30 March 2010

HowTo Disable SNMP with Security

The Simple Network Management Protocol (SNMP) is
the standard Internet protocol for automated remote
monitoring and administration. There are several different
versions of SNMP, with different security properties. If a
network has a deployed SNMP infrastructure in place for
administration, then all routers on that network should be
configured to securely participate in it. In the absence of a
deployed SNMP scheme, all SNMP facilities on all routers
should be disabled using these steps:

• Explicitly unset (erase) all existing community strings.
• Disable SNMP system shutdown and trap features.
• Disable SNMP system processing.

The example below shows how to disable SNMP by implementing
these recommendations. It starts with listing the current configuration
to find the SNMP community strings; note that SNMP must be enabled
in order for the SNMP community strings to appear in the configuration
listing. The configuration listing is often quite long, so you may want
to use IOS output filtering to display only the lines related to SNMP
(under IOS 12.0 and earlier, you must simply list the entire
configuration and inspect it visually).

ro-sec# show running-config | include snmp
Building configuration...
snmp-server community public RO
snmp-server community admin RW

ro-sec#
ro-sec# config t
Enter configuration commands, one per line. End with CNTL/Z.
ro-sec(config)# ! erase old community strings
ro-sec(config)# no snmp-server community public RO
ro-sec(config)# no snmp-server community admin RW
ro-sec(config)#
ro-sec(config)# ! disable SNMP trap and system-shutdown features
ro-sec(config)# no snmp-server enable traps
ro-sec(config)# no snmp-server system-shutdown
ro-sec(config)# no snmp-server trap-auth
ro-sec(config)#
ro-sec(config)# ! disable the SNMP service
ro-sec(config)# no snmp-server
ro-sec(config)# end

The last command in the example, no snmp-server, shuts down
all SNMP processing on the router. When SNMP processing is
shut down, some SNMP configuration statements will not appear
in any listing of the running configuration, but they can still be there!
The safest way to ensure that SNMP is really unavailable to an
attacker, and will remain so, is to list the established SNMP
community strings and explicitly unset them as shown above.
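
The following is an added example, not part of the NSA guide: a Python sketch that reads a saved "show running-config" listing, finds every community string, and builds the unset and disable commands used in the session above. The sample configuration, the function names and the regular expression are constructed for illustration.

```python
import re

# Constructed sample of "show running-config" output (not from a real device).
SAMPLE_CONFIG = """\
hostname ro-sec
snmp-server community public RO
snmp-server community admin RW
snmp-server enable traps
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
"""

# Matches "snmp-server community <string> [options...]" (options such as RO/RW).
COMMUNITY_RE = re.compile(r"^\s*snmp-server\s+community\s+(\S+)\s*(.*)$", re.I)

# Fixed commands, in the order the page's example session issues them.
DISABLE_TAIL = [
    "no snmp-server enable traps",
    "no snmp-server system-shutdown",
    "no snmp-server trap-auth",
    "no snmp-server",
]

def snmp_lines(config):
    """Return every active snmp-server statement found in the listing."""
    return [l.strip() for l in config.splitlines()
            if l.strip().lower().startswith("snmp-server")]

def communities(config):
    """Return (community string, trailing options) for each community line."""
    found = []
    for line in config.splitlines():
        m = COMMUNITY_RE.match(line)
        if m:
            found.append((m.group(1), m.group(2).strip()))
    return found

def remediation(config):
    """Unset each listed community explicitly, then disable SNMP processing."""
    cmds = [f"no snmp-server community {name} {opts}".strip()
            for name, opts in communities(config)]
    return cmds + DISABLE_TAIL

if __name__ == "__main__":
    for cmd in remediation(SAMPLE_CONFIG):
        print(cmd)
```

Capture the listing while SNMP is still enabled, since community strings only appear in the configuration listing in that state. Running snmp_lines over a listing taken after the change shows whether any snmp-server statement is still visible.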


[SRC] NSA
 
biOos
