
SNMP

Simple Network Management Protocol (SNMP) is an industry-standard protocol used for remote monitoring and management of network devices over UDP port 161.

SNMP is not secure for the following reasons:

  • Instead of using encryption keys or a user name and password pair, SNMP uses a community string for authentication. The community string is transmitted in clear text format over the network, making it easy to capture with a packet sniffer.

    Within the industry, devices are typically configured at the factory to use public as the default community string. The public password allows users to make queries and read values but does not allow users to invoke commands or change values. Some devices are configured at the factory to use private as the default community string, allowing users full read-write access.

  • Even if you change the read and write community string on a device to something other than private, an attacker can easily learn the new string by using the read-only public community string and asking the router for the read-write string.

There are three versions of SNMP:

  • SNMPv1 is the original protocol and is not commonly used.
  • SNMPv2 is identical to SNMPv1 from a network protocol standpoint and is vulnerable to the same security problems. The only differences between the two versions are in the messages sent, messages received, and the type of information that is available. These differences are not important from a security point of view. This version of SNMP is currently used on your storage systems.
  • SNMPv3 is the latest protocol version and includes security improvements, but it is difficult to implement and many vendors do not yet support it. SNMPv3 supports several different types of network encryption and authentication schemes. It allows for multiple users, each with different permissions, and solves SNMPv1 security problems while maintaining an important level of compatibility with SNMPv2.
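
The clear-text community string described above sits in the same position in SNMPv1 and SNMPv2 messages, directly after the version number, and can be read by decoding the first two fields of the datagram. The following Python code is an added example, not part of the original documentation: the function names (tlv, read_tlv, inspect_snmp, sample_get) are hypothetical, and the sample datagram is constructed rather than captured. It can be used to audit monitoring traffic for default community strings.

```python
DEFAULT_COMMUNITIES = {b"public", b"private"}  # factory defaults named on this page
VERSIONS = {0: "SNMPv1", 1: "SNMPv2c", 3: "SNMPv3"}  # wire value of the version field

def tlv(tag, body):  # encode one BER element, short-form length only
    assert len(body) < 0x80, "sample encoder handles short-form lengths only"
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos):
    """Decode one BER element at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:  # long form: low 7 bits give the number of length bytes
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def inspect_snmp(datagram):
    """Return (version name, community or None, finding) for one UDP payload."""
    tag, msg, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not a BER SEQUENCE")
    tag, ver, pos = read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("version INTEGER expected")
    version = int.from_bytes(ver, "big")
    name = VERSIONS.get(version, "unknown")
    if version not in (0, 1):  # only SNMPv1 and SNMPv2c carry a community string
        return name, None, "no community field in this version"
    tag, community, _ = read_tlv(msg, pos)
    if tag != 0x04:
        raise ValueError("community OCTET STRING expected")
    finding = ("default" if community in DEFAULT_COMMUNITIES else "cleartext") + " community string"
    return name, community.decode("ascii", "replace"), finding

def sample_get(community, version=1):
    """Constructed GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0); not captured traffic."""
    oid = tlv(0x06, bytes.fromhex("2b06010201010100"))
    pdu = tlv(0xA0, tlv(0x02, b"\x01") + tlv(0x02, b"\x00") * 2 + tlv(0x30, tlv(0x30, oid + tlv(0x05, b""))))
    return tlv(0x30, tlv(0x02, bytes([version])) + tlv(0x04, community) + pdu)

if __name__ == "__main__":
    print(inspect_snmp(sample_get(b"public")))
```

A changed community string is still reported as "cleartext community string", because renaming it does not stop it from being readable on the wire.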

SNMP is required if you want to monitor a storage system through an SNMP monitoring tool, such as DataFabric Manager. Your storage system's SNMP implementation allows read-only access. Regardless of the community string used, the user cannot issue commands or change variables using SNMP on your storage system.

You should use the snmp.access option to restrict SNMP access to a named set of trusted hosts.

Set the snmp.enable option to off to disable SNMP entirely.

The snmp community delete and snmp community add commands are used to change the community string to something other than the default value.