Learn how to ensure the security of the SNMP service

Source: Internet
Author: User

Security deserves attention whenever the SNMP service is used, so securing SNMP is the focus here. If some devices really do need to run SNMP, you must make sure those devices are secured.

The first step is to determine which devices are running the SNMP service. Unless you port-scan the entire network on a regular basis and know exactly which services run on each machine and device, one or two SNMP services are likely to be overlooked.

Note that devices such as network switches and printers also run the SNMP service. Once you have determined where SNMP is running, take the following measures to secure the service.

■ Install SNMP service patches
Install the patches for the SNMP service and upgrade the SNMP service to version 2.0 or later. Contact the device manufacturer to learn about security vulnerabilities and patch updates.

■ Protect SNMP community strings
An important protection measure is to change all default community strings. Check and change both standard and non-standard community strings one by one, following the instructions in the device documentation. Do not skip any string. If necessary, contact the manufacturer for detailed instructions.

■ Filter SNMP
Another protection measure is to filter SNMP traffic and requests at the network border, that is, to block the ports used by SNMP requests on the firewall or border router. Standard SNMP services use ports 161 and 162. Vendor-proprietary implementations generally use ports 199, 391, 705, and 1993.

Once these ports are blocked, the external network's ability to reach the internal network over SNMP is limited. In addition, you should write an ACL on the routers of the internal network so that only a specific, trusted SNMP management system is allowed to use SNMP. For example, the following ACL only allows SNMP communications from or to the SNMP management system and blocks all other SNMP communications on the network:

    access-list 100 permit ip host w.x.y any
    access-list 100 deny udp any any eq snmp
    access-list 100 deny udp any any eq snmptrap
    access-list 100 permit ip any any

The first line of this ACL defines the trusted management system (w.x.y). Use the following commands to apply the preceding ACL to all network interfaces:

    interface serial 0
    ip access-group 100 in
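The following is an added example, not part of the original article: a small first-match evaluator for the four-line ACL above, showing how SNMP traffic from the management system and from any other host is treated on each port the article lists. The address 192.0.2.10 is a constructed stand-in for the w.x.y placeholder, the other addresses are constructed samples, and checking the vendor ports over UDP is an assumption because the article does not state their transport.

```python
import ipaddress

MGMT = "192.0.2.10"  # constructed stand-in for the page's w.x.y placeholder
PORTS = {"snmp": 161, "snmptrap": 162}  # IOS port keywords used in the ACL
ACL_100 = f"""\
access-list 100 permit ip host {MGMT} any
access-list 100 deny udp any any eq snmp
access-list 100 deny udp any any eq snmptrap
access-list 100 permit ip any any
"""

def parse_addr(tok):
    """Consume 'any' or 'host A.B.C.D'; None stands for any address."""
    if tok[0] == "any":
        return None, tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_address(tok[1]), tok[2:]
    raise ValueError(f"unsupported address spec: {tok[0]}")

def parse_acl(text):
    """Parse the subset of extended-ACL syntax used on this page."""
    rules = []
    for line in filter(None, map(str.split, text.splitlines())):
        action, proto = line[2], line[3]
        src, rest = parse_addr(line[4:])
        dst, rest = parse_addr(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORTS.get(rest[1]) or int(rest[1])
        rules.append((action, proto, src, dst, dport))
    return rules

def evaluate(rules, proto, src, dst, dport):
    """Return the action of the first matching entry (top-down, first match wins)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, r_proto, r_src, r_dst, r_dport in rules:
        if (r_proto in ("ip", proto) and r_src in (None, src)
                and r_dst in (None, dst) and r_dport in (None, dport)):
            return action
    return "deny"  # implicit deny that ends every IOS access list

def snmp_exposure(rules, src, dst="10.0.0.5", proto="udp"):
    """Map each port the page lists (standard and vendor) to permit/deny."""
    ports = (161, 162, 199, 391, 705, 1993)
    return {p: evaluate(rules, proto, src, dst, p) for p in ports}

if __name__ == "__main__":
    rules = parse_acl(ACL_100)
    print("manager:", snmp_exposure(rules, MGMT))
    print("other  :", snmp_exposure(rules, "198.51.100.7"))
```

For a host other than the management system, ports 161 and 162 are denied, but 199, 391, 705 and 1993 fall through to the final `permit ip any any`. If any device on the network uses the vendor-proprietary ports, the ACL needs matching deny entries for them.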

In short, the invention of SNMP represents a major improvement in network management, and it is still a powerful tool for efficient management of large networks.

However, earlier versions of SNMP are inherently insecure, and even the latest version has problems. As with any other service running on the network, the security of the SNMP service cannot be ignored. Do not blindly assume that the SNMP service is not running on the network; it may be hiding on some device.

Essential network services already have too many worrying security issues, so it is best to disable services that are not necessary, such as SNMP, or at least try to secure them.
