SNMP is a protocol dedicated to gathering network information with as little overhead as possible; SNMP was never designed with security in mind. For example, in SNMPv1 and SNMPv2, the only true security element was the community string. In effect, if a device was enabled for SNMP write access and someone knew the community string, they could make configuration changes to the equipment. In many cases, guessing the community string wasn’t very hard, since many companies never took the time to change it from its default value – public. Obviously this presents a huge security risk, which in turn has led many companies to restrict SNMP access to read only, and in many cases, not enable it at all.
To overcome these limitations, SNMPv3 implements a true security model that provides for message integrity, authentication, and encryption. Each of these concepts is considered below:
- Message integrity. Used to ensure that an SNMP message has not been tampered with in transit by a third party.
- Authentication. Used to ensure that an SNMP message comes from a valid source. SNMPv3 is capable of using a common username, as well as MD5 or SHA algorithms, to provide secure authentication between SNMPv3 devices.
- Encryption. Used to securely scramble the contents of SNMP messages to ensure secure transmission between an NMS and a managed device. SNMPv3 is capable of using 56-bit DES encryption for transmitted packets.
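To make the authentication and integrity points above concrete, here is an added example (not from the original article) of how SNMPv3's User-based Security Model turns a user's password into a per-device authentication key and computes the HMAC-96 integrity tag, following RFC 3414; the password, engine IDs and message bytes are constructed sample values, and the key derivation is the same one an agent uses for the DES privacy key.

```python
import hashlib
import hmac

ONE_MIB = 1_048_576  # RFC 3414 stretches the password to exactly 1 MiB before hashing


def password_to_ku(password: bytes, hash_name: str = "md5") -> bytes:
    """Step 1 of RFC 3414 A.2: hash the password repeated out to 1 MiB -> Ku."""
    stream = (password * (ONE_MIB // len(password) + 1))[:ONE_MIB]
    return hashlib.new(hash_name, stream).digest()


def localize_key(password: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Step 2: Kul = H(Ku || snmpEngineID || Ku).

    Localization binds the key to one agent, so the same password yields a
    different key on every device and a key recovered from one agent does
    not work against another.
    """
    ku = password_to_ku(password, hash_name)
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def auth_tag(kul: bytes, whole_msg: bytes, hash_name: str = "md5") -> bytes:
    """HMAC-96: the first 12 bytes of HMAC over the whole message (with the
    msgAuthenticationParameters field zeroed before hashing)."""
    return hmac.new(kul, whole_msg, hash_name).digest()[:12]


def verify_auth(kul: bytes, whole_msg: bytes, tag: bytes, hash_name: str = "md5") -> bool:
    """Receiver side: recompute the tag and compare in constant time."""
    return hmac.compare_digest(auth_tag(kul, whole_msg, hash_name), tag)


if __name__ == "__main__":
    # Constructed sample values; the password and first engine ID are the
    # RFC 3414 appendix A.3 test-vector inputs.
    password = b"maplesyrup"
    engine_a = bytes.fromhex("000000000000000000000002")
    engine_b = bytes.fromhex("000000000000000000000003")
    kul_a = localize_key(password, engine_a)
    kul_b = localize_key(password, engine_b)
    print("Kul for engine A:", kul_a.hex())
    print("same password, different engine -> different key:", kul_a != kul_b)
    msg = b"constructed SNMPv3 message bytes with authParameters zeroed"
    tag = auth_tag(kul_a, msg)
    print("tag accepted:", verify_auth(kul_a, msg, tag))
    print("tampered message rejected:", not verify_auth(kul_a, msg + b"x", tag))
```

Pass `hash_name="sha1"` to the same functions to get the SHA variant (a 20-byte localized key) that the article mentions alongside MD5.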
Ultimately, SNMPv3 represents a significant improvement over previous versions from a security standpoint. However, it’s still important to remember that in order to use SNMPv3, you will require both an NMS and managed devices that support it. Depending upon the IOS version installed on your router, you may or may not be capable of supporting it at the current time. Cisco has supported SNMPv3 in their routers since IOS version 12.0.3T.