5.6 Ensure AES128 is set for all SNMPv3 users

Information

Do not allow plaintext SNMPv3 access.

Rationale:

SNMPv3 provides much improved security over previous versions by offering options for Authentication and Encryption of messages.

When configuring a user for SNMPv3 you have the option of using a range of encryption schemes, or no encryption at all, to protect messages in transit. The strongest scheme available is AES128 and this should be configured for all SNMPv3 'users' on all sensitive devices.

NOTE: SNMPv3 does not appear to be configured on the target. This check is not applicable.

Solution

For each SNMPv3 user created on your router, add privacy options by issuing the following command from the [edit snmp v3 usm local-engine] hierarchy:

[edit snmp v3 usm local-engine]
user@host# set user <username> privacy-aes128 privacy-password <password>
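The following script is an added example, not part of the CIS benchmark or the audit plugin. It reads Junos configuration in "display set" form (a constructed sample is embedded), records the privacy option of every local-engine SNMPv3 user, and reports the control as PASS, FAIL, or NOT APPLICABLE when no SNMPv3 users exist, mirroring the note above.

```python
import re
from typing import Dict, List

# Constructed sample of "show configuration snmp | display set" output (not from the page).
# Key material is a placeholder; Junos stores it as an obfuscated "$9$..." string.
SAMPLE_CONFIG = """\
set snmp v3 usm local-engine user netmon authentication-sha authentication-key "$9$PLACEHOLDER"
set snmp v3 usm local-engine user netmon privacy-aes128 privacy-key "$9$PLACEHOLDER"
set snmp v3 usm local-engine user legacy authentication-md5 authentication-key "$9$PLACEHOLDER"
set snmp v3 usm local-engine user legacy privacy-des privacy-key "$9$PLACEHOLDER"
set snmp v3 usm local-engine user readonly authentication-sha authentication-key "$9$PLACEHOLDER"
set snmp v3 usm local-engine user readonly privacy-none
set snmp v3 usm local-engine user noprivacy authentication-sha authentication-key "$9$PLACEHOLDER"
"""

# Matches the user name and the first keyword after it on each local-engine user line.
USER_RE = re.compile(r"^set snmp v3 usm local-engine user (\S+)(?: (\S+))?")
# Privacy keywords Junos accepts under "user <name>"; only privacy-aes128 satisfies the control.
PRIVACY_OPTIONS = {"privacy-aes128", "privacy-3des", "privacy-des", "privacy-none"}
REQUIRED = "privacy-aes128"


def privacy_by_user(config: str) -> Dict[str, str]:
    """Map each SNMPv3 local-engine user to its privacy option ("unset" if none configured)."""
    users: Dict[str, str] = {}
    for line in config.splitlines():
        match = USER_RE.match(line.strip())
        if not match:
            continue  # not an SNMPv3 local-engine user statement
        user, keyword = match.group(1), match.group(2)
        users.setdefault(user, "unset")
        if keyword in PRIVACY_OPTIONS:
            users[user] = keyword
    return users


def noncompliant_users(config: str) -> List[str]:
    """Users whose messages would travel without AES128 encryption."""
    return sorted(u for u, p in privacy_by_user(config).items() if p != REQUIRED)


def check_result(config: str) -> str:
    """PASS / FAIL / NOT APPLICABLE, following the audit item's semantics."""
    users = privacy_by_user(config)
    if not users:
        return "NOT APPLICABLE"  # no SNMPv3 users configured on the target
    return "FAIL" if noncompliant_users(config) else "PASS"
```

In the sample, `legacy` (DES), `readonly` (privacy-none) and `noprivacy` (no privacy statement at all) are reported; any of them is remediated with the `set user <username> privacy-aes128 ...` command shown above.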

Default Value:

No SNMP is configured by default on most platforms.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-8, CSCv7|14.4

Plugin: Juniper

Control ID: 0206a40bf6e94afd00e6b34c1052c1d5f68d4b901efe35334addf79bb211e1d3