Sidebar

Setting Up Secure SNMP

To help you securely deploy an SNMP read-only environment, note that each pollable device has its own configuration technique. I'll demonstrate the procedures for setting up a Cisco (www.cisco.com) router and the Empire Technologies (www.empiretech.com) SNMP daemon here. In general, the same principles apply to other vendors' products, with different commands.

Setting up a Cisco router to be pollable, with read-only information, via SNMP involves two sets of commands. First you need to write a standard IP access-list, which is the list of IP addresses permitted to poll the Cisco router. For example:

access-list 99 permit 167.216.128.44
access-list 99 permit 167.216.137.43

On its own, this access-list changes nothing. It takes effect once it is applied to an SNMP community, and from then on it decides who can query that community. In this case the access-list allows only the two addresses in it to access a read-only community called MyCommunityIsSecure:

snmp-server community MyCommunityIsSecure RO 99

In many configuration examples, you'll see public in place of MyCommunityIsSecure in this line, because public is the default community name. To set up SNMP securely, use a hard-to-guess name. It's security by obscurity, to be sure, but it still matters: the community string is the only credential the poll carries, so an unguessable one is a second barrier alongside the access-list.

Setting up the Empire Technologies SNMP daemon (available on NT and Solaris) securely requires the following line in its configuration file (/etc/sysedge.cf):

community MyCommunityIsSecure read-only 167.216.128.44 167.216.137.43

It has the same effect as the Cisco configuration above: there's a read-only community called MyCommunityIsSecure, and the information available via SNMP can be read from only two addresses, 167.216.128.44 and 167.216.137.43. All other devices asking to read the SNMP community will receive no data.

In both cases, protecting the network that holds the router, switch, and server gear is equally important, and can be accomplished by placing network access-lists on the router interface that leads into that network. For example, if the network that houses all the polled servers is on Ethernet0 of a Cisco router, use the following:

interface Ethernet0
 ! a /24 mask is assumed here; a /32 mask is not valid on a LAN interface
 ip address 167.216.100.1 255.255.255.0
 ip access-group 102 out
!
! extended access-list 102 is global configuration, not part of the interface;
! IOS matches a single port with "eq" ("range" needs a low and a high port)
access-list 102 permit udp host 167.216.128.44 any eq snmp
access-list 102 permit udp host 167.216.137.43 any eq snmp
! [entries deleted for brevity]
access-list 102 deny ip any any

This ensures that only the two management hosts can send SNMP queries to devices on that network; the final deny drops every other packet. The example doesn't include any other services the interface should allow, so modify it to accommodate your design. —JS
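To check that the two access-lists in this sidebar do what the text claims (standard list 99 deciding who may poll the router, extended list 102 deciding what may enter the server LAN), the following script is an added example, not the sidebar's or Cisco's code. It parses the access-list syntax used above (any, host, and address-plus-wildcard specs, a protocol, and an optional eq port) with IOS first-match semantics and the implicit deny at the end, then evaluates constructed sample packets against them. Source-port operators and non-contiguous wildcard masks are outside what it handles; the function names and sample packets are my own.

```python
import ipaddress

# Constructed sample reproducing the sidebar's two access-lists as IOS stores
# them: standard 99 ("who may poll"), extended 102 ("what enters the LAN").
SAMPLE_ACLS = """\
access-list 99 permit 167.216.128.44
access-list 99 permit 167.216.137.43
access-list 102 permit udp host 167.216.128.44 any eq snmp
access-list 102 permit udp host 167.216.137.43 any eq snmp
access-list 102 deny ip any any
"""

# IOS port keywords that appear in SNMP rules (161 = queries, 162 = traps).
PORT_NAMES = {"snmp": 161, "snmptrap": 162}
ANY = ipaddress.ip_network("0.0.0.0/0")


def _address(tokens):
    """Consume one address spec from the front of tokens: 'any', 'host A.B.C.D',
    'A.B.C.D W.W.W.W' (wildcard), or a bare host address in a standard list.
    Returns (network, remaining_tokens)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if len(tokens) > 1 and tokens[1].count(".") == 3:
        # IOS wildcard mask: set bits are "don't care"; assumed contiguous,
        # so the prefix length is 32 minus the number of wildcard bits.
        wildcard = int(ipaddress.IPv4Address(tokens[1]))
        prefix = 32 - wildcard.bit_length()
        return ipaddress.ip_network(f"{tokens[0]}/{prefix}", strict=False), tokens[2:]
    return ipaddress.ip_network(tokens[0] + "/32"), tokens[1:]


def parse_acl_entries(config):
    """Map ACL number -> ordered list of (action, proto, src, dst, dport_or_None)."""
    acls = {}
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or tokens[0] != "access-list":
            continue
        number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
        if number <= 99:
            # Standard list: matches on source address only.
            src, rest = _address(rest)
            entry = (action, "ip", src, ANY, None)
        else:
            # Extended list: protocol, source, destination, optional 'eq PORT'.
            proto, rest = rest[0], rest[1:]
            src, rest = _address(rest)
            dst, rest = _address(rest)
            dport = None
            if rest[:1] == ["eq"]:
                dport = PORT_NAMES.get(rest[1]) or int(rest[1])
            entry = (action, proto, src, dst, dport)
        acls.setdefault(number, []).append(entry)
    return acls


def acl_decision(entries, src, dst="0.0.0.0", proto="ip", dport=None):
    """Apply first-match semantics to one packet; no match means deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, e_proto, e_src, e_dst, e_port in entries:
        if e_proto != "ip" and e_proto != proto:
            continue
        if src_ip not in e_src or dst_ip not in e_dst:
            continue
        if e_port is not None and e_port != dport:
            continue
        return action == "permit"
    return False  # the implicit "deny any" at the end of every IOS access-list


if __name__ == "__main__":
    acls = parse_acl_entries(SAMPLE_ACLS)
    print("poller 167.216.128.44 may query router:",
          acl_decision(acls[99], "167.216.128.44"))
    print("SNMP query from 10.1.2.3 reaches server LAN:",
          acl_decision(acls[102], "10.1.2.3", "167.216.100.10", "udp", 161))
```

The interesting cases are the negative ones: a query from an unlisted address, a non-SNMP packet from a listed management host, and an SNMP trap (port 162) rather than a query all fall through to the deny, which is exactly the behaviour the sidebar describes for the server LAN.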