security over snmp monitoring

Q: I don't feel comfortable to allow my ISP to monitoring my Internet router. How to address such concerns?

A: Simple Network Management Protocol (SNMP) is a standard protocol defined by IEFT (RFC1157) for monitoring and configuration management of IP devices. 

SNMP operates in a client-server architecture. SNMP agent (snmp client) exists in most enterprise grade routers, switches, servers, workstations, printers, etc. Using on a set of MIB (defined by vendor, on what information to be captured or controlled by the agent), the agent communicates with a typical remote Network Management Server (snmp server), such as mfusion and some other commercial NMS software, for reporting, data presentation/monitoring and configuration policy push.

The common operating modes are (configurable by administrator), snmp GET, TRAP/INFORM, and SET. And we can configure the agent with read-only or read-write rights.

In a GET mode, the NMS pulls/asks data from agent, referencing to sets of OID (which must exist on the agent device). This is a common operating mode for most device status/performance monitoring and only requires read-only rights (can't change device configuration); in a TRAP mode, the agent pushes trap message to the NMS on device status changes; SET is usually for NMS to push policy changes to the device and would require read-write rights.

SNMP protocols also have multiple versions, eg. v1, v2c, v3, etc, which comes with different level of security. the commonly used version is 2c, and more secure on is v3.

So why is it safe for an ISP mfusion/NMS to monitor customer devices? Because the devices can be secured to permit such operational needs.

1. mfusion only GET device operating status using some specific OIDs allowable by the device, eg. CPU/Memory utilization, interface/link utilization etc. It can not collect user traffic or alter device configurations. There's no infringement of personal privacy or danger of screwing up customer network.

2. the device can be configured to only allow specific mfusion/NMS IP to GET/read such information, with a secure/defined community string (if using v2c) or username & password (if using v3), without leaking info to unauthorized malicious NMS probe.

3. Some vendors (eg. Cisco) can block NMS with only access to limited MIBs, intended for the permissible info only.

Below is an example of Cisco router configuration. It permits mfusion/NMS with IP of 1.1.1.1 only, and must be authenticated with community string securepass to remotely "read" interface/link utilization only (ifInOctets, ifoutOctets)

!

snmp-server view securesnmp ifInOctets.*.* included

snmp-server view securesnmp ifoutOctets.*.* included

!

access-list 11 permit 1.1.1.1

!

snmp-server community securepass view securesnmp RO 11

!