Free DISA STIG and SRG Library | Vaulted

V-220501

The Cisco switch must be configured to encrypt SNMP messages using a FIPS 140-2 approved algorithm.

Finding ID
CISC-ND-001140
Rule ID
SV-220501r604141_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000395-NDM-000310
CCI
CCI-000068
Target Key
(None)
Documentable
No
Discussion

Without the strong encryption that is provided by the SNMP Version 3 User-based Security Model (USM), an unauthorized user can gain access to network management information that can be used to create a network outage.

Fix Text

Configure the Cisco switch to encrypt SNMP messages using a FIPS 140-2 approved algorithm as shown in the example below: SW1(config)# snmp-server user NETOPS auth sha xxxxxxxxxxxxx priv aes-128 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Check Content

Review the Cisco switch configuration to verify that it is compliant with this requirement as shown in the example below: snmp-server user NETOPS auth sha 5Er23@#as178 priv aes-128 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Encryption used by the SNMP users can be viewed via the show snmp user command as shown in the example below: SW1# show snmp user ______________________________________________________________ SNMP USERS ______________________________________________________________ User Auth Priv(enforce) Groups acl_filter ____ ____ ___________ ______ __________ NETOPS sha aes-128 network-operator If the Cisco switch is not configured to encrypt SNMP messages using a FIPS 140-2 approved algorithm, this is a finding.