STIGQter: STIG Summary: Juniper Router NDM Security Technical Implementation Guide Version: 1 Release: 5 Benchmark Date: 24 Jul 2020:

The Juniper router must be configured to authenticate SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC).

DISA Rule

SV-101263r1_rule

Vulnerability Number

V-91163

Group Title

SRG-APP-000395-NDM-000310

Rule Version

JUNI-ND-001120

Severity

CAT II

CCI(s)

• CCI-001967 - The information system authenticates organization-defined devices and/or types of devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.

Weight

10

Fix Recommendation

Configure the router to authenticate SNMP messages as shown in the example below.

[edit snmp]
set v3 usm local-engine user R5_NMS authentication-sha authentication-password xxxxxxxxxx
set v3 target-address NMS_HOST address x.x.x.x

edit v3 target-address NMS_HOST
[edit snmp v3 target-address NMS_HOST]
set address-mask 255.255.255.0
set tag-list NMS
set target-parameters TP1
exit

[edit snmp]
set v3 target-parameters TP1 parameters message-processing-model v3
set v3 target-parameters TP1 parameters security-model usm
set v3 target-parameters TP1 parameters security-name R5_NMS
set v3 target-parameters TP1 parameters security-level authentication
set v3 snmp-community index1 security-name R5_NMS tag NMS
set v3 notify SEND_TRAPS type trap tag NMS

Check Contents

Review the router configuration to verify that it is compliant with this requirement as shown in the example below.

snmp {
v3 {
usm {
local-engine {
user R5_NMS {
authentication-sha {
authentication-key "$8$vOiLX-Vb2oaUwsJDiHmPz3690BcSevM"; ## SECRET-DATA
}
}
}
}
target-address NMS_HOST {
address x.x.x.x;
address-mask 255.255.255.0;
tag-list NMS;
target-parameters TP1;
}
target-parameters TP1 {
parameters {
message-processing-model v3;
security-model usm;
security-level authentication;
security-name R5_NMS;
}
}
notify SEND_TRAPS {
type trap;
tag NMS;
}
snmp-community index1 {
security-name R5_NMS;
tag NMS;
}
}
}

If the router is not configured to authenticate SNMP messages using a FIPS-validated HMAC, this is a finding.

Vulnerability Number

V-91163

Documentable

False

Rule Version

JUNI-ND-001120

Severity Override Guidance

Review the router configuration to verify that it is compliant with this requirement as shown in the example below.

snmp {
v3 {
usm {
local-engine {
user R5_NMS {
authentication-sha {
authentication-key "$8$vOiLX-Vb2oaUwsJDiHmPz3690BcSevM"; ## SECRET-DATA
}
}
}
}
target-address NMS_HOST {
address x.x.x.x;
address-mask 255.255.255.0;
tag-list NMS;
target-parameters TP1;
}
target-parameters TP1 {
parameters {
message-processing-model v3;
security-model usm;
security-level authentication;
security-name R5_NMS;
}
}
notify SEND_TRAPS {
type trap;
tag NMS;
}
snmp-community index1 {
security-name R5_NMS;
tag NMS;
}
}
}

If the router is not configured to authenticate SNMP messages using a FIPS-validated HMAC, this is a finding.

Check Content Reference

M

Target Key

3381

Comments