How can we keep SNMP secure when the SNMP service has to be enabled? First, apply patches for the protocol promptly; then filter SNMP traffic. The details are described below.
Security of SNMP
If some devices really do need to run SNMP, how can they be secured? The first step is to determine which devices are running the SNMP service. Unless you port-scan the entire network on a regular basis and have full knowledge of the services running on every machine, you are very likely to miss one or two SNMP services. Note in particular that devices such as network switches and printers also run the SNMP service. Once you know where the SNMP service is running, take the following measures to secure it.
◆ Install patches for the SNMP service
Install the patches for the SNMP service and upgrade the SNMP service to version 2.0 or higher. Contact the device manufacturer to learn about security vulnerabilities and patch upgrades.
◆ Protect SNMP community strings
It is important to change all default community strings. Work through them one by one according to the device documentation and change the standard strings, and do not overlook any non-standard community string. If necessary, contact the manufacturer for detailed instructions.
◆ Filter SNMP
Another protective measure is to filter SNMP traffic and requests at the network border, that is, to block the ports used by SNMP requests on the firewall or the border router. The standard SNMP service uses ports 161 and 162. Vendor-specific implementations generally use ports 199, 391, 705 and 1993. Once these ports are blocked, the external network's ability to access the internal network is limited. In addition, you should write an ACL on the routers of the internal network so that only specific, trusted SNMP management systems are allowed to operate SNMP. For example, the following ACL only allows SNMP communications from (or to) the SNMP management system and blocks all other SNMP communications on the network:
access-list 100 permit ip host w.x.y any
access-list 100 deny udp any any eq snmp
access-list 100 deny udp any any eq snmptrap
access-list 100 permit ip any any
The first line of this ACL defines the trusted management system (w.x.y). Use the following commands to apply the preceding ACL to all network interfaces:
interface serial 0
ip access-group 100 in
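To check what the ACL above does to individual packets, the following Python example (added here, not part of the original article) parses the four entries and applies first-match evaluation the way a router does. The manager address 192.0.2.10 is a constructed placeholder for w.x.y, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample: 192.0.2.10 is an assumed address standing in for the
# trusted management system that the article writes as w.x.y.
ACL_100 = """\
access-list 100 permit ip host 192.0.2.10 any
access-list 100 deny udp any any eq snmp
access-list 100 deny udp any any eq snmptrap
access-list 100 permit ip any any
"""
PORT_NAMES = {"snmp": 161, "snmptrap": 162}  # IOS keywords for UDP 161/162


def _take_addr(tokens):
    """Pop one address spec ('any' or 'host A.B.C.D'); None means any."""
    word = tokens.pop(0) if tokens else ""
    if word == "any":
        return None
    if word == "host" and tokens:
        return ipaddress.ip_address(tokens.pop(0))
    raise ValueError(f"expected 'any' or 'host <addr>', got {word!r}")


def parse_acl(text):
    """Parse the extended-ACL subset used above into rule tuples."""
    rules = []
    for line in filter(None, map(str.strip, text.splitlines())):
        keyword, _number, action, proto, *rest = line.split()
        if keyword != "access-list" or action not in ("permit", "deny"):
            raise ValueError(f"unsupported line: {line}")
        src, dst = _take_addr(rest), _take_addr(rest)
        port = None
        if rest:  # optional 'eq <port>' matched against the destination port
            if len(rest) != 2 or rest[0] != "eq":
                raise ValueError(f"unsupported match: {line}")
            port = PORT_NAMES.get(rest[1]) or int(rest[1])
        rules.append((action, proto, src, dst, port))
    return rules


def evaluate(rules, proto, src, dst, dport=None):
    """Return the action of the first matching rule (implicit deny at end)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, r_proto, r_src, r_dst, r_port in rules:
        if (r_proto in ("ip", proto) and r_src in (None, src)
                and r_dst in (None, dst) and r_port in (None, dport)):
            return action
    return "deny"
```

Calling `evaluate(parse_acl(ACL_100), "udp", "198.51.100.7", "10.0.0.5", 161)` returns `"deny"`, while the same request sourced from 192.0.2.10 returns `"permit"`. Because the first entry matches on source address only, a trap sent to the manager by another host through this interface is still dropped by the snmptrap entry.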
In short, the invention of SNMP represents a major improvement in network management, and it is still a powerful tool for managing large networks efficiently. However, earlier versions of SNMP are inherently insecure, and even the latest versions have problems. As with other services running on the network, the security of the SNMP service cannot be ignored. Do not blindly assume that the network runs no SNMP service; it may be hiding on some device. Essential network services already raise too many security concerns, so it is best to disable unnecessary services such as SNMP, or at least to do what you can to secure them.