Simple Network Management Protocol (SNMP) has been around since it was first defined in RFC 1067 in late 1988. Since that time, it has gone through two major revisions. Before we get to v3, let’s take a look at the other two versions and what they accomplished.
SNMP v1 defined a structured way of communicating for managing devices from a central manager. An SNMP agent was installed on managed devices. This agent receives information from the managed device and relays it to the manager. Version 1 was limited in functionality (GET, GETNEXT, SET and TRAP) and could ask for only one object at a time. If the manager needed thirty objects from the agent, it had to ask thirty times, resembling a conversation with a three-year-old.
SNMP v2 added the ability to make a bulk request (GETBULK). Here, the SNMP manager sends a GETBULK request for several objects and the SNMP agent answers back with as much information per packet as it can. Although this is a large improvement in efficiency, v1 and v2 had almost no built-in security. Both v1 and v2 used the concept of a community string as a weak security mechanism. The community string is set in the manager software and is passed over the wire in plain text. When SNMP had very little capability, this was not problematic. As vendors began adding more SNMP SET commands to device agents, this became an issue. Simply by sniffing the community string and sending SET commands, a hacker could take down a device or even a network!
Version 3 was created to address the community string security weakness by defining several security measures. These include the following:
- Data encryption – no more plain text.
- User-based Security Model (USM) – users have as-needed access for read, read/write and to specific managed devices.
- View-based access control – users are further restricted to administrator created views.
- Timing mechanisms to prevent SNMP command record and playback.
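An added example (not from the original article): a small Python audit that reads only the header of a captured SNMP datagram and reports whether it is v1/v2c, where the community string travels in the clear, or v3 and at which security level. The v3 levels (noAuthNoPriv, authNoPriv, authPriv) are read from the SNMPv3 header flags and go beyond what the list above states; the sample packets, their placeholder bodies and the community value are constructed.

```python
"""Audit SNMP datagrams for cleartext exposure. Added example; samples are constructed."""
INT, OCTETS, SEQ = 0x02, 0x04, 0x30

def tlv(tag, value):
    """Encode one BER element (short-form length, enough for the samples below)."""
    return bytes([tag, len(value)]) + value

def read_tlv(buf, pos=0):
    """Decode the BER element at pos and return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[pos:pos + length], pos + length

def audit(datagram):
    """Return (version, protection) for one SNMP message without touching its PDU."""
    tag, msg, _ = read_tlv(datagram)
    if tag != SEQ:
        raise ValueError("not an SNMP message")
    _, ver, pos = read_tlv(msg)
    version = int.from_bytes(ver, "big")
    if version in (0, 1):                 # 0 = v1, 1 = v2c: community is the next field
        if read_tlv(msg, pos)[0] != OCTETS:
            raise ValueError("community string missing")
        return ("v1" if version == 0 else "v2c", "cleartext-community")
    if version != 3:
        raise ValueError("unsupported SNMP version")
    _, header, _ = read_tlv(msg, pos)     # msgGlobalData
    _, _, p = read_tlv(header)            # msgID
    _, _, p = read_tlv(header, p)         # msgMaxSize
    _, flags, _ = read_tlv(header, p)     # msgFlags: 0x01 = auth, 0x02 = priv
    bits = int.from_bytes(flags[:1], "big")
    if bits & 0x02 and not bits & 0x01:   # privacy without authentication is not valid
        return ("v3", "invalid-flags")
    return ("v3", ("noAuthNoPriv", "authNoPriv", "noAuthNoPriv", "authPriv")[bits & 0x03])

# Constructed samples: a v2c GetRequest, and v3 headers with placeholder bodies.
V2C = tlv(SEQ, tlv(INT, b"\x01") + tlv(OCTETS, b"example")
          + tlv(0xA0, tlv(INT, b"\x01") + tlv(INT, b"\x00") + tlv(INT, b"\x00") + tlv(SEQ, b"")))
def v3(flags):
    header = tlv(INT, b"\x01") + tlv(INT, b"\x05\xdc") + tlv(OCTETS, bytes([flags])) + tlv(INT, b"\x03")
    return tlv(SEQ, tlv(INT, b"\x03") + tlv(SEQ, header) + tlv(OCTETS, b"") + tlv(SEQ, b""))
```

Only `authPriv` traffic is both authenticated and encrypted, so an inventory built this way should treat `noAuthNoPriv` and `authNoPriv` v3 sessions as still readable on the wire.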
So, what can SNMP v3 do for you? SNMP v3 really closes the door on SNMP security concerns by:
- Using encryption and timing restrictions to prevent hackers from accessing SNMP commands.
- Allowing you to assign SNMP capabilities according to user needs, on an as-needed basis.
For more details on SNMP v3 implementation see