] hierarchy:

[edit snmp v3 vacm access]
user@host# delete group <group name> default-context-prefix security-model <security model> security-level <security level> write-view

Complete the sections in <> with the details configured for your group(s). This command leaves any read or notify views for the group in place. If only a write-view is configured, the group can be deleted instead.
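The following added example (not part of the CIS benchmark or the Tenable plugin) checks a Junos configuration dumped in "display set" format for the two conditions this item describes, a community with read-write authorization and an SNMPv3 group with a write-view, and prints the remediation command from the Solution above for each hit. The sample configuration is constructed; communities with no authorization statement are not flagged because Junos treats them as read-only by default.

```python
import re

# Constructed sample of "show configuration snmp | display set" output.
SAMPLE_CONFIG = """\
set snmp community monitor authorization read-only
set snmp community netmgmt authorization read-write
set snmp community legacy clients 192.0.2.0/24
set snmp v3 vacm access group ops-ro default-context-prefix security-model usm security-level privacy read-view all
set snmp v3 vacm access group ops-rw default-context-prefix security-model usm security-level privacy read-view all
set snmp v3 vacm access group ops-rw default-context-prefix security-model usm security-level privacy write-view all
"""

COMMUNITY_RW = re.compile(r"^set snmp community (\S+) authorization read-write$")
V3_WRITE_VIEW = re.compile(
    r"^set snmp v3 vacm access group (\S+) default-context-prefix "
    r"security-model (\S+) security-level (\S+) write-view (\S+)$"
)


def find_snmp_write_access(config_text):
    """Return (finding, remediation) pairs for every read-write community
    and every SNMPv3 group that has a write-view configured."""
    findings = []
    for line in config_text.splitlines():
        line = line.strip()
        m = COMMUNITY_RW.match(line)
        if m:
            community = m.group(1)
            findings.append((
                f"community '{community}' has read-write access",
                f"set snmp community {community} authorization read-only",
            ))
            continue
        m = V3_WRITE_VIEW.match(line)
        if m:
            group, model, level, view = m.groups()
            findings.append((
                f"v3 group '{group}' ({model}/{level}) has write-view '{view}'",
                f"delete snmp v3 vacm access group {group} default-context-prefix "
                f"security-model {model} security-level {level} write-view",
            ))
    return findings


def audit_passes(config_text):
    """True when no SNMP write access is configured (control 5.5 satisfied)."""
    return not find_snmp_write_access(config_text)


if __name__ == "__main__":
    for finding, fix in find_snmp_write_access(SAMPLE_CONFIG):
        print(f"FAIL: {finding}\n      remediation: {fix}")
```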

Default Value:

No SNMP communities are set by default on most platforms.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-2, 800-53|SC-8, CSCv7|4, CSCv7|14.4

Plugin: Juniper

Control ID: 2e6411007e2b6acacb0de6876a76503d1a6412b8877fb506706de15f769c2fbf