Is SNMP "risky"?

Howdy y'all,

We monitor most of our Cisco network devices with SNMP using devmon/xymon and cacti. We do this across a dedicated network management LAN. There are a few devices, primarily FWSMs (firewall service modules) and ACEs, that do not have network management LAN connections.

Our network team is balking at enabling SNMP for these devices on our production network.

I am just looking for feedback on whether having password-protected read-only SNMP enabled on our internal network is really risky or not. We need to be able to monitor these devices, and feel that it is not a real risk.

I am not an expert, but am hoping some of you can chime in with your thoughts? If this has been covered before, I apologize.

Craig Schar

Unix Admin

Health and Human Services Commission

Austin, TX

3 REPLIES
Re: Is SNMP "risky"?

Depends on what version of SNMP you're using. If you use SNMP v2/2c, then yes, it's risky. The SNMP community string (password) along with the data in the packet are in clear text. Anyone with a sniffer can get the SNMP community string and use that to pull sensitive data from your devices. Everything from interface stats to security policies and device configs is available via SNMP. There are some steps you can take to limit what hosts can poll the device, but that doesn't protect the data in transit.

If you use SNMPv3, the risks are much lower. SNMPv3 uses user authentication (username and PW that's hashed) as well as encryption (DES). If you use these features, there's no more risk than having any other traffic on your network. You also have much more control over which OIDs can be polled when you use SNMPv3.

HTH
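To make the three controls from this reply concrete (v3 with authentication and encryption, a limited set of OIDs, and a limit on which hosts may poll), here is an added Cisco IOS configuration example; it is not from any poster in this thread, the FWSM/ACE syntax differs, and the ACL name, view name, user name, management-host address and passphrases are all placeholders.

```cisco
! --- Weak ("before"): SNMPv2c with a read-only community. The community
!     string and every polled value cross the wire in clear text.
snmp-server community public RO

! --- Hardened ("after"): SNMPv3 authPriv, a read-only view, and an ACL.

! 1. Only the monitoring host may poll; anything else is dropped and logged.
!    10.10.10.5 is an assumed address for the devmon/xymon or cacti server.
ip access-list standard SNMP-NMS
 permit 10.10.10.5
 deny   any log

! 2. A view exposing only the subtrees the pollers actually need (system and
!    interface tables). Everything else in the MIB, including objects that
!    reveal configuration, stays outside the view.
snmp-server view MONITOR-VIEW system included
snmp-server view MONITOR-VIEW interfaces included

! 3. A v3 group that requires authentication AND privacy ("priv"), bound to
!    the read-only view and to the ACL above.
snmp-server group NMS-RO v3 priv read MONITOR-VIEW access SNMP-NMS

! 4. The v3 user: SHA for authentication, AES-128 for privacy (stronger than
!    DES; use DES only on platforms that offer nothing else). Passphrases are
!    placeholders and should be set to long, distinct values.
snmp-server user nms-poller NMS-RO v3 auth sha AUTH-PASSPHRASE-HERE priv aes 128 PRIV-PASSPHRASE-HERE access SNMP-NMS

! 5. Retire the clear-text community so v2c cannot be used at all.
no snmp-server community public

! 6. Verify: the user, its group/view binding and the absence of the old
!    community can be checked with
!      show snmp user
!      show snmp group
!      show snmp community
```

After the change, a read-only poller on the management host can still collect interface statistics, while a sniffer on the production segment sees only encrypted SNMPv3 PDUs and any poll from an address outside SNMP-NMS is refused and logged.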

Re: Is SNMP "risky"?

It's not entirely clear between the lines, but if routers/switches are already open to SNMP, I don't understand the case against denying SNMP to firewalls or ACE-type gear. Without going to SNMPv3, all those types of devices are equally "safe" or "at risk". Maybe the network team's concern stems from the lack of an NM LAN connection on the latter.

Re: Is SNMP "risky"?

The moment you enable SNMP (as the name says, "Simple Network Management Protocol") on an "un-trusted public" network, I would be nervous if I were a network/security guy.

If you have SNMP on the private LAN it's not so much an issue, as your risk is limited and controlled. But when you allow this access to external perimeter devices like firewalls, I would think twice on the "risks and benefits". If you must do this, and assuming you have gone through the exercise of SNMPv3 and all the security ACL restrictions and all the encryption, then you should implement or have proper logging/monitoring and alerting mechanisms in place for your perimeter devices to do proactive alerting to you if and when your SNMP is under attack or compromised.

That would be my two cents.

Cheers

Daya Rajaratnam
