Title

The Cisco ISE must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services. (Cat I impact)

Discussion

Changes to any software components of the network device can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals should be allowed administrative access to the network device for implementing any changes or upgrades. If the network device were to enable non-authorized users to make changes to software libraries, those changes could be implemented without undergoing testing, validation, and approval.

Check Content

If an SNMP stanza does not exist, this is not a finding. 1. Use the command line interface to view the current SNMP configuration. show startup-config 2. Search for the keyword SNMP. If versions earlier than SNMPv3 are enabled, this is a finding. If SNMPv3 is not configured to meet DoD requirements, this is a finding.

Fix Text

If SNMP is used by the organization, then SNMP is configured at the command line interface. To disable SNMPv1 and SNMPv2c if enabled type the remove the group with the following command. no snmp-server group <community> v1 To enable the SNMPv3 server on Cisco ISE, use the snmp-server enable command in global configuration mode. 1. snmp-server enable 2. snmp-server user <username> v3 hash <auth-password> <priv-password> 3. snmp-server host {ip-address | hostname} trap version 3 username engine_ID hash <auth-password> <priv-password>

Additional Identifiers

Rule ID: SV-242640r879588_rule

Vulnerability ID: V-242640

Group Title: SRG-APP-000142-NDM-000245

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.