?
Solved

Installing and cvonfiguring SNMPv3

Posted on 2013-06-12
2
Medium Priority
?
306 Views
Last Modified: 2013-06-27
After security assessment we need to disable SNMP protocol on our network, install and configure SNMPv3.
Not sure if it possible to do it. Any advise?
0
Comment
Question by:fedmilk1
2 Comments
 
LVL 81

Accepted Solution

by:
arnold earned 750 total points
ID: 39243603
Does the equipment you have have support for snmp v3?

Snmpv3 includes username/password as part of the configuration parameters.
http://docwiki.cisco.com/wiki/Snmp_v3_configurations

What runs on your network?
0
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 750 total points
ID: 39243809
Yes, security assessments (particularly ones just doing an automated scan) often say this :)

Assuming you are on v2c then you need to perform a security review on each instance of the service detected.

1) Does this node *need* to be running snmp? are you monitoring it with snmp, and does it need to be listening (or can you rely on just traps)?

2) Does this node have anything exposed that shouldn't be (i.e. does it have RW access to snmp, when read only would do, does it expose anything sensitive)

2) Does this node have a set community string or something obvious (like "public" or the hostname)?

3) Can this node even support V3, or is it V2c or below only?

4) Does your monitoring software support V3, or would this require you to re-implement with a newer monitoring package.

5) can you restrict which IPs have access to the snmp (either via snmp settings, or a firewall setting)

once you have completed that review, then you can proceed to secure *as best suited to your environment* and can justify that in your response document to the security audit.

most sites are still on V2c. If you aren't checking anything sensitive, and have it locked down as best can be done in your environment (and particularly if you have a management-only vlan that is the access route to the control plane on applicable devices) then that is fine - you just need to acknowledge that and note it as a security decision.
0

Featured Post

SMB Security Just Got a Layer Stronger

WatchGuard acquires Percipient Networks to extend protection to the DNS layer, further increasing the value of Total Security Suite.  Learn more about what this means for you and how you can improve your security with WatchGuard today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you thought ransomware was bad, think again! Doxware has the potential to be even more damaging.
A new hacking trick has emerged leveraging your own helpdesk or support ticketing tools as an easy way to distribute malware.
How can you see what you are working on when you want to see it while you to save a copy? Add a "Save As" icon to the Quick Access Toolbar, or QAT. That way, when you save a copy of a query, form, report, or other object you are modifying, you…
The video provides a quick and easy steps to migrate MBOX file to well known Outlook PST and Office 365. Besides this, it also supports and migrates more than 20 email clients of MBOX which include AppleMail, Opera, Thunderbird and SeaMonkey effortl…

600 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question