VID | 29151
Severity | 40
Port | 22
Protocol | TCP
Class | CISCO
Detailed Description |
The Cisco IOS device does not apply an ACL to its SNMP community strings. Without an ACL, anyone who knows a valid SNMP community string can monitor and manage the router. An ACL should be defined and applied to every SNMP community string so that access is limited to a small number of authorized management stations.
* Platforms Affected: CISCO IOS |
Recommendation |
Apply an SNMP access control list as follows. Allow only specific hosts to reach SNMP (ports 161 and 162) by using an access list:

    Router# config terminal
    Router(config)# access-list 100 permit ip host 100.100.100.100 any
    Router(config)# access-list 100 deny udp any any eq snmp
    Router(config)# access-list 100 deny udp any any eq snmptrap
    Router(config)# access-list 100 permit ip any any

Then apply the access list inbound on the interface that receives SNMP traffic:

    Router(config)# interface serial 0
    Router(config-if)# ip access-group 100 in

On a switch, apply it to the VLAN interface instead:

    Router(config)# interface vlan1
    Router(config-if)# ip access-group 100 in |