Knowing the Vulnerabilities is Key.
From what I have seen in my years of network management, there is a good deal of misunderstanding surrounding the implementation of SNMP. The procedures for basic implementation are well understood, but the problems with using default settings and broadcasting SNMP are not well known. Considering that SNMP is used to manage nearly every network, making sure that you secure access to SNMP is critical. Here are the areas I believe you should check in your network.
Proper Use of Community Strings.
Community strings are a type of password. They control access to Management Information Bases (MIBs) and define the level of access. This is where one of the problems occurs. I don't have a scientific poll, but I am willing to bet that if you asked a group of network engineers what the SNMP v2c community strings are, a good number of them would answer "public and private". The correct answers are read-only and read/write.
This misunderstanding happens because the default values for the read-only and read/write strings are "public" and "private". When SNMP v2c is enabled, most devices will populate the read-only and read/write community string fields with these defaults. I have seen more than once that the Network Management System (NMS) SNMP strings were then set to public and private to allow the NMS to communicate with the devices. Here are a few things you can do to increase the level of security on SNMP v2c.
Best Practices to Avoid SNMP Security Issues.
- Never use default community strings on devices or your NMS.
- Use unique community strings by geography or by device function. For example, create unique community strings for WAN access devices, EMEA area devices, data center devices, etc. SNMP v2c community strings are passed in plain text, so if one area or device type is compromised, the rest of the network is not.
- Run a scheduled discovery for devices answering to the default community strings, in addition to the discoveries that use your valid strings. Once you have a discovery for devices answering to default strings, add an alert for that condition. This automates locating and correcting these devices. Give your network security team a heads-up, as a scan for default community strings may trigger alerts in security devices.
- Use automated network configuration management. While default community strings are a security issue, the root cause lies in configuration management weaknesses.
- Use an automated policy compliance reporting package to demonstrate compliance with internal and external policy requirements.
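The practices above (no default strings, strings unique per region or function, and compliance reporting driven from configuration management) can be checked directly against device configurations. The following is an added example written for this post, not code from the original article or from any NMS or NCM product. It parses Cisco IOS-style `snmp-server community` lines from constructed sample configs, and the device grouping (`DEVICE_GROUPS`), device names and community strings are all assumptions made up for the example. It reports default strings, read/write strings that have no access list, and a string reused across groups.

```python
import re
from collections import defaultdict

# Constructed sample running-config excerpts (Cisco IOS-style syntax).
# Device names and community strings are made up for this example.
SAMPLE_CONFIGS = {
    "wan-edge-01": (
        "hostname wan-edge-01\n"
        "snmp-server community public RO\n"
        "snmp-server community private RW\n"
    ),
    "dc-core-01": (
        "hostname dc-core-01\n"
        "snmp-server community dc-ro-2024 RO 10\n"
        "snmp-server community dc-rw-2024 RW 10\n"
    ),
    "emea-sw-01": (
        "hostname emea-sw-01\n"
        "snmp-server community dc-ro-2024 RO\n"
    ),
}

# Hypothetical grouping by geography/function, as the post recommends.
DEVICE_GROUPS = {"wan-edge-01": "wan", "dc-core-01": "datacenter", "emea-sw-01": "emea"}

# Vendor defaults that should never appear in a production config.
DEFAULT_COMMUNITIES = {"public", "private"}

# snmp-server community <string> [view <name>] RO|RW [<acl>]
COMMUNITY_RE = re.compile(
    r"^\s*snmp-server\s+community\s+(\S+)(?:\s+view\s+\S+)?\s+(RO|RW)(?:\s+(\S+))?\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def parse_communities(config_text):
    """Return [(community, mode, acl_or_None)] for each community line in a config."""
    return [
        (m.group(1), m.group(2).upper(), m.group(3))
        for m in COMMUNITY_RE.finditer(config_text)
    ]


def audit_snmp_communities(configs, groups):
    """Return a list of (device, severity, message) findings.

    Checks: default strings, RW strings without an access list,
    and the same string used by more than one device group.
    """
    findings = []
    group_usage = defaultdict(set)  # community string -> groups that use it
    for device, text in configs.items():
        for community, mode, acl in parse_communities(text):
            group_usage[community].add(groups.get(device, "ungrouped"))
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append((device, "high",
                                 f"default community string '{community}' configured with {mode} access"))
            if mode == "RW" and acl is None:
                findings.append((device, "medium",
                                 f"RW community '{community}' has no access list restricting source addresses"))
    # A string shared across groups defeats the per-region/per-function isolation.
    for community, used_by in group_usage.items():
        if len(used_by) > 1:
            findings.append(("*", "medium",
                             f"community '{community}' is reused across groups: {', '.join(sorted(used_by))}"))
    return findings


if __name__ == "__main__":
    for device, severity, message in audit_snmp_communities(SAMPLE_CONFIGS, DEVICE_GROUPS):
        print(f"[{severity}] {device}: {message}")
```

Feeding the output of a scheduled config backup into `audit_snmp_communities` turns the check into the kind of recurring compliance report the post describes; the `"*"` device marker flags findings that span more than one device.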
NPM network monitoring software discovers devices with default community strings and alerts on the issue. NCM offers extensive configuration management and compliance reporting.
If you are ready for the jump to SNMP v3, check out this technical reference.