That all sounds pretty standard. There are still a few risks you want to be aware of and either accept or mitigate.
SNMP v2 and previous were not encrypted, so the community "password" and data could be discovered by an attacker via sniffing. If this concerns you, you could get around this by using SNMP v3, tunneling through IPSec, SSL or SSH, etc.

SNMP is largely over UDP, where spoofing the source IP is trivial, so the source IP restrictions only buy you so much assurance. The encrypted tunneling methods above also give you an improved ability to confirm the identity of the remote system and more assurance.

With many SNMP implementations, there is often little audit logging done to detect intrusions. Host-based and/or network IDS / IPS may be one way to try to improve on the logging if desired.

Software vulnerabilities are discovered in SNMP implementations from time to time, so you may also want to consider what patch management options you have or need in order to be able to rapidly push software updates for various OSes.

All of this is optional, depending on your tolerance for risk.

regards,
karl levinson

> -----Original Message-----
> From: [EMAIL PROTECTED]
>
> We could use some guidance regarding SNMP. Below are the requirements we were given and our proposed approach. What, if any, issues do you see with our approach? Have you implemented something like this in your environment, and if so, how many devices do you have conforming to a similar requirement?
>
> Requirements: Using one standard community name, enable SNMP read capabilities on all devices supporting SNMP services throughout the corporate network, while mitigating risk of any known vulnerability.
>
> Approach: On all supported platforms (i.e. Windows, Solaris, Linux, AIX, etc.) configure the SNMP Service using a unique community name with read only rights and configure the community name to accept packets from specified trusted hosts.
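The points raised in the reply (cleartext v1/v2c communities, default community names, source restrictions that UDP spoofing can bypass, and v3 without privacy) can be turned into a quick configuration check. The following is an added example, not code from the thread or its participants; it audits a net-snmp style snmpd.conf using the `rocommunity`/`rwcommunity` and `rouser`/`rwuser` directives, and the sample configuration it runs against is constructed for illustration.

```python
"""Audit a net-snmp style snmpd.conf for the risks discussed in the thread:
cleartext v1/v2c communities, default community names, communities that
accept packets from any source, and SNMPv3 users allowed without privacy.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Community names that every scanner tries first.
DEFAULT_COMMUNITIES = {"public", "private"}
V3_LEVELS = {"noauth", "auth", "priv"}


@dataclass
class Finding:
    line_no: int
    severity: str   # "high", "medium" or "low"
    message: str


def source_is_restricted(source):
    """True if a rocommunity/rwcommunity SOURCE token limits senders.
    net-snmp treats a missing source or the word 'default' as 'any host'."""
    if source is None or source.lower() == "default":
        return False
    try:
        # 0.0.0.0/0 is a source restriction in name only
        return ipaddress.ip_network(source, strict=False).prefixlen > 0
    except ValueError:
        return True   # a hostname; assume it names a specific trusted host


def audit_snmpd_conf(text):
    """Return a list of Finding objects for the given snmpd.conf text."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        directive = parts[0].lower()

        if directive in ("rocommunity", "rwcommunity") and len(parts) >= 2:
            community = parts[1]
            # the third token is the SOURCE unless it is the "-V VIEW" option
            source = parts[2] if len(parts) >= 3 and parts[2] != "-V" else None
            findings.append(Finding(line_no, "low",
                "v1/v2c community travels in cleartext; prefer SNMPv3 or an encrypted tunnel"))
            if directive == "rwcommunity":
                findings.append(Finding(line_no, "high", "write access granted over v1/v2c"))
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(Finding(line_no, "high", f"default community name '{community}'"))
            if not source_is_restricted(source):
                findings.append(Finding(line_no, "medium",
                    "community accepts packets from any source "
                    "(and UDP source checks are spoofable in any case)"))

        elif directive in ("rouser", "rwuser") and len(parts) >= 2:
            # net-snmp defaults the minimum security level to 'auth' when omitted
            level = parts[2].lower() if len(parts) >= 3 and parts[2].lower() in V3_LEVELS else "auth"
            if level != "priv":
                findings.append(Finding(line_no, "medium",
                    f"SNMPv3 user '{parts[1]}' allowed at level '{level}'; payloads are not encrypted"))
    return findings


def count_by_severity(findings):
    """Summarise findings as {severity: count}."""
    return dict(Counter(f.severity for f in findings))


# Constructed sample configuration (not taken from any real host).
SAMPLE_CONF = """\
# constructed example snmpd.conf
rocommunity public
rocommunity m0nitor-r0 10.20.30.0/24
rwcommunity private
rouser nms auth
rouser nms-priv priv
"""

if __name__ == "__main__":
    for f in audit_snmpd_conf(SAMPLE_CONF):
        print(f"line {f.line_no} [{f.severity}] {f.message}")
    print(count_by_severity(audit_snmpd_conf(SAMPLE_CONF)))
```

Run it against a real snmpd.conf by replacing `SAMPLE_CONF` with the file's contents; the "low" finding on every v1/v2c community is deliberate, since even a restricted, non-default community still carries the cleartext exposure the reply describes.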
