Solved: Snmp Monitoring

mialbert · ‎06-02-2010

I have a situation where i need to do snmp monitoring from a central location to a number of remote site servers, switches, routers etc. I originally set this up via ipsec vpn's between the central site c1841 and the remote site pix 501 and 506's, and c1800's. The ipsec vpn's will renegotiate their sa's and when doing this will drop the vpn and then false positives will be generated. Have tried to resolve this with keepalives and other methods but it still happens. I've also done this through assigning a static nat translation on the remote site and opening up the router/firewall for snmp(udp 161)from our central location and this works with no issues. I'm wondering if i need to be concerned about security with this method. The data being transferred is device statistical information and status and i'm assigning the snmp level as read only on a different community name than the default. wondering if this is an accepted method and how most people do this

Calin C. · ‎06-02-2010

The situation of an attack like man in the middle is always a possibility if you transport data over Internet, even from your service provider (now I believe that you should trust your provider, honestly), but sometimes you just have to live with it. Next, very important, what information are you transferring.For you, I believe that is only some statistics not necessary confidential data. Then SNMP is UDP which is making this less prone to an attack. Then you have your SNMP with read-only rights, so even in the case that somebody is so bored that he's capturing your data, what can it do with it. Nothing.

What I would worry more, is to secure the UDP 161 port with some ACL permitting access only from your monitoring system, to avoid DDoS attacks.

Yes if would be more secure to have some tunnel over internet to collect data, but IF YOU CANNOT, than this should be fine. Most of the companies that monitor small sites, are transfering data over Internet without any secure tunnel. Big companies, have usually or the monitoring system in the Intranet.

I hope this answer to your question. Is this 100% secure and always recommended? NO, but then nothing is 100% secure and sometimes you have to live with it.

View solution in original post

Calin C. · ‎06-02-2010

The situation of an attack like man in the middle is always a possibility if you transport data over Internet, even from your service provider (now I believe that you should trust your provider, honestly), but sometimes you just have to live with it. Next, very important, what information are you transferring.For you, I believe that is only some statistics not necessary confidential data. Then SNMP is UDP which is making this less prone to an attack. Then you have your SNMP with read-only rights, so even in the case that somebody is so bored that he's capturing your data, what can it do with it. Nothing.

What I would worry more, is to secure the UDP 161 port with some ACL permitting access only from your monitoring system, to avoid DDoS attacks.

Yes if would be more secure to have some tunnel over internet to collect data, but IF YOU CANNOT, than this should be fine. Most of the companies that monitor small sites, are transfering data over Internet without any secure tunnel. Big companies, have usually or the monitoring system in the Intranet.

I hope this answer to your question. Is this 100% secure and always recommended? NO, but then nothing is 100% secure and sometimes you have to live with it.

mialbert · ‎06-02-2010

thanks calin. this is just what i was after. thanks