Server Management - Systems Insight Manager
Re: SNMP over the Internet
Kevin Lancaster
Occasional Contributor

SNMP over the Internet

We are an IT consultancy that provides remote support and network management to our customers via the internet.

I understand from a previous post that - "HP SIM still relies on SNMP for status polling and traps. There are significant feature limitations if SNMP is not available"

As SNMP is essential, I have considered using the following SNMP configuration:
- Set a non-default Community Name
- Set the Right to be READ_ONLY
- Only allow traffic from a single host
- Only allow SNMP communication over the internet between our head office (where the management server will be) and the customer site. So, our firewall will only allow traps from our customer's IP, and our customer's firewall will only allow traps from our IP.

Would this be considered adequate security?

Any help would be appreciated.

Kevin
Rob Buxton
Honored Contributor

Re: SNMP over the Internet

Some claim that having SNMP open to the internet in itself poses a risk.

I think monitoring anything over an unsecured internet connection would have potential risks.

Note that SNMP traffic can be two-way: SNMP is used by HPSIM to identify and gain initial access to the device.
The device can also send SNMP Traps to the remote server, so communication is two-way.
Kevin Lancaster
Occasional Contributor

Re: SNMP over the Internet

Rob,

Thanks for your reply.

My scenario above does mean that two-way communication can take place by using firewall rules to forward the SNMP requests.

Also, SNMP would not be 'open' to the internet because the firewalls would only allow communication between our office IP address and the customer's IP address, thus leaving SNMP 'closed' to the internet as a whole.

I hope my explanation is clear. Any further help would be appreciated.

Kevin

Re: SNMP over the Internet

Well, it's still sniffable, and spoofable. That's the meaning of "open to the internet." You've made a good start, it would be better if you could run it over IPSec or something though.
Terry Auspitz
Frequent Advisor
Solution

Re: SNMP over the Internet

Hi Kevin,

I would not consider this solution to be adequate security, as it ultimately involves sending sensitive information about your client's infrastructure unencrypted over an untrusted network. Most significantly, SNMP packets contain the community string as cleartext within the packet, but such packets would also include information about your client's network configuration, information your client most likely wants (or should want) to keep out of unknown hands. This configuration could allow (as Matthew noted) sniffing and spoofing of packets, including the introduction of packets that could allow an attacker to manipulate or crash a server on your client's network, or to introduce false or misleading information to, or block information from reaching, your monitoring station.

One option you might consider would be establishing a private connection to your client's network. Depending on where you are and your proximity to your client, you may be able to get an unlimited-use ISDN circuit for a reasonable cost (not much more than a POTS line for each circuit). Depending on the size of your client's network (I'm assuming it's rather small since they don't have an in-house IT staff to monitor Insight Manager), this should be adequate for you to service their needs. This involves a small up-front investment by your client, and a recurring monthly cost.

If the private ISDN is not an option, you could also consider placing the monitoring server at your client's site and gaining access through its web-based interface. This way the information being received from your client's site is being received through an SSL connection. It is important to note that the monitoring "server" need not be true server-grade hardware or OS if implementation cost is an issue, though you will probably want the capacity to store and back up alert history.

-Terry
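To make Terry's point about the cleartext community string concrete, here is an added example (not code from the thread or from HP SIM) that builds a small SNMPv2c GetRequest with a constructed community value and then parses the header back out of the raw bytes, exactly as anyone on the path between the two firewalls could. It also shows the edge case where the parser must stop: an SNMPv3 message has a different header and no community field.

```python
"""Constructed example: show that an SNMPv1/v2c community string is readable
straight out of the packet bytes (BER-encoded, but not encrypted)."""

def tlv(tag: int, body: bytes) -> bytes:
    """Minimal BER encoder, short-form lengths only (enough for a small PDU)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def build_get_request(community: str, request_id: int = 42) -> bytes:
    """Constructed SNMPv2c GetRequest for sysDescr.0 (OID 1.3.6.1.2.1.1.1.0)."""
    oid = bytes([0x2B, 6, 1, 2, 1, 1, 1, 0])          # 1.3 is packed as 0x2B
    varbind = tlv(0x30, tlv(0x06, oid) + tlv(0x05, b""))  # OID + NULL value
    pdu = tlv(0xA0, tlv(0x02, bytes([request_id]))    # request-id
                    + tlv(0x02, b"\x00")              # error-status
                    + tlv(0x02, b"\x00")              # error-index
                    + tlv(0x30, varbind))             # variable bindings
    # version INTEGER 1 = v2c, community as a plain OCTET STRING, then the PDU
    return tlv(0x30, tlv(0x02, b"\x01") + tlv(0x04, community.encode()) + pdu)

def read_tlv(buf: bytes, pos: int):
    """Decode one BER TLV (short or long-form length); return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response",
             0xA3: "SetRequest", 0xA4: "Trap", 0xA7: "SNMPv2-Trap"}

def parse_snmp_header(packet: bytes) -> dict:
    """Return version, cleartext community and PDU type of an SNMPv1/v2c message."""
    tag, body, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    _, version, pos = read_tlv(body, 0)
    if version[0] not in (0, 1):
        # SNMPv3 (version 3) carries msgGlobalData here, not a community string
        raise ValueError(f"version {version[0]}: no community-based header to read")
    _, community, pos = read_tlv(body, pos)
    pdu_tag, pdu, _ = read_tlv(body, pos)
    _, request_id, _ = read_tlv(pdu, 0)
    return {"version": {0: "v1", 1: "v2c"}[version[0]],
            "community": community.decode(errors="replace"),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)),
            "request_id": int.from_bytes(request_id, "big")}

if __name__ == "__main__":
    print(parse_snmp_header(build_get_request("s3cretRO")))
```

Run against a real capture, the same parser would print the live community string; that is why the IPsec/VPN advice later in the thread matters even with a non-default string and tight firewall rules.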
Paul Kratz
Frequent Advisor

Re: SNMP over the Internet

I fully agree that SNMP over an unsecure network is not a good idea when you are not encrypting your connection.

Another option is to build a secure VPN connection with IPsec using your existing Internet connection and tunnel all your SNMP over this VPN.