People are always asking us about SNMP and security.
We recently ran across this quick tip from Tony Fortunato of Lovemytool.com and knew we had to share it.
While working with a client recently, Fortunato had a conversation about the potential security risks of enabling SNMP v2. He explained that, while those risks are real, how much they matter depends on how you configure SNMP and on how your network behaves with it enabled. And, ultimately, it is a temporary measure that can simply be turned off once it is no longer needed.
As Fortunato explains, there are options for making SNMP more secure:
I started to draw a simple network diagram of his network and identified that his firewalls don’t allow SNMP from the internet so that possible issue is covered.
I then showed him some Cisco configuration commands to prevent SNMP traffic from devices and networks that we can specify.
The Cisco commands look like this:
snmp-server community notpublic RO 99
The above command enables and configures the SNMP service with a read-only community string of notpublic. The 99 refers to an access list, where we control which devices have permission to perform SNMP queries.
access-list 99 permit 10.44.10.0 0.0.0.255
With this command we define that access-list 99 only allows devices from subnet 10.44.10.0.
You should test by performing an SNMP query with your network management tool to ensure that it has access, but you should also ensure that unauthorized devices do not have access.
You can get an idea of whether your access list is working with the following Cisco command:
show access-list 99
Standard IP access list 99
10 permit 10.44.10.0, wildcard bits 0.0.0.255 (684 matches)
The same points apply to Microsoft (plus WMI) or other devices.
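The checks Fortunato walks through (a non-default community string, read-only mode, and an access list that is both referenced and defined, with a specific subnet rather than a broad permit) can be applied to a saved configuration offline. The following script is an added example, not code from the original post or from Fortunato; it assumes numbered standard ACLs and plain RO/RW community lines as shown in the tip, and audits a constructed sample config for the risky patterns the text describes.

```python
import re

# Constructed sample running-config excerpt (not from the original post).
# The first community and ACL mirror the ones shown in the tip; the others are
# deliberately weak so the audit has something to flag.
SAMPLE_CONFIG = """\
snmp-server community notpublic RO 99
snmp-server community public RW
snmp-server community monitor RO 98
access-list 99 permit 10.44.10.0 0.0.0.255
access-list 98 permit any
"""

# Default strings that should never be left in production.
WELL_KNOWN_STRINGS = {"public", "private"}

def audit_snmp_config(config_text):
    """Return a list of (community, finding) tuples for risky SNMP settings."""
    acls = {}          # ACL number -> list of (action, source, wildcard)
    communities = []   # (community string, RO/RW, ACL number or None)
    for line in config_text.splitlines():
        line = line.strip()
        m = re.match(r"snmp-server community (\S+) (RO|RW)(?: (\d+))?$", line)
        if m:
            communities.append((m.group(1), m.group(2), m.group(3)))
            continue
        m = re.match(r"access-list (\d+) (permit|deny) (\S+)(?: (\S+))?$", line)
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3), m.group(4)))
    findings = []
    for name, mode, acl in communities:
        if name.lower() in WELL_KNOWN_STRINGS:
            findings.append((name, "well-known community string"))
        if mode == "RW":
            findings.append((name, "read-write access; use RO for monitoring"))
        if acl is None:
            findings.append((name, "no access-list; any source may query"))
        elif acl not in acls:
            findings.append((name, f"access-list {acl} is not defined in this config"))
        else:
            for action, src, wildcard in acls[acl]:
                # 'permit any' or an all-ones wildcard mask defeats the restriction.
                if action == "permit" and (src == "any" or wildcard == "255.255.255.255"):
                    findings.append((name, f"access-list {acl} permits any source"))
    return findings

if __name__ == "__main__":
    for community, finding in audit_snmp_config(SAMPLE_CONFIG):
        print(f"{community}: {finding}")
```

Running it against a real `show running-config` output is the same call with the file contents in place of the constructed sample.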
Fortunato goes on to say that it is important to determine how you can get more data from your devices while troubleshooting or baselining.
We hope you enjoyed this quick tip on SNMP and security!