Don'ts of SNMP configuration
Written by Saskia Jean-Schroders, Monday, 01 May 2006
A lot of monitoring tools use SNMP, which stands for Simple Network Management Protocol. In order to allow these tools to work correctly, SNMP has to be configured on your servers or network devices. Configurable settings include, for example, community strings, trap destinations and allowed hosts or managers. You probably all know and agree with the don’ts listed in this article, but in real life I often encounter SNMP configurations that make me wonder whether the administrator has even thought about them. Therefore, to make the “Simple” a bit more simple:


Don’t use “public” and “private” as community strings

By default, “public” is set as the read-only community string and “private” is set as the read-write string. Everybody knows that, so how secure are these strings? I suppose you know the answer to that question.

Don’t allow “Any host” SNMP access

The Windows SNMP service is set by default to allow “Any host” SNMP access to your server. Hmm, is that what you really want? Don’t you know exactly which servers are allowed to access your server with SNMP? Then configure your SNMP service to grant access only to those IP addresses.

Don’t make your community string too easy

Your company might have policies about creating passwords. They might include:
- use a mix of upper case and lower case letters
- use at least one number or a special character
- use at least an x number of characters
- don’t use a password that is an actual word
As the SNMP community string is a kind of password, why not apply the same rules? It also looks great when you are audited by a security officer!

Don’t make your community string too long

Not all monitoring tools can handle SNMP community strings of more than 15 characters, so limit your strings to 15 or fewer. Would you say an SNMP string is really more secure with 16 difficult characters than with 12 difficult characters? Remember that the SNMP community string is sent over the network in plain text; a sniffer would catch 16 characters just as easily as 12.

Don’t allow read-write when read-only is enough

If monitoring tools can do their job correctly with read-only access, then grant only read-only access. Why hand out more power than is needed? This can only be realized if you follow the next Don’t on this list.

Don’t use the same community string for read-only and read-write access

If your read-only string is the same as the read-write string, then everybody who has the right to read SNMP information from your server can also change values on your server. Isn’t it logical to set different passwords for different rights?

Don’t forget to remove out-of-date settings

SNMP settings don’t change all the time, but there are cases where you should remember to adjust them:
- a trap destination is no longer valid
- a host/manager is no longer valid and no longer needs SNMP access
- system location or contact have changed
- server management is going to be performed by another (external) party

Don’t say SMTP when you mean SNMP

This is a rather silly one, I agree, but it happens more than you might think, even among administrators. SMTP stands for Simple Mail Transfer Protocol, and of course, the first and the last words are the same. Is that the reason for the confusion?

Don’t think this list is exhaustive

It isn’t an exhaustive list. It is just meant as a reminder for administrators, so they can improve the security and functioning of SNMP in their infrastructure.

Saskia Jean-Schroders
April 29th 2006
