Is SNMP "risky"?

Unanswered Question
Aug 10th, 2010

Howdy y'all,

We monitor most of our Cisco network devices with SNMP using devmon/xymon and cacti. We do this across a dedicated network management LAN. There are a few devices, primarily FWSMs (firewall service modules) and ACEs, that do not have network management LAN connections.

Our network team is balking at enabling SNMP for these devices on our production network.

I am just looking for feedback on whether having password-protected, read-only SNMP enabled on our internal network is really risky or not. We need to be able to monitor these devices, and feel that it is not a real risk.

I am not an expert, but I am hoping some of you can chime in with your thoughts. If this has been covered before, I apologize.

Craig Schar

Unix Admin

Health and Human Services Commission

Austin, TX

rtjensen4 Tue, 08/10/2010 - 10:39

Depends on what version of SNMP you're using. If you use SNMP v2/2c, then yes, it's risky. The SNMP community string (password) along with the data in the packet are in clear text. Anyone with a sniffer can get the SNMP community string and use that to pull sensitive data from your devices. Everything from interface stats to security policies and device configs is available via SNMP. There are some steps you can take to limit what hosts can poll the device, but that doesn't protect the data in transit.

If you use SNMPv3, the risks are much lower. SNMPv3 uses user authentication (username and PW that's hashed) as well as encryption (DES). If you use these features, there's no more risk than having any other traffic on your network. You also have much more control over which OIDs can be polled when you use SNMPv3.
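The clear-text point above is easy to check for yourself on the wire. The following is an added example, not code from the original thread: a small BER walker that reads the version field of an SNMP message and, for v1/v2c, pulls the community string straight out of the datagram, while for v3 it reads the msgFlags byte to tell whether authentication and privacy (encryption) were actually negotiated. A monitoring host on the management LAN can run this over captured UDP/161 payloads to flag pollers that are still using v2c, or v3 users configured as authNoPriv (authenticated but still unencrypted). The three packets are constructed minimal messages for the demo, not captures from any real device.

```python
"""Classify SNMP datagrams by version and flag the ones whose payload is
sent in clear text (v1, v2c, and v3 without the privacy flag).

Added example for this thread; the packets below are hand-constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


def _read_tlv(buf: bytes, pos: int):
    """Read one BER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


@dataclass
class SnmpSummary:
    version: str
    cleartext: bool            # True if the PDU body travels unencrypted
    community: Optional[str]   # only present for v1 / v2c
    auth: bool                 # v3 authFlag
    priv: bool                 # v3 privFlag


def classify_snmp(packet: bytes) -> SnmpSummary:
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("SNMP message must start with a SEQUENCE")
    tag, ver, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER version field")
    version = int.from_bytes(ver, "big")

    if version in (0, 1):                  # 0 = v1, 1 = v2c
        tag, community, _ = _read_tlv(body, pos)
        if tag != 0x04:
            raise ValueError("expected OCTET STRING community")
        # Community string and PDU are both plain BER: readable by any sniffer.
        return SnmpSummary("v1" if version == 0 else "v2c", True,
                           community.decode("ascii", "replace"), False, False)

    if version == 3:
        # msgGlobalData ::= SEQUENCE { msgID, msgMaxSize, msgFlags, msgSecurityModel }
        tag, gdata, _ = _read_tlv(body, pos)
        p = 0
        _, _, p = _read_tlv(gdata, p)      # msgID
        _, _, p = _read_tlv(gdata, p)      # msgMaxSize
        _, flags, p = _read_tlv(gdata, p)  # msgFlags (1 byte)
        f = flags[0]
        auth, priv = bool(f & 0x01), bool(f & 0x02)
        return SnmpSummary("v3", not priv, None, auth, priv)

    raise ValueError(f"unknown SNMP version {version}")


def cleartext_findings(packets: List[bytes]) -> List[str]:
    """Return one human-readable finding per datagram whose payload is readable."""
    findings = []
    for pkt in packets:
        s = classify_snmp(pkt)
        if s.cleartext:
            detail = f"community={s.community!r}" if s.community else \
                     f"auth={'yes' if s.auth else 'no'} priv=no"
            findings.append(f"{s.version} in clear text ({detail})")
    return findings


# Constructed sample datagrams (not real captures):
# v2c GetRequest with community "public"
V2C_GET = bytes.fromhex(
    "3018 020101 0406 7075626c6963 a00b 020101 020100 020100 3000")
# v3 header with msgFlags = 0x03 (authPriv)
V3_AUTHPRIV = bytes.fromhex(
    "3016 020103 300d 020101 0202ffff 040103 020103 0400 3000")
# v3 header with msgFlags = 0x01 (authNoPriv): authenticated but unencrypted
V3_AUTHNOPRIV = bytes.fromhex(
    "3016 020103 300d 020101 0202ffff 040101 020103 0400 3000")

if __name__ == "__main__":
    for line in cleartext_findings([V2C_GET, V3_AUTHPRIV, V3_AUTHNOPRIV]):
        print(line)
```

Running it reports the v2c message with its community string and the v3 authNoPriv message; only the authPriv message is silent, which matches the point that it is the v3 privacy option, not the version number alone, that keeps the polled data off the wire in clear text.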


yjdabear Tue, 08/10/2010 - 19:56

It's not entirely clear between the lines, but if routers/switches are already open to SNMP, I don't understand the case against denying SNMP to firewalls or ACE-type gear. Without going to SNMPv3, all those types of devices are equally "safe" or "at risk". Maybe the network team's concern stems from the lack of an NM LAN connection on the latter.

dayar Wed, 08/11/2010 - 16:32

The moment you enable SNMP (as the name says, “Simple Network Management Protocol”) on an “un-trusted public” network, I would be nervous if I were a network/security guy.

If you have SNMP on the private LAN it’s not so much an issue, as your risk is limited and controlled. But when you allow this access to external perimeter devices like firewalls, I would think twice about the “risks and benefits”. If you must do this, and assuming you have gone through the exercise of SNMPv3 and all the security ACL restrictions and all the encryption, then you should implement or have proper logging/monitoring and alerting mechanisms in place for your perimeter devices to do proactive alerting to you if and when your SNMP is under attack or compromised.

That would be my two cents.


Daya Rajaratnam
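The "logging/monitoring and alerting" piece above can be concrete. The following is an added example, not code from the thread or from Cisco: a small detector that reads syslog lines from the perimeter devices, picks out SNMP authentication failures (the message format is modelled on the IOS `%SNMP-3-AUTHFAIL` log message), and raises an alert when one source address produces several failures against one device inside a short window, which is what a wrong-community guessing attempt looks like from the device's point of view. It assumes the devices forward syslog to the collector; the log lines, device name and addresses are constructed for the demo.

```python
"""Alert on bursts of SNMP authentication failures per (device, source).

Added example for this thread. Sample log lines are constructed, with the
message text modelled on the IOS %SNMP-3-AUTHFAIL syslog message.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Tuple

AUTHFAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<device>\S+) "
    r"%SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host (?P<src>\S+)"
)


def parse_authfail(line: str) -> Optional[Tuple[datetime, str, str]]:
    """Return (timestamp, device, source_ip) for an auth-failure line, else None."""
    m = AUTHFAIL_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; relative ordering is all we need here.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return ts, m["device"], m["src"]


def find_authfail_bursts(lines: Iterable[str], threshold: int = 3,
                         window: timedelta = timedelta(seconds=60)) -> List[Dict]:
    """Sliding-window count of failures per (device, source); alert at threshold.

    Returns one alert per offending pair with the peak failure count seen
    inside any single window.
    """
    events = [e for e in map(parse_authfail, lines) if e is not None]
    events.sort()                                   # oldest first
    recent: Dict[Tuple[str, str], deque] = defaultdict(deque)
    peak: Dict[Tuple[str, str], int] = {}
    for ts, device, src in events:
        q = recent[(device, src)]
        q.append(ts)
        while q and ts - q[0] > window:             # drop stale failures
            q.popleft()
        if len(q) >= threshold:
            peak[(device, src)] = max(peak.get((device, src), 0), len(q))
    return [{"device": d, "source": s, "failures": n}
            for (d, s), n in sorted(peak.items())]


# Constructed sample syslog (not from a real device):
# five failures from one host in ~30 s, one stray failure from the poller,
# and an unrelated line that the detector must ignore.
SAMPLE_LOG = [
    "Aug 11 16:30:01 fwsm1 %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.9.8.7",
    "Aug 11 16:30:05 fwsm1 %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.9.8.7",
    "Aug 11 16:30:12 fwsm1 %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.9.8.7",
    "Aug 11 16:30:20 fwsm1 %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.9.8.7",
    "Aug 11 16:30:33 fwsm1 %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.9.8.7",
    "Aug 11 16:30:40 fwsm1 %SYS-5-CONFIG_I: Configured from console by admin on vty0",
    "Aug 11 16:31:00 fwsm1 %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.0.0.5",
]

if __name__ == "__main__":
    for alert in find_authfail_bursts(SAMPLE_LOG):
        print(f"ALERT {alert['device']}: {alert['failures']} SNMP auth failures "
              f"from {alert['source']} within 60s")
```

The single failure from the poller address is below the threshold and produces nothing, so a mistyped community on the monitoring side does not page anyone, while the burst from the unknown address does. Tune the threshold and window to the polling interval actually used by the NMS.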

