Making SNMP Secure On Your Cisco Devices
While working with a client on a problem, I suggested we enable SNMP version 2 on some older equipment to get better visibility while we worked on the problem. He immediately said, “No way!! I read that SNMP is insecure and can cause all sorts of issues”. SNMP version 3 wasn’t supported by all devices and takes a bit longer to setup. Since this wasn’t meant to be a permanent solution SNMP v2 will do just fine.
I explained that whatever he read is probably true but it depends how you configure it and how your network behaves with it. Enabling SNMP is a temporary recommendation for the duration of our troubleshooting engagement and we can always turn it off when we are done with it.
I started to draw a simple network diagram of his network and identified that his firewalls don’t allow SNMP from the internet so that possible issue is covered.
I then showed him some Cisco configuration commands to prevent SNMP traffic from devices and networks that we can specify.
The Cisco commands look like this;
snmp-server community notpublic RO 99
The above command enables and configures the snmp service with a read only string of notpublic. The 99 refers to an access list where we control what devices have permission to perform SNMP queries.
access-list 99 permit 10.44.10.0 0.0.0.255
With this command we define that access-list 99 only allows devices from subnet 10.44.10.0
You should test by performing an SNMP query with your network management tool to ensure that is has access but you should ensure that unauthorized devices do not have access.
You can get an idea if your access list is working as well with the following Cisco command;
show access-list 99
Standard IP access list 99
10 permit 10.44.10.0, wildcard bits 0.0.0.255 (684 matches)
The same points apply to Microsoft (plus WMI) or other devices. Take the time to determine how you can get more data from your devices while troubleshooting or baselining.