SNMP and Security
Many customers say that SNMP is not secure and ask whether there is another way to monitor. SNMPv3 is more secure, but it is not supported on many devices.
The Simple Network Management Protocol (SNMP) defines a method by which a Network Management System (NMS), such as WhatsUp Gold, can view management information for a device (router, switch, server, etc.).
SNMP is based on three concepts: managers, agents, and the Management Information Base (MIB). In any configuration, at least one manager node runs SNMP management software. Network devices to be managed, such as bridges, routers, servers, and workstations, are equipped with an agent software module. The agent is responsible for providing access to a local MIB of objects that reflects the resources and activity at its node.
SNMP Community Strings
The community string acts as a type of password for SNMP. Community strings are stored in the SNMP configuration of the SNMP client (the agent on the device), and it will only respond to SNMP requests from an NMS if the requesting IP packet contains a matching community string.
To get information from SNMP-enabled devices, we only need read-only access: no SNMP management (writing) is allowed with this community. SNMP information can be returned to the NMS, but it cannot be modified.
SNMP Versions
Neither SNMPv1 nor SNMPv2 offers security features. Specifically, SNMPv1/v2 can neither authenticate the source of a management message nor provide encryption. Without authentication or encryption, unauthorized users can eavesdrop on management information as it passes from managed systems to the management system.
SNMPv3 primarily added security and remote-configuration enhancements to SNMP:
- It encrypts the packets to prevent snooping by an unauthorized source.
- It requires authentication to verify that the message is from a valid source.
Securing the SNMP connection
1. Read only
Because of these deficiencies, many SNMPv1/v2 implementations are limited to a read-only capability, reducing their utility to that of a network monitor; no network-control applications can be supported.
2. Access-Control List
We can secure the SNMP connection by using access-control lists. On many devices that support SNMP, a second tier of security is provided by access-control lists: a simple list of IP addresses (or DNS names) configured into the SNMP client. The network node will only respond to SNMP requests sourced from an IP address that is on the access-control list; all other SNMP requests are ignored. Access-control lists should be restricted to contain only the IP addresses of the valid NMS for each network.
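To make the two points above concrete, here is an added example (not code from the original article or from WhatsUp Gold): it BER-encodes a constructed SNMPv1 GetRequest, shows that the version and community string can be read straight out of the bytes on the wire, and models the agent-side checks the article recommends (a source-address ACL first, then a read-only community that rejects SetRequests). The OID, addresses and community values are constructed sample data.

```python
# Added example, not from the original article or WhatsUp Gold. Constructed
# SNMPv1 traffic only; OIDs, addresses and community values are sample data.
import ipaddress

VERSION_NAMES = {0: "SNMPv1", 1: "SNMPv2c", 3: "SNMPv3"}
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA3: "SetRequest"}

def tlv(tag, body):
    """BER type-length-value; short-form length only (body under 128 bytes)."""
    assert len(body) < 0x80, "long-form BER lengths not needed for this sample"
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos):
    """Return (tag, value, position after this TLV) for the short-form TLV at pos."""
    tag, length = buf[pos], buf[pos + 1]
    assert length < 0x80, "long-form BER lengths not handled here"
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def build_v1_request(community, pdu_tag=0xA0):
    """Constructed SNMPv1 request for sysDescr.0 (OID 1.3.6.1.2.1.1.1.0)."""
    oid = tlv(0x06, bytes([0x2B, 0x06, 0x01, 0x02, 0x01, 0x01, 0x01, 0x00]))
    varbind = tlv(0x30, oid + tlv(0x05, b""))          # name + NULL value
    # request-id 1, error-status 0, error-index 0, variable-bindings list
    pdu = tlv(0x02, b"\x01") + tlv(0x02, b"\x00") * 2 + tlv(0x30, varbind)
    # message: version INTEGER 0 (= SNMPv1), community OCTET STRING, PDU
    return tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, community.encode()) + tlv(pdu_tag, pdu))

def inspect_message(packet):
    """Read version, community and PDU type straight off the wire (v1/v2c layout)."""
    _, msg, _ = read_tlv(packet, 0)
    _, version, pos = read_tlv(msg, 0)
    _, community, pos = read_tlv(msg, pos)   # plain text: anyone on the path can read it
    pdu_tag, _, _ = read_tlv(msg, pos)
    return {"version": VERSION_NAMES.get(version[0], "unknown"),
            "community": community.decode(), "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag))}

def agent_decision(packet, src_ip, acl, ro_community):
    """Model the two controls from the text, in order: source ACL, then read-only community."""
    if not any(ipaddress.ip_address(src_ip) in ipaddress.ip_network(n) for n in acl):
        return "drop: source not on access-control list"
    info = inspect_message(packet)
    if info["community"] != ro_community:
        return "drop: community mismatch"
    if info["pdu"] == "SetRequest":
        return "drop: write attempted with read-only community"
    return "respond: %s from %s" % (info["pdu"], info["version"])
```

Because inspect_message needs no key or secret to recover the community string, the same recovery is available to anyone who can capture the packet, which is the reason the article limits v1/v2 to read-only communities and an NMS-only ACL.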
Summary
We can summarize all of the above in the following points:
- SNMP versions 1 and 2 transfer data as clear text, without encryption.
- SNMP version 3 added more security, including data encryption.
- WhatsUp Gold needs only read-only access to get information; write access is used only if there is a need.
- Many SNMPv1/v2 implementations are limited to a read-only capability.
- An access-control list limits which hosts can access the monitored devices.