Possible to see configuration with snmp ro community

ruerue
Level 1

For a customer I have to provide unlimited SNMP RO access to routers, but I at least want to avoid the customer being able to copy and see the configuration.

I read that SNMP RW is needed to initiate a file transfer. So far so good. Can you confirm this? Are there MIBs I have to exclude which allow seeing the configuration/passwords?

Thanks in advance!

9 Replies

Hi

As far as I know you cannot exclude MIBs. If you provide RW access to the device, you are allowing them full manageability of your device. I mean, SNMP is 'zero' or 'one'.

I only grant RO access, but the customer shouldn't be able to read config/passwords. You can include and exclude snmp views, but it is hard to find if there are MIBs which allow to read the config.

But then you are talking about some tools you have and you give them access? Because, if you give me access to your device with an RO community and I am using my own SNMP management software, how do you filter what I will see on the device if I have the whole device MIB?

  1. Customer has a separate community with RO access
  2. Access is controlled with ACLs
  3. Attached to the community is a view
  4. MIB exclude (blacklist) in the view should avoid that the customer can see the configuration

My question isn't how to configure this, I know this, it definitely works this way. But I don't know the critical MIBs, this is what I am asking for.

 

Customer has a separate community with RO access

OK.

Access is controlled with ACLs

OK. Nothing changes here. It prevents me from accessing, but the client will.

 

Attached to the community is a view

Not sure what you mean; I cannot see "attach".


MIB exclude (blacklist) in the view should avoid that the customer can see the configuration

That's the point. If you are referring to some specific tool like Zabbix, PRTG, etc., I get it. What I am trying to say is that, as long as I have my tool and I can access the switch in read mode, I can read everything possible.


My question isn't how to configure this, I know this, it definitely works this way. But I don't know the critical MIBs, this is what I am asking for.

Then you need to download a "MIB reader", download the switch MIB, open up the MIB and look through the whole MIB tree.

And I have a quick story to tell. Long ago I recovered access to a firewall using SNMP because we were locked out. But those were old devices. New devices improved password management. For example, we were able to decrypt Cisco switch passwords and now we can't.

 

Limit access to MIBs, for example:

snmp-server view customer iso included
snmp-server view customer ciscoConfig excluded
snmp-server view customer ciscoMgmt excluded
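As an added example, not part of this thread and not Cisco's own tooling: a small Python model of how a view like the one above decides what an RO community can read, so the view can be checked against a list of subtrees before the community is handed to the customer. It follows the VACM rule from RFC 3415: among the view entries whose subtree is a prefix of the queried OID, the most specific (longest) entry wins, and an OID matched by no entry is not visible. The numeric OIDs for iso, system, ifTable and ciscoMgmt are the standard ones; the thread does not give an OID for "ciscoConfig", so the one below is a labelled placeholder, and Cisco's wildcard syntax in view OIDs is not handled.

```python
"""Model SNMP view resolution (include/exclude subtrees, most specific
entry wins) to audit what a read-only community can see.

Added example, not from the forum thread. OIDs for iso, system, ifTable
and ciscoMgmt are standard; ciscoConfig is a PLACEHOLDER value.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class ViewEntry:
    subtree: tuple  # OID as a tuple of ints
    included: bool  # True for 'included', False for 'excluded'


# Symbolic names -> numeric OIDs.
OID_NAMES = {
    "iso": (1,),
    "system": (1, 3, 6, 1, 2, 1, 1),            # MIB-II system group
    "ifTable": (1, 3, 6, 1, 2, 1, 2, 2),        # MIB-II interfaces table
    "ciscoMgmt": (1, 3, 6, 1, 4, 1, 9, 9),      # Cisco management MIBs
    "ciscoConfig": (1, 3, 6, 1, 4, 1, 9, 999),  # PLACEHOLDER, not a real OID
}


def parse_oid(text):
    """Accept a symbolic name, '1.3.6.1.2.1.1' or '.1.3.6.1.2.1.1'."""
    if text in OID_NAMES:
        return OID_NAMES[text]
    return tuple(int(p) for p in text.strip(".").split("."))


def parse_view(config_lines, view_name):
    """Collect the entries of one named view from
    'snmp-server view <name> <oid> included|excluded' lines."""
    entries = []
    for line in config_lines:
        parts = line.split()
        if len(parts) != 5 or parts[:2] != ["snmp-server", "view"]:
            continue
        if parts[2] != view_name:
            continue
        entries.append(ViewEntry(parse_oid(parts[3]), parts[4] == "included"))
    return entries


def is_visible(view, oid):
    """VACM resolution: longest matching subtree decides; no match -> hidden."""
    oid = parse_oid(oid)
    best = None
    for entry in view:
        if oid[: len(entry.subtree)] == entry.subtree:
            if best is None or len(entry.subtree) > len(best.subtree):
                best = entry
    return best is not None and best.included


def audit(view, oids):
    """Map each OID (name or dotted string) to whether the view exposes it."""
    return {oid: is_visible(view, oid) for oid in oids}


# Constructed to mirror the view posted in the thread.
CONFIG = [
    "snmp-server view customer iso included",
    "snmp-server view customer ciscoConfig excluded",
    "snmp-server view customer ciscoMgmt excluded",
]

if __name__ == "__main__":
    customer_view = parse_view(CONFIG, "customer")
    checks = ["system", "ifTable", "ciscoMgmt",
              "1.3.6.1.4.1.9.9.43.1.1.1.0",  # something under ciscoMgmt
              "1.3.6.1.4.1.9.2.1.1"]         # Cisco enterprise, outside ciscoMgmt
    for oid, visible in audit(customer_view, checks).items():
        print(f"{oid:32} {'VISIBLE' if visible else 'hidden'}")
```

The useful output is the list of subtrees that remain visible: because the view starts from "iso included", anything not explicitly excluded (here, everything under the Cisco enterprise tree outside ciscoMgmt) is still readable, which is exactly the gap the original question is trying to close.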


Thank you very much for sharing. I've been working in Telecom for a while now and I did not know that.

That's really great information to share. Give yourself the right answer please!

 

Thank you.

You are welcome

Joseph W. Doherty
Hall of Fame

I don't recall, for SNMP (even RO) access, that you can selectively control what part of MIBs can be accessed (although, perhaps as you note, MIB OIDs might be tied to an SNMP community?). I.e., as @Flavio Miranda mentions, it might be all-or-nothing access. (Of course, RO access should preclude updating/revising via SNMP.)

As to guarding passwords, I recall (?) if service password is active, displaying a config will show passwords as encrypted, not in "clear".  However, for weak algorithm passwords, encrypted versions can be very easily broken.
