STIGQter: STIG Summary: Cisco NX-OS Switch NDM Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

The Cisco switch must be configured to authenticate SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC).

DISA Rule

SV-220500r604141_rule

Vulnerability Number

V-220500

Group Title

SRG-APP-000395-NDM-000310

Rule Version

CISC-ND-001130

Severity

CAT II

CCI(s)

• CCI-001967 - The information system authenticates organization-defined devices and/or types of devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.

Weight

10

Fix Recommendation

Configure the Cisco switch to authenticate SNMP messages as shown in the example below:

SW1(config)# snmp-server user NETOPS auth sha xxxxxxxxxxxxxxxxx
SW1(config)# snmp-server host 10.1.48.10 traps version 3 auth NETOPS

Check Contents

Review the Cisco switch configuration to verify that it is compliant with this requirement as shown in the example below:

snmp-server user NETOPS network-operator auth sha 0xb40efa3f311006de39b9d0725e663277d84ca332 localizedkey
snmp-server host 10.1.48.10 traps version 3 auth NETOPS

Authentication used by the SNMP users can be viewed via the show snmp user command as shown in the example below:

SW1# show snmp user
______________________________________________________________
SNMP USERS
______________________________________________________________

User Auth Priv(enforce) Groups acl_filter
____ ____ ___________ ______ __________
NETOPS sha no network-operator

If the Cisco switch is not configured to authenticate SNMP messages using a FIPS-validated HMAC, this is a finding.

Vulnerability Number

V-220500

Documentable

False

Rule Version

CISC-ND-001130

Severity Override Guidance

Review the Cisco switch configuration to verify that it is compliant with this requirement as shown in the example below:

snmp-server user NETOPS network-operator auth sha 0xb40efa3f311006de39b9d0725e663277d84ca332 localizedkey
snmp-server host 10.1.48.10 traps version 3 auth NETOPS

Authentication used by the SNMP users can be viewed via the show snmp user command as shown in the example below:

SW1# show snmp user
______________________________________________________________
SNMP USERS
______________________________________________________________

User Auth Priv(enforce) Groups acl_filter
____ ____ ___________ ______ __________
NETOPS sha no network-operator

If the Cisco switch is not configured to authenticate SNMP messages using a FIPS-validated HMAC, this is a finding.

Check Content Reference

M

Target Key

4066

Comments