RE: Securing SNMP [7:44605]
Check out the SNMP section in this doc:
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ics/cs003.htm

In addition to the above suggestions, I would add:

- Do not allow SNMP write capability; you almost never need it.

- Choose a _strong_ SNMP RO community. It should contain special characters such as #,$,@,&,^, etc. It's usually useful to pick a phrase that you can remember, such as "all engineers choose good passwords", pick the first letter or letters from each word: "all e c g p" and then selectively substitute special chars for certain alpha chars: "@ll $ c g )" for example. DO NOT pick things like company name, organization name, sports team mascots, pets' names, etc. In general, treat the SNMP community string with the same care you would want the administrator of your payroll server to use for their password (and assume if the payroll gets compromised, you don't get paid).

- Consider using SNMPv3 so that you can use encryption. Alternatively, set up an IPSec tunnel between the monitoring stations and the routers for securing SNMP-based communications.

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Postman Pat
Sent: Tuesday, May 21, 2002 4:49 AM
To: [EMAIL PROTECTED]
Subject: Securing SNMP [7:44605]

Greetings,
I would like to run SNMP on my router and would like some advice on how I could secure it. I would also like some input from you guys on whether you recommend SNMP at all as it seems like the only route that I can take in monitoring traffic on our internet access link.

Regards
LK

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=44622&t=44605
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
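An added example, not part of the original posts: a small Python check that applies the advice above (no write access, a strong community string, an access list limiting SNMP sources) to the `snmp-server community` lines of an IOS configuration. The sample configuration, the `examplecorp` word and the NMS address 192.0.2.10 are constructed, and treating `public`/`private` as guessable is an assumption of this example.

```python
import re
import string

# Basic IOS form: snmp-server community <string> [view <name>] [ro|rw] [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<name>\S+)(?: view \S+)?"
    r"(?: (?P<mode>ro|rw))?(?: (?P<acl>\S+))?$",
    re.IGNORECASE,
)

def weak_community(name, site_words=()):
    """Reasons a community string is weak; an empty list means none found."""
    reasons = []
    # "public"/"private" are common defaults (assumption of this example);
    # site_words holds lower-case company names, mascots and the like.
    if any(w in name.lower() for w in ("public", "private", *site_words)):
        reasons.append("contains a default or guessable word")
    if not any(c in string.punctuation for c in name):
        reasons.append("no special characters")
    return reasons

def audit(config, site_words=()):
    """Return (community, finding) pairs for every snmp-server community line."""
    findings = []
    for raw in config.splitlines():
        line = " ".join(raw.split())  # normalise whitespace
        if not line.lower().startswith("snmp-server community "):
            continue
        m = COMMUNITY_RE.match(line)
        if m is None:
            findings.append((line, "unrecognised syntax, review by hand"))
            continue
        name = m["name"]
        # IOS treats a community with no ro/rw keyword as read-only.
        if (m["mode"] or "ro").lower() == "rw":
            findings.append((name, "write access enabled"))
        if m["acl"] is None:
            findings.append((name, "no access list restricting SNMP sources"))
        findings.extend((name, r) for r in weak_community(name, site_words))
    return findings

# Constructed sample configuration (not from the thread); 192.0.2.10 stands in for the NMS.
SAMPLE_CONFIG = """\
access-list 10 permit 192.0.2.10
snmp-server community public RO
snmp-server community examplecorp RW 10
snmp-server community @ll$cg) RO 10
"""

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_CONFIG, site_words=("examplecorp",)):
        print(f"{name}: {finding}")
```

The check only confirms that an access list is referenced; whether that list actually permits just the monitoring station still has to be read from the `access-list` lines.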
Re: Securing SNMP [7:44605]
hi,

you may
- define an access-list let only the host you want to to snmp access the kit
- enable ip verify unicast reverse path checking on all interfaces.

cheers!
sen

Quoting Langa Kentane :
> Any way to configure anti-spoofing on the router, since it's trivial to
> spoof UDP packets?
>
> ---
> Pat-
>
> I create an access list that allows one ip address (my NMS) and denies all
> others.
>
> Collin
>
> "Postman Pat" wrote in message
> news:...
> > Greetings,
> > I would like to run SNMP on my router and would like some advice on how I
> > could secure it. I would also like some input from you guys on whether you
> > recommend SNMP at all as it seems like the only route that I can take in
> > monitoring traffic on our internet access link.
> >
> > Regards
> >
> > LK

cheers
- sen

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=44621&t=44605
Re: Securing SNMP [7:44605]
Yes. If your network is 192.168.1.0/24 deny all packets trying to enter your network with a source of 192.168.1.x.

Dave

Langa Kentane wrote:
>
> Any way to configure anti-spoofing on the router, since it's trivial to
> spoof UDP packets?
>
> ---
> Pat-
>
> I create an access list that allows one ip address (my NMS) and denies all
> others.
>
> Collin
>
> "Postman Pat" wrote in message
> news:...
> > Greetings,
> > I would like to run SNMP on my router and would like some advice on how I
> > could secure it. I would also like some input from you guys on whether you
> > recommend SNMP at all as it seems like the only route that I can take in
> > monitoring traffic on our internet access link.
> >
> > Regards
> >
> > LK

--
David Madland
Sr. Network Engineer
CCIE# 2016
Qwest Communications Int. Inc.
[EMAIL PROTECTED]
612-664-3367

"Emotion should reflect reason not guide it"

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=44618&t=44605
Re: Securing SNMP [7:44605]
Any way to configure anti-spoofing on the router, since it's trivial to spoof UDP packets?

---
Pat-

I create an access list that allows one ip address (my NMS) and denies all others.

Collin

"Postman Pat" wrote in message
news:...
> Greetings,
> I would like to run SNMP on my router and would like some advice on how I
> could secure it. I would also like some input from you guys on whether you
> recommend SNMP at all as it seems like the only route that I can take in
> monitoring traffic on our internet access link.
>
> Regards
>
> LK

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=44610&t=44605