I get asked a lot about the security implications of enabling SNMP. With most technology, there is a security cost in enabling any non-security related feature. This is true just about anytime you enable a service on a piece of hardware that allows people to access it from the network. So sure, the network would be more secure if we disabled all of the management protocols, web interfaces, and root passwords on our network devices. Problem is, we need to be able to manage and monitor these devices...

There are many ways to help secure SNMP on your network. I won't go into a lot of detail as there are several published whitepapers on this subject, but here are a few tips to keep in mind...

1. Don't use simple community strings. Don't use "public" or "private". Use a long character string that includes numbers, letters, symbols and mixed case. Don't make it some derivative of your company name - like "S0larW1nd5" - that's the first thing an old hacker like me would try...

2. Access lists - use them. More specifically, allocate a specific subnet to host your network management applications and call this your "management network". Then implement access lists on your devices so that SNMP, ICMP, Telnet, SSH, and any other management protocols that you're using are limited to this subnet. Don't limit it to just the IP address of your Orion server or a small list of hosts - you'll be coming back and changing it all the time.

3. Encryption - If you can, use SNMPv3. This will ensure that your SNMP traffic is encrypted. If you're managing devices across a public network, build a management VPN network and only send management traffic across the encrypted tunnels.
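Here is how the three tips above look on a router, as an added example that is not from the post: Cisco IOS-style configuration, assuming 10.10.10.0/24 is the management subnet, the device supports SNMPv3 with AES, and every community string and passphrase shown is a placeholder to be replaced.

```cisco
! Added example: Cisco IOS-style configuration applying the three tips.
! Assumptions: 10.10.10.0/24 is the management subnet; the platform supports
! SNMPv3 with AES; all strings marked REPLACE-... are placeholders.

! --- Tip 1: community strings (SNMPv1/v2c), only where v3 is not yet possible ---
! Weak: default strings, read-write, reachable from anywhere
!   snmp-server community public RO
!   snmp-server community private RW
! Stronger: long random string, read-only, and restricted to ACL 10
snmp-server community REPLACE-WITH-LONG-RANDOM-STRING RO 10

! --- Tip 2: access list limiting management access to the management subnet ---
access-list 10 remark Management network only
access-list 10 permit 10.10.10.0 0.0.0.255
access-list 10 deny any log

! Apply the same ACL to interactive management, and allow SSH only (no Telnet)
line vty 0 4
 access-class 10 in
 transport input ssh

! --- Tip 3: SNMPv3 with authentication and encryption (authPriv) ---
! "priv" is what turns encryption on; a user created with "auth" only, or
! "noauth", still sends the SNMP payload in the clear.
snmp-server view MGMT-VIEW iso included
snmp-server group MGMT-GROUP v3 priv read MGMT-VIEW access 10
snmp-server user monitor MGMT-GROUP v3 auth sha REPLACE-AUTH-PASSPHRASE priv aes 128 REPLACE-PRIV-PASSPHRASE
```

Two checks worth doing after applying this: `show snmp user` confirms the v3 user and its auth/priv settings (IOS does not display `snmp-server user` lines in the running configuration), and a poll with a v2c community from a host outside 10.10.10.0/24 should fail and produce a log entry from the `deny any log` line.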

Anyways, that's all for now. Ping me if you have other suggestions or disagree on the above points.

p.s. Be sure that your network management applications support SNMPv3 or that it's at least on the roadmap before purchasing...


Flame on...
Josh