SNMP safe?

Hi,

If I configure a SNMP community on a Cisco switch for remote management,

Say,

"paul" with read write.

Is that switch vulnerable to anyone guessing the SNMP community name?

In the SNMP config I see no way of securing SNMP - only by community name.

What is the usual practice for configuring SNMP on network devices? Should I be choosing long and cryptic SNMP community names? Even then am I completely protected? This seems a very powerful tool to only be protected by the equivalent of a workgroup name. The community name also seems to be in plain text on all config pages.

Thanks

Paul

thefunnel

A few tips:

- Use a proper ACL to restrict access and a complex community string
- Use SNMP version 3 if possible so that the credentials are encrypted
- Restrict access to certain OIDs with an SNMP view

blackice

You can protect the switch somewhat with an ACL, or put the management address in a VLAN that Joe Public can't get to.

BL

Buzz Lightbeer

In article , snipped-for-privacy@aol.com wrote:

:If I configure a SNMP community on a Cisco switch for remote
:management,

:Is that switch vulnerable to anyone guessing the SNMP community name?

Yes, certainly, if you are using SNMP versions 1 or 2.

SNMP v1 and v2 send the community "in the clear" so anyone who can sniff can read off the community. This is a particular problem if you are using some kind of device discovery program that sweeps your network looking for devices and probing them via SNMP to figure out what they are and (e.g.) what interfaces they have -- if you are doing a sweep like that, then every device on your net will be sent the SNMP community "in the clear" if you are using v1 or v2.

:In the SNMP config I see no way of securing SNMP - only by community
:name.

:What is the usual practice for configuring SNMP on network devices?

Use SNMP v3, which has a few security levels, including encrypting the password.

Walter Roberson
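
Added example, not written by any poster in this thread: a small Python check that applies the advice above (ACL, SNMP view, SNMPv3 with encryption, long community string) to `snmp-server` lines from a Cisco IOS config. The sample config, the `audit_snmp` function, the issue labels and the 12-character threshold are assumptions made for illustration.

```python
# Constructed sample of Cisco IOS running-config lines (not from the thread).
SAMPLE_CONFIG = """\
snmp-server community paul RW
snmp-server community Zq7-monitoring-ro-4f1c view MGMT-VIEW RO 10
snmp-server group NETOPS v3 auth read MGMT-VIEW
snmp-server group SECOPS v3 priv read MGMT-VIEW access 10
access-list 10 permit 192.0.2.10
"""

MIN_COMMUNITY_LEN = 12  # assumed threshold for a "long and cryptic" string

def audit_snmp(config):
    """Map each SNMP community/group name to the list of issues found."""
    report = {}
    for line in config.splitlines():
        tok = line.split()
        if (len(tok) < 3 or tok[0] != "snmp-server"
                or tok[1] not in ("community", "group")):
            continue
        kind, name, opts = tok[1], tok[2], tok[3:]
        issues = []
        if kind == "community":
            # v1/v2c: the community string crosses the wire unencrypted.
            issues.append("cleartext-community")
            if "view" in opts:
                i = opts.index("view")
                del opts[i:i + 2]          # drop "view <name>"
            else:
                issues.append("no-view")   # every OID is reachable
            if "RW" in (o.upper() for o in opts):
                issues.append("read-write")
            # Whatever remains after RO/RW is the ACL number or name.
            if not [o for o in opts if o.upper() not in ("RO", "RW")]:
                issues.append("no-acl")
            if len(name) < MIN_COMMUNITY_LEN:
                issues.append("short-string")
        else:  # kind == "group"
            if opts[:1] != ["v3"]:
                issues.append("cleartext-community")
            elif opts[1:2] != ["priv"]:
                issues.append("v3-without-encryption")
            if "access" not in opts:
                issues.append("no-acl")
        report[name] = issues
    return report

if __name__ == "__main__":
    for name, issues in audit_snmp(SAMPLE_CONFIG).items():
        print(f"{name}: {', '.join(issues) or 'ok'}")
```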
