Chapter 2, "A Closer Look at SNMP" discussed the security issues with SNMPv1 and
SNMPv2c. The biggest problem, of course, is that the read-only and
read-write community strings travel in clear text in every request and
response; neither the agent nor the NMS encrypts them, and the agent
"authenticates" a request by nothing more than comparing the string it
received with the one it was configured with. Therefore, the community
strings are available to anyone who can run a packet sniffer on a segment
the traffic crosses. That certainly means almost anyone on your network
with a PC and the ability to download widely available software. Does that
make you uncomfortable? It should.
Obviously, you need to take the same precautions with the community
strings that you would with your superuser or administrator
passwords. Choose community strings that are hard to guess.
Mixed-case alphanumeric strings of a dozen or more characters are good
choices; don't use dictionary words, and don't reuse a string from another
device or another password. Keep in mind that an agent does not lock anyone
out after a few wrong guesses, so a guessable string can be found simply by
sending requests to UDP port 161 until one is answered. Although someone
with the read-only community string can't do as much damage as someone
with the read-write string, you might as well take the same
precautions for both (and don't configure a read-write string at all on a
device where you never need to set anything). Don't forget to change your
community strings -- most devices ship with preconfigured community
strings, typically "public" and "private", that are extremely easy to
guess.
That doesn't solve the problem with packet sniffers. When you're
configuring an agent, it's a good idea to limit the addresses that can
make SNMP requests (assuming that your agent allows you to make this
restriction). That way, even if someone gets the community strings,
he'll have to spoof the IP address of one of your management
stations to do any damage.
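As an added example (not code from the book), here is a small script for a Net-SNMP agent that does what the last two paragraphs ask: it generates a community string of the recommended shape, audits an snmpd.conf for default or guessable strings, missing source restrictions and unnecessary read-write access, and writes a hardened replacement. The weak-string list, the 192.0.2.0/24 management network and the sample configuration are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the book: generate a community string that meets
# the advice above and audit a Net-SNMP snmpd.conf for the weaknesses it
# describes. Only rocommunity/rwcommunity directives are checked; the
# weak-string list and the 192.0.2.0/24 management network are assumptions.

# Vendor defaults and dictionary words. Constructed for the example, not complete.
WEAK_STRINGS='public private secret admin cisco community snmp monitor'

# community_ok STRING: succeeds only for a string that is not a known default,
# is at least 12 characters long, and mixes upper case, lower case and digits.
community_ok() {
    s=$1
    lower=$(printf '%s' "$s" | LC_ALL=C tr 'A-Z' 'a-z')
    for w in $WEAK_STRINGS; do
        [ "$lower" = "$w" ] && return 1
    done
    [ "${#s}" -ge 12 ] || return 1
    printf '%s' "$s" | LC_ALL=C grep -q '[[:lower:]]' || return 1
    printf '%s' "$s" | LC_ALL=C grep -q '[[:upper:]]' || return 1
    printf '%s' "$s" | LC_ALL=C grep -q '[[:digit:]]' || return 1
    return 0
}

# new_community: 20 random characters from [A-Za-z0-9], redrawn until the
# result passes community_ok (an all-letter draw is rare but possible).
new_community() {
    for _try in 1 2 3 4 5 6 7 8 9 10; do
        c=$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 20)
        if community_ok "$c"; then
            printf '%s\n' "$c"
            return 0
        fi
    done
    return 1
}

# audit_findings FILE: prints one line per problem found in the
# rocommunity/rwcommunity directives of FILE (comments are ignored).
# Net-SNMP syntax: r[ow]community COMMUNITY [SOURCE [OID | -V VIEW]]
audit_findings() {
    grep -E '^[[:space:]]*r[ow]community[[:space:]]' "$1" |
    while read -r directive community source _rest; do
        community_ok "$community" ||
            echo "$directive: '$community' is a default or guessable community string"
        if [ -z "$source" ] || [ "$source" = "default" ]; then
            echo "$directive '$community': no source restriction, any host may query"
        fi
        [ "$directive" != rwcommunity ] ||
            echo "rwcommunity '$community': read-write access enabled, remove unless required"
    done
}

# audit_snmpd_conf FILE: prints the findings and fails (status 1) if any exist.
audit_snmpd_conf() {
    findings=$(audit_findings "$1")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# write_hardened_conf FILE: read-only access under one generated community
# string, answered only for requests from the management network; no
# rwcommunity line at all, so SET requests are refused.
write_hardened_conf() {
    community=$(new_community) || return 1
    cat > "$1" <<EOF
# read-only, management network only (192.0.2.0/24 is a placeholder)
rocommunity $community 192.0.2.0/24
# no rwcommunity: SET requests are not accepted at all
EOF
}

# Constructed sample: the kind of configuration a device ships with.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
# factory defaults
rocommunity public
rwcommunity private default
rocommunity Net0psRo2024xyz 192.0.2.0/24
EOF

HARDENED_CONF=$(mktemp)
write_hardened_conf "$HARDENED_CONF"

for f in "$WEAK_CONF" "$HARDENED_CONF"; do
    if audit_snmpd_conf "$f"; then echo "$f: no findings"; fi
done
```

Running the script reports five findings against the factory-default sample (two for the unrestricted "public" string, three for the unrestricted read-write "private" string) and none against the generated file. The source restriction is still only an IP address check; it raises the bar for someone who has sniffed the string, but it does not stop a spoofed request, which is why the filtering discussed next still matters.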
Of course, spoofing is easy here: SNMP runs over UDP, so there is no
handshake, and a forged source address on a single set request is all it
takes. Many people know how to do that these days, and it's not a really
good idea to assume that you can trust your employees. A better solution
to the problem is to prevent the SNMP packets from being visible on your
external network connections and on parts of your network where you don't
want them to appear. This requires configuring your routers and firewalls
with access lists that block SNMP packets (UDP port 161 for queries and
port 162 for traps) from the outside world (which may include parts of
your own network). If you don't trust the users of your network, you may
want to set up a separate administrative network to be used for SNMP
queries and other management operations. This is expensive and
inflexible -- it's hard to imagine extending such a network beyond your
core routers and servers -- but it may be what your situation requires.
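The access-list idea above, as an added example that is not from the book, written for Linux iptables: one set of rules for a monitored host, another for a Linux box acting as the border router. The interface names eth0 (external) and eth1 (management) and the 192.0.2.0/24 management network are assumptions for the example; a dedicated router or firewall takes equivalent rules in its own syntax.

```shell
#!/bin/sh
# Added example, not from the book: iptables rules that keep SNMP traffic
# off networks where it should not appear. eth0 (external), eth1
# (management) and 192.0.2.0/24 (management network) are assumptions
# for the example. Dry run by default: the rules are printed, not
# installed. Run with APPLY=1 as root to install them.
IPT=iptables
[ "${APPLY:-0}" = 1 ] || IPT=echo

# agent_host_rules MGMT_IF MGMT_NET
# On a monitored host: accept SNMP queries (udp/161) only when they arrive
# on the management interface from the management network. Everything
# else to udp/161 is logged (rate limited) and dropped, whichever
# interface it came in on, so a community string alone is not enough.
agent_host_rules() {
    mgmt_if=$1; mgmt_net=$2
    "$IPT" -A INPUT -i "$mgmt_if" -s "$mgmt_net" -p udp --dport 161 -j ACCEPT
    "$IPT" -A INPUT -p udp --dport 161 -m limit --limit 5/min \
        -j LOG --log-prefix "SNMP-BLOCKED: "
    "$IPT" -A INPUT -p udp --dport 161 -j DROP
}

# border_router_rules EXT_IF
# On a Linux box routing to the outside: neither queries (161) nor traps
# (162) cross the external interface in either direction, and the router
# itself does not answer SNMP from outside.
border_router_rules() {
    ext_if=$1
    "$IPT" -A FORWARD -i "$ext_if" -p udp -m multiport --dports 161,162 -j DROP
    "$IPT" -A FORWARD -o "$ext_if" -p udp -m multiport --dports 161,162 -j DROP
    "$IPT" -A INPUT   -i "$ext_if" -p udp -m multiport --dports 161,162 -j DROP
}

agent_host_rules eth1 192.0.2.0/24
border_router_rules eth0
```

The rules are appended with -A, so on a host that already has a broad ACCEPT rule in INPUT or FORWARD they must be inserted ahead of it (check with `iptables -L -n --line-numbers`), or they never see a packet. These rules are for agents and routers, not for the management station itself, which still has to accept traps on port 162 from the devices it manages.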
If you want to use SNMP to monitor
your network from home, be extremely careful. You do not want your
community strings traveling over the public Internet in an
unencrypted form. If you plan to use SNMP tools directly from home,
make sure to install VPN software, or some form of tunneling, to keep
your SNMP traffic private; note that an SSH port forward carries only TCP
connections, so by itself it won't carry SNMP's UDP packets, whereas a VPN
will. A better approach to home monitoring is to use a web interface; by
using SSL, you can prevent others from seeing your usage graphs, and
because HTTP is TCP, the web interface can also be reached through an SSH
tunnel. (No network-management products that we're aware of support SSL
out of the box; but they do allow you to integrate with external servers,
such as Apache, which do support SSL.)
SNMPv3
(discussed in Appendix F, "SNMPv3") fixes most of the
security problems. It does away with community strings altogether: each
request is sent on behalf of a named user, is authenticated with a keyed
hash (HMAC) derived from that user's passphrase, and can optionally be
encrypted, so a sniffer sees neither a reusable password nor, with privacy
enabled, the data. Unfortunately, at the time of writing there are very few
implementations of SNMPv3 out there. It's clear what direction
you want to head in, but you can't get there yet.
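For an agent that does implement it, the move from community strings to a v3 user is a small configuration change. The following is an added example, not from the book, assuming a Net-SNMP agent (one of the implementations that supports SNMPv3): it strips the clear-text community lines from a configuration and adds a user who must both authenticate (HMAC-SHA) and encrypt (AES). The user name, passphrases, host name and sample configuration are placeholders constructed for the example.

```shell
#!/bin/sh
# Added example, not from the book: move a Net-SNMP agent from clear-text
# communities to an SNMPv3 user that must authenticate (HMAC-SHA) and
# encrypt (AES). The user name, passphrases and file names below are
# placeholders for the example.

# migrate_to_v3 SRC DST USER AUTHPASS PRIVPASS
# Copies SRC to DST without any rocommunity/rwcommunity line and appends
# the v3 user. Net-SNMP refuses USM passphrases shorter than 8 characters,
# so that is checked here rather than discovered when snmpd fails to start.
# Read-write access is deliberately not carried over; add 'rwuser USER priv'
# only if a manager really needs to issue SET requests.
migrate_to_v3() {
    src=$1; dst=$2; user=$3; authpass=$4; privpass=$5
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    if [ "${#authpass}" -lt 8 ] || [ "${#privpass}" -lt 8 ]; then
        echo "USM passphrases must be at least 8 characters" >&2
        return 1
    fi
    grep -Ev '^[[:space:]]*r[ow]community[[:space:]]' "$src" > "$dst" || true
    cat >> "$dst" <<EOF
# SNMPv3 user: authenticated and encrypted requests only.
# On its first start snmpd replaces this createUser line with localized
# keys, so keep it in the persistent configuration (usually
# /var/lib/net-snmp/snmpd.conf), not in a file that gets regenerated.
createUser $user SHA "$authpass" AES "$privpass"
rouser $user priv
EOF
}

# Constructed sample input: a configuration with clear-text communities.
OLD_CONF=$(mktemp); NEW_CONF=$(mktemp)
cat > "$OLD_CONF" <<'EOF'
sysLocation server room
rocommunity public
rwcommunity private
EOF

migrate_to_v3 "$OLD_CONF" "$NEW_CONF" monitor \
    'Example-Auth-Passphrase' 'Example-Priv-Passphrase'
cat "$NEW_CONF"

# Manager side, once the agent has restarted (agent.example.net is a placeholder):
#   snmpwalk -v3 -l authPriv -u monitor -a SHA -A 'Example-Auth-Passphrase' \
#            -x AES -X 'Example-Priv-Passphrase' agent.example.net system
# On the wire a sniffer now sees the user name and a truncated HMAC, never a
# secret it can replay, and the varbinds themselves are AES-encrypted.
```

The "priv" on the rouser line is the important part: with "auth" instead, requests would be authenticated but the OIDs and values would still cross the wire in the clear.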