Are you ready to take advantage of the new security features of SNMPv3 (Simple Network Management Protocol)? Many users of SNMP know that SNMPv3 is more secure than the previous versions, SNMPv1 and SNMPv2c, but may not know the details about SNMPv3 and/or the key steps to successfully implementing the protocol.
A Little Bit About SNMPv3
The release of SNMPv3 is set to address security deficiencies and provide a proper framework for securing access, authentication and control. SNMPv3 is not a stand-alone replacement for version 1 or 2, but rather an added security capability to be used in conjunction with SNMPv2 (ideal) or SNMPv1. It is also important to understand the core responsibilities of SNMP and its agents. The device agent collects and maintains information about the local environment. It provides that information to a manager either in response to a request or unsolicited, when something significant happens to the device. Lastly, the agent can respond to a manager’s command to alter the device’s configuration or operating parameters.
One of the key components of SNMP is the Management Information Base (MIB), a virtual database used for managing devices on a given network. The term can also refer to the complete collection of management information on a certain device. Typically, a Network Management System (NMS), such as NeuralStar, which provides full SNMPv3 support, can query a device’s MIB and retrieve metrics or other analytics. With SNMPv3, the security subsystem of the protocol can prevent unauthorized users from accessing a MIB or parts of a MIB. Version 3 can also ensure that authorized users retrieve and update information from only the parts of the MIB that they are allowed to view. With that background out of the way, here is a list of recommended or supplemental procedures for implementing SNMPv3.
Keys to Successfully Implementing SNMPv3
1. Disable SNMPv1 and SNMPv2c/2.5 from any critical or network edge devices
2. Update network devices or servers to ensure full compatibility with SNMPv3
3. Develop a role-based management system where restriction or access to configurations, monitoring, metrics, or reporting is based upon an operating role
4. Develop a separate management VLAN to be used locally and to transport all SNMPv3 traffic back and forth between the agents and managers
5. Ensure the SNMPv3 implementation meets guidelines set forth by regulatory demands such as HIPAA, PCI, FERPA, SOX, GLBA, DoD, FIPS/NIST, and FISMA (including setting privacy to AES 256)
6. Filter ingress/egress SNMP traffic at the network edge and limit internal SNMP traffic with Access Control Lists (ACLs)
7. If possible, make any critical network device and especially edge device MIBs read-only
8. Verify that no “public” or “private” community strings still exist on any network device, including printers or other headless devices
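Items 1, 5, 7 and 8 can be checked mechanically against an agent's configuration. The following is an added example, not code from this article or from NeuralStar: it assumes the agent is net-snmp and audits its snmpd.conf syntax; the sample configuration, user names and the function name `audit_snmpd_conf` are constructed for illustration.

```python
import shlex

# Assumption: the agent is net-snmp and this is its snmpd.conf syntax.
COMMUNITY = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}
DEFAULTS = {"public", "private"}

# Constructed sample configuration, not taken from a real device.
SAMPLE = """\
# constructed sample
rocommunity public 10.0.0.0/8
rwcommunity s3cr3t-rw 10.0.0.5
com2sec notConfigUser default private
createUser nmsRead SHA "example-auth-pass" AES "example-priv-pass"
rouser nmsRead priv
rouser legacyPoller auth
rwuser nmsAdmin priv
"""

def audit_snmpd_conf(text):
    """Return (line_number, finding) tuples for one snmpd.conf body."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        tok = shlex.split(raw, comments=True)  # drops '#' comments
        if not tok:
            continue
        directive, args = tok[0].lower(), tok[1:]
        if directive in COMMUNITY or directive == "com2sec":
            findings.append((n, "v1/v2c community access enabled"))  # item 1
            # rocommunity COMMUNITY ... / com2sec SECNAME SOURCE COMMUNITY
            name = (args[-1] if directive == "com2sec" else args[0]) if args else ""
            if name.lower() in DEFAULTS:
                findings.append((n, f"default community string '{name}'"))  # item 8
            if directive.startswith("rw"):
                findings.append((n, "community has write access"))  # item 7
        elif directive in ("rouser", "rwuser"):
            if args[:1] == ["-s"]:  # optional "-s SECMODEL" prefix
                args = args[2:]
            user = args[0] if args else "?"
            # net-snmp requires only authentication when no level is given
            level = args[1].lower() if len(args) > 1 else "auth"
            if level != "priv":
                findings.append((n, f"user '{user}' not held to authPriv"))  # item 5
            if directive == "rwuser":
                findings.append((n, f"user '{user}' has write access"))  # item 7
    return findings

if __name__ == "__main__":
    for line_no, finding in audit_snmpd_conf(SAMPLE):
        print(f"line {line_no}: {finding}")
```

An empty result means none of these four conditions was found in the file; it says nothing about ACLs, VLAN placement or the other items in the list.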
Let us know if you have any specific recommendations we didn’t mention. If you have any questions about SNMPv3, contact us at firstname.lastname@example.org.