
Is upgrading to SNMP v3 enough to secure network devices?

Using SNMP v3 is a good first step, but it's not enough to prevent attackers from accessing a network through an SNMP-enabled device. Expert Judith Myerson explains what else to do.

I read that a remote attacker could get into an organization's network infrastructure by abusing Simple Network Management Protocol-enabled, or SNMP-enabled, network devices. How can we stop this attack?

Upgrading to SNMP v3 for the highest level of security is not enough to prevent an attacker from abusing SNMP-enabled network devices to get into the organization's network infrastructure from any computer. The attacker could exploit improper role separation, for example.

If a legitimate administrator hasn't separated the roles of users and groups, then all the roles have the same password and the same read and write SNMP permissions. All the users have the same SNMP views of a database called the Management Information Base (MIB).

This flaw gives the attacker the same unrestricted SNMP view of the entire database. The SNMP view command restricts a role to a listed set of MIB objects; everything else in the database is excluded from that view. When SNMP v3 traffic is attacked, the entire network may be impacted.

To stop the attack, US-CERT recommends administrators:

  • Configure SNMP v3 to use authpriv, the highest level of security for authentication and privacy on most devices.
  • Separate the roles and assign proper credentials for each. SNMP managers are allowed to read traps, the alerts a remote-enabled device sends when something is wrong in the network; they are denied write permissions.
  • Apply access control lists to block unauthorized computers from accessing the device.
  • Limit the users' SNMP views of the MIB database according to the roles assigned to the users. The SNMP v3 view command is restricted to the SNMP Object Identifiers that point to MIB objects in the database. All other MIB objects not assigned to a role are shut out.
  • Segregate SNMP traffic into a separate network management network, such as an out-of-band network. A dedicated network port should be the sole link for SNMP v3.
  • Update system images and software as they become available.
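The role-separation flaw described above and the checklist just given can both be checked mechanically on a Net-SNMP agent. The following Python script is an added example, not code from the article, from US-CERT or from the Net-SNMP project: it parses an snmpd.conf and reports community strings (v1/v2c), v3 users below the priv level, users with no view restriction, a missing agentAddress binding, and the absence of a separate read-only role. The directive names (rocommunity, rwcommunity, com2sec, createUser, rouser, rwuser, view, agentAddress) are real Net-SNMP keywords; both configurations, the user names, the management address 10.255.0.1 and the passphrases are constructed samples.

```python
"""Audit a Net-SNMP snmpd.conf against the SNMP v3 hardening checklist.

Added example, not from the original article. Both configurations below
are constructed samples; the directive keywords are Net-SNMP's own.
"""
import shlex
from typing import Iterator, List, Tuple

# v1/v2c directives: a shared community string, no per-user credentials
COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6",
                        "rwcommunity6", "com2sec", "com2sec6"}
USER_DIRECTIVES = {"rouser", "rwuser"}
LEVELS = ("noauth", "auth", "priv")

# Constructed sample: the weak "before" configuration. One shared
# read-write community, one v3 user with no authentication, no view
# restriction, no read-only role, agent listening on every interface.
WEAK_CONF = """\
rwcommunity public
rwuser monitor noauth
"""

# Constructed sample: hardened configuration following the checklist.
HARDENED_CONF = """\
# Users created with SHA authentication and AES privacy (authPriv)
createUser nmsreader SHA "reader-auth-passphrase" AES "reader-priv-passphrase"
createUser nmsadmin  SHA "admin-auth-passphrase"  AES "admin-priv-passphrase"

# Views: the monitoring role only sees the system and interfaces subtrees
view monitorview included .1.3.6.1.2.1.1
view monitorview included .1.3.6.1.2.1.2
view adminview   included .1

# Roles: manager is read-only at priv level; admin is a separate account
rouser nmsreader priv -V monitorview
rwuser nmsadmin  priv -V adminview

# Bind the agent to the out-of-band management address only (constructed)
agentAddress udp:10.255.0.1:161
"""


def _directives(conf: str) -> Iterator[Tuple[str, List[str]]]:
    """Yield (keyword, arguments) for each non-comment line of snmpd.conf."""
    for raw in conf.splitlines():
        parts = shlex.split(raw, comments=True)
        if parts:
            yield parts[0], parts[1:]


def audit(conf: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []
    created, referenced, readers, writers = set(), set(), set(), set()
    has_agent_address = False

    for kw, args in _directives(conf):
        if kw in COMMUNITY_DIRECTIVES:
            findings.append(f"{kw}: SNMP v1/v2c community string configured; "
                            "replace it with SNMP v3 users")
        elif kw == "createUser":
            # createUser NAME (MD5|SHA) authpass [DES|AES] privpass
            name = args[0] if args else "?"
            has_priv = len(args) >= 4 and args[3].upper().startswith(("DES", "AES"))
            if has_priv:
                created.add(name)
            else:
                findings.append(f"createUser {name}: no privacy protocol, "
                                "so authPriv cannot be used for this user")
        elif kw in USER_DIRECTIVES:
            # rouser/rwuser NAME [noauth|auth|priv] [OID | -V VIEW]
            name = args[0] if args else "?"
            rest, level = args[1:], "auth"  # Net-SNMP defaults to auth
            if rest and rest[0] in LEVELS:
                level, rest = rest[0], rest[1:]
            if level != "priv":
                findings.append(f"{kw} {name}: security level '{level}' "
                                "instead of priv (authPriv)")
            if not rest:
                findings.append(f"{kw} {name}: no OID or -V view, so the "
                                "whole MIB is visible to this role")
            referenced.add(name)
            (writers if kw == "rwuser" else readers).add(name)
        elif kw == "agentAddress":
            has_agent_address = True

    if not has_agent_address:
        findings.append("agentAddress: not set, so the agent listens on every "
                        "interface; bind it to the management network")
    for name in sorted(referenced - created):
        findings.append(f"user {name}: granted access but never created with "
                        "a privacy protocol via createUser")
    if writers and not readers:
        findings.append("every SNMP v3 user has write access; define a "
                        "separate read-only monitoring role")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label} ==")
        for finding in audit(conf) or ["no findings"]:
            print(" -", finding)
```

The hardened sample produces no findings; the weak one reports six, one per checklist item it violates. The script only inspects the configuration file; whether the management port is actually isolated, as the out-of-band item requires, still has to be verified on the network side.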



This was last published in August 2017
