The Riverbed NetIM must be configured to authenticate SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC).
| Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-275488 | SRG-APP-000395-NDM-000310 | RIIM-DM-000049 | SV-275488r1147514_rule | 2025-09-29 | 1 |
| Description |
|---|
| Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk. The IP Detection Service tracks IP addresses (IPs) in the network and allows a user to query an IP address to determine the switch port to which a network device is connected. SNMP access to devices and a read-only community string (or equivalent SNMP v3 credentials) are required for the IP Detection Service to function. Community strings/credentials stored on NetIM are encrypted. |
| ℹ️ Check |
|---|
| Verify NetIM is configured to authenticate SNMP messages using a FIPS-validated HMAC.<br><br>1. In the GUI, navigate to Configure >> All Settings >> Discover >> Global Discovery Settings.<br>2. Click "SNMP v3 Credentials".<br>3. In the Add SNMP v3 Credentials box, verify the following is configured:<br>Security Level menu = AUTH_PRIV<br>Auth Protocol = `<protocol>`<br>Where `<protocol>` is one of the following for Auth Protocol: HMAC192_SHA256, HMAC256_SHA384, or HMAC384_SHA512<br>Priv Protocol = `<cipher_protocol>`<br>Where `<cipher_protocol>` is one of the following for Priv Protocol: CFB_AES_192, CFB_AES_256<br><br>If SNMP messages are not authenticated using a FIPS-validated HMAC, this is a finding. |
| ✔️ Fix |
|---|
| Configure NetIM to authenticate SNMP messages using a FIPS-validated HMAC.<br><br>1. In the GUI, navigate to Configure >> All Settings >> Discover >> Global Discovery Settings.<br>2. Click "SNMP v3 Credentials".<br>3. In the Add SNMP v3 Credentials box, select the following:<br>Security Level menu = AUTH_PRIV<br>Auth Protocol = `<protocol>`<br>Where `<protocol>` is one of the following for Auth Protocol: HMAC192_SHA256, HMAC256_SHA384, or HMAC384_SHA512<br>Priv Protocol = `<cipher_protocol>`<br>Where `<cipher_protocol>` is one of the following for Priv Protocol: CFB_AES_192, CFB_AES_256<br><br>Note: FIPS compliance requires Version 2.10 or higher and an Ubuntu Pro license, both of which are covered in other CAT 1 requirements. |
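The check and fix above reduce to one rule: every SNMPv3 credential must use AUTH_PRIV with one of the three HMAC-SHA-2 auth protocols and one of the two AES priv protocols. The following Python is an added example, not Riverbed code and not part of the STIG: it audits a list of credential records against that rule and shows what the protocol names mean in practice, computing the truncated HMAC that the RFC 7860 SNMPv3 authentication protocols produce (HMAC192_SHA256 is HMAC-SHA-256 truncated to 192 bits, HMAC256_SHA384 is HMAC-SHA-384 truncated to 256 bits, HMAC384_SHA512 is HMAC-SHA-512 truncated to 384 bits). The credential records, their field names, the non-compliant values (AUTH_NO_PRIV, HMAC_SHA1, CFB_AES_128) and the raw authentication key are all constructed for the example; NetIM's export format and the USM password-to-key localization step are not modelled.

```python
import hashlib
import hmac

# Allowed values from the STIG check text (NetIM "Add SNMP v3 Credentials" box).
REQUIRED_SECURITY_LEVEL = "AUTH_PRIV"
FIPS_AUTH_PROTOCOLS = {"HMAC192_SHA256", "HMAC256_SHA384", "HMAC384_SHA512"}
FIPS_PRIV_PROTOCOLS = {"CFB_AES_192", "CFB_AES_256"}

# RFC 7860 HMAC-SHA-2 authentication protocols: underlying hash and truncated MAC
# length in bytes. Assumption: NetIM's names follow the RFC naming HMAC<bits>_<hash>.
HMAC_PARAMS = {
    "HMAC192_SHA256": (hashlib.sha256, 24),
    "HMAC256_SHA384": (hashlib.sha384, 32),
    "HMAC384_SHA512": (hashlib.sha512, 48),
}


def check_credential(cred: dict) -> list:
    """Return the findings for one credential record; an empty list means compliant."""
    name = cred.get("name", "<unnamed>")
    findings = []
    level = cred.get("security_level")
    if level != REQUIRED_SECURITY_LEVEL:
        findings.append(f"{name}: security level {level!r} is not {REQUIRED_SECURITY_LEVEL}")
    auth = cred.get("auth_protocol")
    if auth not in FIPS_AUTH_PROTOCOLS:
        findings.append(f"{name}: auth protocol {auth!r} is not a FIPS-validated HMAC")
    priv = cred.get("priv_protocol")
    if priv not in FIPS_PRIV_PROTOCOLS:
        findings.append(f"{name}: priv protocol {priv!r} is not CFB_AES_192/CFB_AES_256")
    return findings


def audit(credentials: list) -> dict:
    """Map each credential name to its list of findings."""
    return {c.get("name", "<unnamed>"): check_credential(c) for c in credentials}


def usm_auth_param(protocol: str, auth_key: bytes, message: bytes) -> bytes:
    """Compute the truncated HMAC that the named RFC 7860 protocol places in msgAuthenticationParameters.

    auth_key is assumed to be the already-localized USM key (password-to-key
    derivation with the engine ID is out of scope here).
    """
    digest_fn, mac_len = HMAC_PARAMS[protocol]
    return hmac.new(auth_key, message, digest_fn).digest()[:mac_len]


def verify_auth_param(protocol: str, auth_key: bytes, message: bytes, received: bytes) -> bool:
    """Constant-time comparison of the received MAC against a freshly computed one."""
    return hmac.compare_digest(usm_auth_param(protocol, auth_key, message), received)


# Constructed credential records; only the first one satisfies the STIG rule.
SAMPLE_CREDENTIALS = [
    {"name": "core-switches", "security_level": "AUTH_PRIV",
     "auth_protocol": "HMAC192_SHA256", "priv_protocol": "CFB_AES_256"},
    {"name": "legacy-printers", "security_level": "AUTH_NO_PRIV",
     "auth_protocol": "HMAC192_SHA256", "priv_protocol": None},
    {"name": "branch-routers", "security_level": "AUTH_PRIV",
     "auth_protocol": "HMAC_SHA1", "priv_protocol": "CFB_AES_128"},
]

if __name__ == "__main__":
    for cred_name, findings in audit(SAMPLE_CREDENTIALS).items():
        status = "compliant" if not findings else "FINDING"
        print(f"{cred_name}: {status}")
        for f in findings:
            print(f"  - {f}")

    # Constructed key and message to illustrate the truncated-MAC lengths.
    key = bytes(range(32))
    msg = b"constructed SNMPv3 message bytes"
    for proto in HMAC_PARAMS:
        print(f"{proto}: {len(usm_auth_param(proto, key, msg))}-byte MAC")
```

Running it lists the two non-compliant records with the specific field that causes the finding, and prints a 24, 32 and 48-byte MAC for the three protocols, which is the concrete meaning of the 192/256/384 in their names.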