STIGQter: STIG Summary: WLAN Controller Security Technical Implementation Guide (STIG) Version: 6 Release: 15 Benchmark Date: 26 Apr 2019:

The network device must use SNMP Version 3 Security Model with FIPS 140-2 validated cryptography for any SNMP agent configured on the device.

DISA Rule

SV-3196r4_rule

Vulnerability Number

V-3196

Group Title

An insecure version of SNMP is being used.

Rule Version

NET1660

Severity

CAT I

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

If SNMP is enabled, configure the network device to use SNMP Version 3 Security Model with FIPS 140-2 validated cryptography (i.e., SHA authentication and AES encryption).

Check Contents

Review the device configuration to verify it is configured to use SNMPv3 with both SHA authentication and privacy using AES encryption.

Downgrades:
If the site is using Version 1 or Version 2 with all of the appropriate patches and has developed a migration plan to implement the Version 3 Security Model, this finding can be downgraded to a Category II.

If the targeted asset is running SNMPv3 and does not support SHA or AES, but the device is configured to use MD5 authentication and DES or 3DES encryption, then the finding can be downgraded to a Category III.

If the site is using Version 1 or Version 2 and has installed all of the appropriate patches or upgrades to mitigate any known security vulnerabilities, this finding can be downgraded to a Category II. In addition, if the device does not support SNMPv3, this finding can be downgraded to a Category III provided all of the appropriate patches to mitigate any known security vulnerabilities have been applied and has developed a migration plan that includes the device upgrade to support Version 3 and the implementation of the Version 3 Security Model.

If the device is configured to use to anything other than SNMPv3 with at least SHA-1 and AES, this is a finding. Downgrades can be determined based on the criteria above.

Vulnerability Number

V-3196

Documentable

False

Rule Version

NET1660

Severity Override Guidance

Review the device configuration to verify it is configured to use SNMPv3 with both SHA authentication and privacy using AES encryption.

Downgrades:
If the site is using Version 1 or Version 2 with all of the appropriate patches and has developed a migration plan to implement the Version 3 Security Model, this finding can be downgraded to a Category II.

If the targeted asset is running SNMPv3 and does not support SHA or AES, but the device is configured to use MD5 authentication and DES or 3DES encryption, then the finding can be downgraded to a Category III.

If the site is using Version 1 or Version 2 and has installed all of the appropriate patches or upgrades to mitigate any known security vulnerabilities, this finding can be downgraded to a Category II. In addition, if the device does not support SNMPv3, this finding can be downgraded to a Category III provided all of the appropriate patches to mitigate any known security vulnerabilities have been applied and has developed a migration plan that includes the device upgrade to support Version 3 and the implementation of the Version 3 Security Model.

If the device is configured to use to anything other than SNMPv3 with at least SHA-1 and AES, this is a finding. Downgrades can be determined based on the criteria above.

Check Content Reference

M

Responsibility

Information Assurance Officer

Target Key

1538

Comments