?
Solved

Installing and cvonfiguring SNMPv3

Posted on 2013-06-12
2
Medium Priority
?
302 Views
Last Modified: 2013-06-27
After security assessment we need to disable SNMP protocol on our network, install and configure SNMPv3.
Not sure if it possible to do it. Any advise?
0
Comment
Question by:fedmilk1
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 79

Accepted Solution

by:
arnold earned 750 total points
ID: 39243603
Does the equipment you have have support for snmp v3?

Snmpv3 includes username/password as part of the configuration parameters.
http://docwiki.cisco.com/wiki/Snmp_v3_configurations

What runs on your network?
0
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 750 total points
ID: 39243809
Yes, security assessments (particularly ones just doing an automated scan) often say this :)

Assuming you are on v2c then you need to perform a security review on each instance of the service detected.

1) Does this node *need* to be running snmp? are you monitoring it with snmp, and does it need to be listening (or can you rely on just traps)?

2) Does this node have anything exposed that shouldn't be (i.e. does it have RW access to snmp, when read only would do, does it expose anything sensitive)

2) Does this node have a set community string or something obvious (like "public" or the hostname)?

3) Can this node even support V3, or is it V2c or below only?

4) Does your monitoring software support V3, or would this require you to re-implement with a newer monitoring package.

5) can you restrict which IPs have access to the snmp (either via snmp settings, or a firewall setting)

once you have completed that review, then you can proceed to secure *as best suited to your environment* and can justify that in your response document to the security audit.

most sites are still on V2c. If you aren't checking anything sensitive, and have it locked down as best can be done in your environment (and particularly if you have a management-only vlan that is the access route to the control plane on applicable devices) then that is fine - you just need to acknowledge that and note it as a security decision.
0

Featured Post

On Demand Webinar: Networking for the Cloud Era

Did you know SD-WANs can improve network connectivity? Check out this webinar to learn how an SD-WAN simplified, one-click tool can help you migrate and manage data in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
This article investigates the question of whether a computer can really be cleaned once it has been infected, and what the best ways of cleaning a computer might be (in this author's opinion).
In this video, Percona Solution Engineer Dimitri Vanoverbeke discusses why you want to use at least three nodes in a database cluster. To discuss how Percona Consulting can help with your design and architecture needs for your database and infras…
How to fix incompatible JVM issue while installing Eclipse While installing Eclipse in windows, got one error like above and unable to proceed with the installation. This video describes how to successfully install Eclipse. How to solve incompa…
Suggested Courses

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question