Check: AADC-NM-000119
A10 Networks ADC NDM STIG:
AADC-NM-000119
(in version v1 r1)
Title
The A10 Networks ADC must not use SNMP Versions 1 or 2. (Cat I impact)
Discussion
SNMP Versions 1 and 2 are not considered secure. Without the strong authentication and privacy that is provided by the SNMP Version 3 User-based Security Model (USM), an unauthorized user can gain access to network management information used to launch an attack against the network. SNMP Versions 1 and 2 cannot authenticate the source of a message nor can they provide encryption. Without authentication, it is possible for unauthorized users to exercise SNMP network management functions. It is also possible for unauthorized users to eavesdrop on management information as it passes from managed systems to the management system. The A10 Networks ADC platforms support SNMPv3. The SNMP service is disabled by default and all traps are disabled by default. SNMP and SNMP trap are disabled on all data interfaces. Use the enable-management command to enable SNMP on the management interface. The OID for A10 Networks A10 Thunder Series and AX Series objects is 1.3.6.1.4.1.22610. Note: A10 Networks devices do not support SNMP “write” commands; this reduces the risk of the device configuration being modified by SNMP.
Check Content
Review the device configuration. The following command shows the running configuration and filters the output on the string "snmp-server": show run | inc snmp-server If the output shows servers using SNMPv1 or SNMPv2, this is a finding.
Fix Text
The following commands enable SNMP and SNMP traps: snmp-server enable snmp-server enable traps Note: This will enable sending all traps. The following command sets Unique engineID: snmp-server engineID [hex-string] The commands below define SNMP OIDs to include when discovering the device via an SNMPv3 manager. The following command defines the group view: snmp-server view [view-name] 1.3.6 included The following command defines SNMPv3 user-based groups: snmp-server user [username] group [groupname] v3 [auth [md5 | sha] password [encrypted]]: Note: Use the SHA option since MD5 is not compliant. The following command defines the SNMPv3 console: snmp host [IP_address] version v3 user [name] udp-port 162 The following command enables SNMP on the management interface: enable-management service snmp management
Additional Identifiers
Rule ID: SV-82579r1_rule
Vulnerability ID: V-68089
Group Title: SRG-APP-000412-NDM-000331
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-003123 |
The information system implements cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications. |
Controls
Number | Title |
---|---|
MA-4 (6) |
Cryptographic Protection |