SNMP, how secure?

jlazzaro

May 6, 2004
How safe are RW SNMP community strings? Are they easily susceptible to brute-force attacks? Sure, a longer string would delay an attacker, but would it just be a matter of time?

CiscoWorks requires a RW string to pull/push IOS images, as well as another SNMP command enabling remote reloads. While it would make my life easier, just the thought of it scares me ;x

Maybe an ACL to limit SNMP traffic from just the CW server would negate the risk...
 

spidey07

Aug 4, 2000
Use SNMP version 3 and put ACLs on the device. You can tell the device to only accept SNMP from trusted management stations.
 

nweaver

Jan 21, 2001
Yeah, SNMP v3 and an ACL to limit who can send the packets is OK.

I really wish we could replace some older gear with crypto images (with SSH support).
 

cmetz

Nov 13, 2001
jlazzaro, SNMPv1 and v2 send community strings over the network in cleartext, so anyone who can sniff can get them. That's not very good security. v3 uses cryptographic means to protect that information (I believe it's encrypted, but would need to check - just in case it's actually a hash protocol or something).
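
An added example, not part of any post in this thread: a small Python check that reads an IOS-style configuration and flags SNMP communities that are not bound to a defined ACL, which is the restriction the replies above recommend. The sample configuration, community names, user name and addresses are constructed placeholders, and `snmp-server system-shutdown` is assumed to be the remote-reload command the first post alludes to.

```python
import re

# Constructed sample config; every name, string and address is a placeholder.
SAMPLE_CONFIG = """\
access-list 10 permit host 192.0.2.10
access-list 10 deny any log
snmp-server community EXAMPLE-RO RO
snmp-server community EXAMPLE-RW RW
snmp-server community EXAMPLE-RW2 RW 10
snmp-server community EXAMPLE-RW3 RW 99
snmp-server group NMS-RW v3 priv write v1default access 10
snmp-server user cwadmin NMS-RW v3 auth sha AUTH-PLACEHOLDER priv aes 128 PRIV-PLACEHOLDER
snmp-server system-shutdown
"""

COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view \S+)? (RO|RW)(?: (\S+))?$", re.I)
# Matches numbered ACLs and "ip access-list standard|extended NAME" headers.
ACL_RE = re.compile(r"^(?:ip )?access-list (?:standard |extended )?(\S+)", re.I)
GROUP_RE = re.compile(r"^snmp-server group (\S+) v3 (noauth|auth|priv)\b", re.I)


def audit_snmp(config: str) -> list[str]:
    """Return one finding per risky SNMP line, in config order."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    defined_acls = {m.group(1) for ln in lines if (m := ACL_RE.match(ln))}
    findings = []
    for line in lines:
        if m := COMMUNITY_RE.match(line):
            name, mode, acl = m.group(1), m.group(2).upper(), m.group(3)
            if acl is None:
                findings.append(f"{mode} community {name}: no ACL, accepted from any source")
            elif acl not in defined_acls:
                findings.append(f"{mode} community {name}: ACL {acl} is not defined")
        elif (g := GROUP_RE.match(line)) and g.group(2).lower() != "priv":
            findings.append(f"v3 group {g.group(1)}: level {g.group(2)} leaves SNMP payloads unencrypted")
        elif line.lower() == "snmp-server system-shutdown":
            findings.append("system-shutdown enabled: a write-capable SNMP peer can reload the device")
    return findings


if __name__ == "__main__":
    for finding in audit_snmp(SAMPLE_CONFIG):
        print(finding)
```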