01-12-2007 04:15 AM
Hi All
Please, how can I seriously tighten down SNMP access to the switches? IOS and CatOS.
This is to include a password so that only my PC can access them.
I have changed the following:
snmp-server community secret RW 10
snmp-server community aaaaa RO 10
snmp-server community bbbbb RW 10
snmp-server host 2.2.2.2 aaaaa (CiscoWorks server)
Did an access-list
access-list 10 permit 1.1.1.1 - my PC
access-list 10 permit 2.2.2.2 - CiscoWorks.
But someone ran an SNMP analyzer and was still able to gain access to the switch. How? What else do I still need to do to further enhance this?
Thanks
01-12-2007 09:19 AM
Was the person running the snmp analyzer from IP address 1.1.1.1 or 2.2.2.2? Other than this the access-list should prevent them from polling via RO or RW.
What kind of access did they gain?
You could try SNMPv3, which adds more security than v2c, including encryption.
01-15-2007 03:35 AM
Thanks.
They were actually trying it from a PC that was included in the access list.
Thanks for your help.
01-12-2007 09:20 AM
What kind of access did they gain? What community string did they end up using? You have done a good job securing SNMP here. My only comment would be why have two RW community strings? They are both granted the same access level to the same hosts.
If someone from a host other than 1.1.1.1 or 2.2.2.2 was able to poll this device using one of those three community strings, then there is a problem. We have seen bugs in the past, but they should all be fixed on newer versions of IOS. What version are you running?
Of course, if they were running the analyzer from either 1.1.1.1 or 2.2.2.2, then obtaining the SNMP community strings is a trivial task. The only step up from what you have now would be to convert to SNMPv3 authNoPriv. SNMPv3 authNoPriv will give you the added security of encrypted passwords while still allowing CiscoWorks to function.
More on securing SNMP, including configuring SNMPv3, can be found at http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094489.shtml .
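An added example, not taken from this thread or from the Cisco tech note, of the IOS configuration for the SNMPv3 approach the reply above suggests. It reuses ACL 10 and the hosts 1.1.1.1 and 2.2.2.2 from the original post; the names MGMT-VIEW, MGMT-GROUP and ciscoworks, and the passphrase placeholders, are assumptions. It uses authPriv rather than authNoPriv so that a capture taken from one of the permitted hosts (the situation described in the thread) reveals neither a credential nor the polled data. CatOS is not covered.

```text
! Added example: SNMPv3 authPriv replacing the v2c community strings from the
! original post. ACL 10 and hosts 1.1.1.1 / 2.2.2.2 are from the thread; the
! names MGMT-VIEW, MGMT-GROUP, ciscoworks and the passphrases are placeholders.
!
! 1. Rebuild the ACL with explicit host entries and a logged deny, so rejected
!    pollers appear in the log instead of being dropped silently.
no access-list 10
access-list 10 permit host 1.1.1.1
access-list 10 permit host 2.2.2.2
access-list 10 deny any log
!
! 2. A view bounds what the group may read or write. 'iso included' is the
!    whole tree; narrow it if the monitoring station needs less.
snmp-server view MGMT-VIEW iso included
!
! 3. The group requires v3 with authentication and encryption (priv) and is
!    still bound to ACL 10, so source filtering applies on top of credentials.
snmp-server group MGMT-GROUP v3 priv read MGMT-VIEW write MGMT-VIEW access 10
!
! 4. User credentials: SHA for authentication, AES-128 for privacy. AES needs
!    a crypto-capable (k9) image; older images may only offer 'priv des'.
snmp-server user ciscoworks MGMT-GROUP v3 auth sha AUTH-PASSPHRASE-HERE priv aes 128 PRIV-PASSPHRASE-HERE
!
! 5. Send traps to CiscoWorks as v3 priv instead of with a plaintext community.
snmp-server host 2.2.2.2 version 3 priv ciscoworks
!
! 6. Remove every v2c community. Leaving any of them in place means a capture
!    from a permitted host still yields a working read or write credential.
no snmp-server community secret
no snmp-server community aaaaa
no snmp-server community bbbbb
!
! 7. Verify (passphrases are not displayed):
!    show snmp user
!    show snmp group
!    show access-lists 10
```

If the management platform only supports authNoPriv, as the reply proposes, change `v3 priv` to `v3 auth` on the group line and drop the `priv aes 128 ...` clause from the user line. authNoPriv stops a sniffer on a permitted host from learning or replaying the credential (the packet carries a keyed hash, not the passphrase), but the OIDs and values polled still cross the wire in the clear; only priv removes that.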