While SNMP is very useful for monitoring and troubleshooting, as in the scenario shown in the figure, it can also create security vulnerabilities. For this reason, review security best practices before implementing SNMP.
Both SNMPv1 and SNMPv2c rely on SNMP community strings, sent in plaintext, to authenticate access to MIB objects. These community strings, as with all passwords, should be carefully chosen so that they are not easy to guess or crack. Additionally, community strings should be changed at regular intervals and in accordance with network security policies. For example, the strings should be changed when a network administrator changes roles or leaves the company. If SNMP is used only to monitor devices, use read-only communities.
Ensure that SNMP messages do not spread beyond the management consoles. ACLs should be used to prevent SNMP messages from going beyond the required devices. ACLs should also be applied on the monitored devices so that only the management systems can access them.
SNMPv3 is recommended because it provides authentication and encryption. There are a number of other global configuration mode commands that a network administrator can implement to take advantage of the authentication and encryption support in SNMPv3:
- The snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} command creates a new SNMP group on the device.
- The snmp-server user username groupname v3 [encrypted] [auth {md5 | sha} auth-password] [priv {des | 3des | aes {128 | 192 | 256}} priv-password] command is used to add a new user to the SNMP group specified in the snmp-server group groupname command.
Note: SNMPv3 configuration is beyond the scope of the CCNA curricula.
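As an added example (not part of the curriculum text), the following Python script audits a running-config excerpt against the practices above: read-only communities, ACLs on both communities and groups, and SNMPv3 users with auth and priv. The configuration sample is constructed, and the default-community list and 8-character minimum are my own heuristics, not Cisco requirements.

```python
# Constructed sample running-config excerpt (not from the page); it mixes weak
# legacy SNMP lines with a hardened SNMPv3 group/user pair restricted by ACL 10.
SAMPLE_CONFIG = """\
access-list 10 permit host 192.168.10.50
snmp-server community public RO
snmp-server community Xk7#pollOnly RO 10
snmp-server group LEGACY v2c
snmp-server group NETOPS v3 priv access 10
snmp-server user nms-poller NETOPS v3 auth sha Str0ngAuthPass priv aes 128 Str0ngPrivPass
snmp-server user helpdesk LEGACY v2c
"""

# Assumed heuristic: well-known default strings and anything under 8 characters.
DEFAULT_COMMUNITIES = {"public", "private", "cisco", "admin"}


def audit_snmp_config(config):
    """Return (config line, finding) pairs for SNMP lines that violate the practices."""
    findings = []
    for raw in config.splitlines():
        words = raw.split()
        if len(words) < 3 or words[0] != "snmp-server":
            continue
        kind, name, rest = words[1], words[2], words[3:]
        if kind == "community":
            # snmp-server community NAME [view V] {RO|RW} [acl]: ACL is the last token
            if name.lower() in DEFAULT_COMMUNITIES or len(name) < 8:
                findings.append((raw, "weak or default community string"))
            if "RW" in rest:
                findings.append((raw, "read-write community; use RO for monitoring"))
            if not rest or rest[-1] in ("RO", "RW"):
                findings.append((raw, "no ACL restricting which hosts may use it"))
        elif kind == "group":
            # snmp-server group NAME {v1|v2c|v3 {auth|noauth|priv}} [... access ACL]
            if not rest or rest[0] != "v3":
                findings.append((raw, "SNMPv1/v2c group: community string travels in plaintext"))
            elif len(rest) < 2 or rest[1] != "priv":
                findings.append((raw, "v3 group without priv: traffic is not encrypted"))
            if "access" not in rest:
                findings.append((raw, "no ACL restricting management stations"))
        elif kind == "user":
            # snmp-server user NAME GROUP v3 [auth {md5|sha} PW] [priv {des|3des|aes N} PW]
            if "v3" not in rest or "priv" not in rest:
                findings.append((raw, "user without SNMPv3 auth and priv"))
            elif {"md5", "des"} & set(rest):
                findings.append((raw, "weak hash or cipher (md5/des); prefer sha with aes"))
    return findings


if __name__ == "__main__":
    for line, why in audit_snmp_config(SAMPLE_CONFIG):
        print(f"{why}: {line}")
```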