05-12-2022 06:26 AM
For a customer I have to provide unlimited SNMP RO access to routers, but I at least want to avoid the customer being able to copy and see the configuration.
I read that SNMP RW is needed to initiate a file transfer. So far so good. Can you confirm this? Are there MIBs I have to exclude that allow the configuration/passwords to be seen?
Thanks in advance!
05-12-2022 06:36 AM
Hi
As far as I know you cannot exclude MIBs. If you provide RW access to the device, you are allowing them full manageability of your device. I mean, SNMP is 'zero' or 'one'.
05-12-2022 07:09 AM
I only grant RO access, but the customer shouldn't be able to read the config/passwords. You can include and exclude SNMP views, but it is hard to find out whether there are MIBs that allow reading the config.
05-12-2022 07:15 AM - edited 05-12-2022 07:16 AM
But then you are talking about some tools you have and you give them access? Because, if you give me access to your device with an RO community and I use my own SNMP management software, how do you filter what I will see on the device if I have the whole device MIB?
05-12-2022 07:30 AM
My question isn't how to configure this; I know this, it definitely works this way. But I don't know the critical MIBs, this is what I am asking for.
05-12-2022 08:35 AM - edited 05-12-2022 08:37 AM
Customer has a separate community with RO access
OK.
Access is controlled with ACLs
OK. Nothing changes here. It prevents me from accessing, but the client will be able to.
Attached to the community is a view
Not sure what you mean, I cannot see an attachment.
MIB exclude (blacklist) in the view should avoid that the customer can see the configuration
That's the point. If you are referring to some specific tool like Zabbix, PRTG, etc., I get it. What I am trying to say is this: as long as I have my tool and I can access the switch in read mode, I can read everything possible.
My question isn't how to configure this; I know this, it definitely works this way. But I don't know the critical MIBs, this is what I am asking for.
Then you need to download a "MIB reader", download the switch MIB, open up the MIB and look through the whole MIB tree.
And I have a quick story to tell. Long ago I recovered access to a firewall using SNMP because we were locked out. But those were old devices. New devices have improved password management. For example, we were able to decrypt Cisco switch passwords and now we can't.
05-13-2022 02:30 AM
Limit access to MIBs, for example:
snmp-server view customer iso included
snmp-server view customer ciscoConfig excluded
snmp-server view customer ciscoMgmt excluded
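As an added example (not part of the post above, and not Cisco's own tooling), the following Python models how an IOS SNMP view is evaluated, so you can check offline which OIDs a customer's RO poller could still read before committing the view. The matching rule used here, "the longest matching subtree decides, and an OID under no subtree is not visible", is my model of IOS behaviour; the numeric prefixes for the named subtrees (ciscoMgmt = 1.3.6.1.4.1.9.9, CISCO-CONFIG-MAN-MIB under .43, CISCO-CONFIG-COPY-MIB under .96, CISCO-MEMORY-POOL-MIB under .48) are the standard assignments, stated here as assumptions, and the probe OIDs are a constructed sample. It also shows a narrower alternative view: excluding all of ciscoMgmt, as in the post, also hides the Cisco monitoring MIBs (memory pools, CPU, environment), whereas excluding only the two config-related modules keeps those for the customer. Note that a config copy via CISCO-CONFIG-COPY-MIB requires SNMP SET on the ccCopyTable, so an RO community cannot trigger it regardless of the view.

```python
"""Model of Cisco IOS SNMP view evaluation for a read-only community.
Added example, not from the thread or from Cisco. Numeric prefixes are the
assumed standard OID assignments for the MIB modules named below."""
from typing import Dict, List, Optional, Tuple

# Symbolic subtree names -> numeric prefix (assumed values).
OID_NAMES: Dict[str, str] = {
    "iso": "1",
    "system": "1.3.6.1.2.1.1",                   # SNMPv2-MIB system group
    "ifTable": "1.3.6.1.2.1.2.2",                # IF-MIB interface table
    "ciscoMgmt": "1.3.6.1.4.1.9.9",              # parent of all CISCO-*-MIB modules
    "ciscoConfigManMIB": "1.3.6.1.4.1.9.9.43",   # CISCO-CONFIG-MAN-MIB
    "ciscoMemoryPoolMIB": "1.3.6.1.4.1.9.9.48",  # CISCO-MEMORY-POOL-MIB
    "ciscoConfigCopyMIB": "1.3.6.1.4.1.9.9.96",  # CISCO-CONFIG-COPY-MIB
}

View = List[Tuple[str, str]]  # (subtree name or numeric OID, "included"/"excluded")

# Constructed view mirroring the commands in the post above: everything
# under iso is visible except the whole ciscoMgmt tree.
VIEW_BROAD: View = [("iso", "included"), ("ciscoMgmt", "excluded")]

# Constructed alternative: keep ciscoMgmt for monitoring, hide only the
# config-related modules.
VIEW_NARROW: View = [
    ("iso", "included"),
    ("ciscoConfigManMIB", "excluded"),
    ("ciscoConfigCopyMIB", "excluded"),
]


def parse_oid(oid: str) -> Tuple[int, ...]:
    """'1.3.6.1.2.1.1.1.0' -> (1, 3, 6, 1, 2, 1, 1, 1, 0); a leading dot is tolerated."""
    return tuple(int(part) for part in oid.strip(".").split("."))


def resolve(name: str) -> Tuple[int, ...]:
    """Map a subtree name to its prefix, or parse it if already numeric."""
    return parse_oid(OID_NAMES.get(name, name))


def view_allows(view: View, oid: str) -> bool:
    """Longest matching subtree decides; no matching subtree means not visible."""
    target = parse_oid(oid)
    best: Optional[Tuple[int, str]] = None
    for name, action in view:
        subtree = resolve(name)
        if target[: len(subtree)] == subtree:
            if best is None or len(subtree) > best[0]:
                best = (len(subtree), action)
    return best is not None and best[1] == "included"


def render_view(view_name: str, view: View) -> List[str]:
    """IOS configuration lines equivalent to the view."""
    return [f"snmp-server view {view_name} {name} {action}" for name, action in view]


def visible_oids(view: View, oids: Dict[str, str]) -> Dict[str, bool]:
    """Evaluate a set of labelled OIDs against the view."""
    return {label: view_allows(view, oid) for label, oid in oids.items()}


# Constructed probe set: objects a customer poller would typically GET.
# Instance suffixes (.0, .1, .7) are arbitrary sample indexes.
PROBES: Dict[str, str] = {
    "sysDescr.0": "1.3.6.1.2.1.1.1.0",
    "ifDescr.1": "1.3.6.1.2.1.2.2.1.2.1",
    "ciscoMemoryPoolUsed.1": "1.3.6.1.4.1.9.9.48.1.1.1.5.1",
    "ccmHistoryRunningLastChanged.0": "1.3.6.1.4.1.9.9.43.1.1.1.0",
    "ccCopyState.7": "1.3.6.1.4.1.9.9.96.1.1.1.1.10.7",
}

if __name__ == "__main__":
    for label, view in (("broad", VIEW_BROAD), ("narrow", VIEW_NARROW)):
        print("\n".join(render_view(f"customer_{label}", view)))
        for probe, ok in visible_oids(view, PROBES).items():
            print(f"  {probe:32} {'visible' if ok else 'hidden'}")
        print()
```

Running it prints both views as IOS commands followed by the verdict for each probe: with the broad view the memory-pool counter is hidden together with the config MIBs, with the narrow view it stays visible while the CISCO-CONFIG-MAN-MIB and CISCO-CONFIG-COPY-MIB objects remain hidden. A view with no included subtree at all exposes nothing, so a typo in the included line fails closed rather than open.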
05-13-2022 03:18 AM - edited 05-13-2022 03:18 AM
Thank you very much for sharing. I've been working in Telecom for a while now and I did not know that.
That's really great information to share. Give yourself the right answer please!
Thank you.
05-13-2022 03:57 AM
You are welcome
05-12-2022 08:19 AM
I don't recall, for SNMP (even RO) access, that you can selectively control what parts of MIBs can be accessed (although, perhaps as you note, MIB OIDs might be tied to an SNMP community?). I.e., as @Flavio Miranda mentions, it might be all-or-nothing access. (Of course, RO access should preclude updating/revising via SNMP.)
As to guarding passwords, I recall (?) that if service password is active, displaying a config will show passwords as encrypted, not in "clear". However, for weak-algorithm passwords, the encrypted versions can be very easily broken.