The Juniper SRX Services Gateway must securely configure SNMPv3 with privacy options to protect the confidentiality of nonlocal maintenance and diagnostic communications using SNMP.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
high	V-223226	SRG-APP-000412-NDM-000331	JUSX-DM-000149	SV-223226r1056109_rule	2024-12-20	3

Description
Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Nonlocal maintenance and diagnostic activities are activities conducted by individuals communicating through an external network (e.g., the internet) or internal network. To protect the confidentiality of nonlocal maintenance sessions, SNMPv3 with AES encryption must be configured to provide confidentiality. The Juniper SRX allows the use of SNMPv3 to monitor or query the device in support of diagnostics information. SNMP cannot be used to make configuration changes; however, it is a valuable diagnostic tool. SNMP is disabled by default and must be enabled for use. SNMPv3 is the DOD-required version but must be configured to be used securely.

Description

Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Nonlocal maintenance and diagnostic activities are activities conducted by individuals communicating through an external network (e.g., the internet) or internal network. To protect the confidentiality of nonlocal maintenance sessions, SNMPv3 with AES encryption must be configured to provide confidentiality. The Juniper SRX allows the use of SNMPv3 to monitor or query the device in support of diagnostics information. SNMP cannot be used to make configuration changes; however, it is a valuable diagnostic tool. SNMP is disabled by default and must be enabled for use. SNMPv3 is the DOD-required version but must be configured to be used securely.

ℹ️ Check
Verify SNMPv3 is configured with privacy options. [edit] show snmp v3 If SNMPv3 is not configured using AES, and other privacy options are not configured, this is a finding.

✔️ Fix
Configure SNMP to use version 3 with privacy options. The following is an example. [edit] set snmp location <NAME> set snmp v3 usm local-engine user <NAME> privacy-AES128 set snmp v3 vacm security-to-group security-model usm security-name <NAME> group <NAMEGROUP> set snmp v3 vacm access group <NAME-GROUP> default-context-prefix security-model usm security-level privacy read-view all set snmp v3 vacm access group <NAME-GROUP> default-context-prefix security-model usm security-level privacy notify-view all

✔️ Fix

Configure SNMP to use version 3 with privacy options. The following is an example. [edit] set snmp location <NAME> set snmp v3 usm local-engine user <NAME> privacy-AES128 set snmp v3 vacm security-to-group security-model usm security-name <NAME> group <NAMEGROUP> set snmp v3 vacm access group <NAME-GROUP> default-context-prefix security-model usm security-level privacy read-view all set snmp v3 vacm access group <NAME-GROUP> default-context-prefix security-model usm security-level privacy notify-view all