Thursday, April 4, 2013

Is Enabling SNMP Worth the Security Risks?


Does SNMP open a hole? Well, kindof. Is it worth it? If it's configured right, YES!

The data that can be collected from switches and routers via SNMP for monitoring and analysis is completely invaluable. Information such as port utilization, device connectivity, errors, packet drops, discards, and other critical network health statistics are available with SNMP, but only if it is enabled!
Most switches and routers these days (even the cheaper home networking ones) support SNMP.
However there is still the idea floating around out there that enabling it will make a network vulnerable to security attacks. Also, some published material out there in cyberspace makes the claim that enabling SNMP will make your network unsecure. It is true that enabling SNMP on switches and routers will open a door into their management, however, there are a couple ways that we can lock up SNMP pretty tight and get the full benefits of having monitoring on the network.

1. Community string with access list.
A community string is basically an SNMP password on SNMPv1/v2. By default it is the word “public” – be sure to change this to something else. Also, an access list can be used to restrict SNMP access to only the machines that are managing the switches. To do this on a Cisco switch or router, this is a basic command sequence:
 
switch(config)# access-list 11 permit 10.0.0.100
switch(config)# snmp-server community m0n1t0r ro 11
 
Be aware that with SNMP v1 and v2, if this management traffic is captured on the network by a packet analyzer, the community string can be easily decoded. If that situation is highly unlikely, or not too much of a concern to you, then proceed in using v1/v2 as several companies do.

2. SNMP v3.
 
The risks of data interception with v1 and v2 has moved many engineers to implement SNMP v3 on their networks. This version offers restricted user access, view configuration, and most importantly, data encryption in transit. However, v3 is more involved and requires more switch configuration. Below is a simple example.
 
switch(config)# access-list 11 permit 10.0.0.100
switch(config)# snmp-server group admins v3 auth read V3Read write V3Write
switch(config)# snmp-server user root admins v3 auth md5 m0n1t0r access 11
switch(config)# snmp-server view V3Read iso included
switch(config)# snmp-server view V3Write iso included

If SNMPv3 is configured on a switch, make sure to disable v1 and v2. If these are still enabled, they can still be used to access the switch, even if v3 is also enabled.

Either of these configurations will allow SNMP information to be accessed by several great analysis tools out there, both vendor supported and open source. Just make sure that the address of the analysis tool is a part of the access list.

So is SNMP worth the possible security hole? Yes, but only if it is properly configured.
 

No comments:

Post a Comment