A popular protocol that is widely utilized for network management. SNMP (RFC 1157) can be very useful for network and systems administrators as it can provide real-time alerts and remote administration options (such as restarting a device over a network). On paper this protocol sounds like the perfect compliment to the IT professional, however it can actually cause more heartache then good if not planned and implemented properly. While reading this article please try not to get lost in the lingo and keep in mind that the basic point of SNMP is for communication between 2 machines.
How does SNMP work?
The Simple Network Management Protocol is part of the IP suite and resides on the applicaton layer of the OSI model. There are other aspects that define the protocol, including a database schema and data objects. The main components to any SNMP system are:
- Monitored/managed devices: The device that we want to manage
- SNMP Agent: Acts as the communicator between the NMS and Managed Device
- MIB (Management Information Bases): Decides which data to collect on the managed device
- Network management systems (NMSs): Collects the information about the managed device and can allow for remote management.
Operation Modes
There are 2 basic modes in which information can be collected. In the more generic form of SNMP you may have your NMS poll each managed device for information. This is fine unless you are managing a lot of devices, as response time would slow. To address this the other basic mode is to have the SNMP agent on the managed devices send the information to the NMS. This is also referred to as an SNMP Trap, because the agent is trapping the information and then sending a Trap (or INFORM) signal to the NMS. The NMS can then be configured to accept trap messages.
Security Considerations
It is important to note that SNMP is considered to be insecure and should not be used if not needed. There are ways to secure it, but first it is important to understand the vulnerabilities.
- There are 3 versions of SNMP, version 1, 2, & 3. The current and most highly recommended implementation is version 3.
- Versions 1 & 2 are passed over a network in clear text and only version 3 includes encryption.
- Windows 2003 utilizes only Versions 1 & 2.
- All versions of SNMP are vulnerable to brute force cracking
- If possible, do not use SNMP
- Use the most recent version of SNMP (v3) if supported
- If v1 or v2 is used, you may consider encrypting network traffic with ipsec
- Consider utilizing an administrative VLAN segregated away from a VLAN with workstations
- Do not use default community strings (you wouldn't use a generic password that everyone knows; this is the same concept)
- Use a community string that is not easily guessed or cracked (utilize numbers and special characters and absolutely no dictionary words)
- Restrict access to the agents to only the SNMP Management IP(s)
- If read/write access if not required then only allow Monitor access on the agent and, if hardware permits, on the switch.
- In conjunction with the previous bullet, if write access is not required and hardware permits then Disable the SET command, which allows the SNMP agent to be configured.
- If not needed, some hardware will allow you to disable the option for rebooting the device over the network.
- Lastly, consider the use of an IDS (Intrusion Detection System), as it can alert you of any malformed packets or traffic that is unusual or out of place.
SNMP can be a great tool for network management, assuming the need is there. There are other forms of network management which may be more suited to your needs, however if done correctly and securily SNMP is a viable option.
References
Wikipedia
Cisco
