To help you securely deploy an SNMP read-only environment, note that each pollable device has its own configuration technique. I'll demonstrate the procedures for setting up a Cisco (www.cisco.com) router and the Empire Technologies (www.empiretech.com) SNMP daemon here. The same principles apply to other vendors' products, although the commands differ.
Setting up a Cisco router to be pollable, with read-only information, via SNMP involves two sets of commands. First you need to write an IP access-list, which is the list of IP addresses that are permitted to poll the Cisco router. For example:
access-list 99 permit 184.108.40.206
access-list 99 permit 220.127.116.11
By itself, this access-list doesn't change the router's behavior. Once it is applied, it determines who can query the router's SNMP communities. In this case, the following line allows only the addresses in the access-list to read a read-only community called MyCommunityIsSecure:
snmp-server community MyCommunityIsSecure RO 99
In many configuration examples, you'll see public in place of MyCommunityIsSecure in this line, because public is the default community name. To set up SNMP securely, use a hard-to-guess name. It's security by obscurity, to be sure, but it's still important because it maximizes the security options available.
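As an added illustration (not part of the original column), the following Python audit reads a Cisco IOS configuration and checks the three points just made: the community string is not the default public, access is read-only, and a standard access-list that names only individual poller hosts is attached and actually defined. The sample configuration and its 192.0.2.x addresses are constructed placeholders.

```python
import re

# Constructed sample IOS configuration. The first community follows the
# column's recommendation; the second shows the common weak defaults.
SAMPLE_CONFIG = """
access-list 99 permit 192.0.2.10
access-list 99 permit host 192.0.2.11
snmp-server community MyCommunityIsSecure RO 99
snmp-server community public RW
"""

# snmp-server community <name> [RO|RW] [standard-acl-number]
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)(?: (RO|RW))?(?: (\d+))?$")
# access-list <number> permit <target>, where target is a host, "host X",
# "X wildcard" or "any"
ACL_RE = re.compile(r"^access-list (\d+) permit (.+)$")


def _is_single_host(target):
    """True if a standard ACL permit target names exactly one host."""
    parts = target.split()
    if parts[0] == "any":
        return False
    if parts[0] == "host":
        return len(parts) == 2
    # "a.b.c.d" alone, or "a.b.c.d 0.0.0.0" (all-zero wildcard mask)
    return len(parts) == 1 or (len(parts) == 2 and parts[1] == "0.0.0.0")


def audit_snmp(config):
    """Return (community, problem) findings for every community line."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            acls.setdefault(m.group(1), []).append(m.group(2))
    findings = []
    for line in config.splitlines():
        m = COMMUNITY_RE.match(line.strip())
        if not m:
            continue
        name, mode, acl = m.groups()
        if name == "public":
            findings.append((name, "default community string"))
        if mode != "RO":  # this audit requires an explicit RO
            findings.append((name, "not read-only"))
        if acl is None:
            findings.append((name, "no access-list attached"))
        elif acl not in acls:
            findings.append((name, "access-list %s is not defined" % acl))
        elif not all(_is_single_host(t) for t in acls[acl]):
            findings.append((name, "access-list %s permits more than single hosts" % acl))
    return findings
```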
Setting up the Empire Technologies SNMP daemon (available on NT and Solaris) securely requires the following line in the configuration file (/etc/sysedge.cf):
community MyCommunityIsSecure read-only 18.104.22.168 22.214.171.124
It has the same effect as the Cisco configuration above: there's a read-only community called MyCommunityIsSecure, and the information it exposes via SNMP is available to only two addresses, 126.96.36.199 and 188.8.131.52. All other devices asking to read the SNMP community will receive no data.
In both cases, protecting the network that has the router, switch, and server gear is equally important and can be accomplished by placing network access-lists on the ingress router interfaces to that network. For example, if the network that houses all the servers polled is on Ethernet0 on a Cisco router, use the following:
interface Ethernet0
 ip address 184.108.40.206 255.255.255.255
 ip access-group 102 out
access-list 102 permit udp host 220.127.116.11 any eq snmp
access-list 102 permit udp host 18.104.22.168 any eq snmp
[entries deleted for brevity]
access-list 102 deny ip any any
This ensures that the router interface blocks any machine other than the permitted pollers from sending SNMP traffic into any device on that network. The example doesn't include the other services the interface should allow, so modify it to fit your design. JS