05-16-2006 09:23 PM - edited 03-09-2019 02:56 PM
In a router, if the configuration is as below, is it using SNMPv3 security features?
snmp-server engineID local xxxx
snmp-server community xxxx RO
snmp-server community xxxx RW
snmp-server enable traps tty
05-16-2006 11:53 PM
Hi,
SNMP configuration (except for snmpv1) normally has the keyword 'v', e.g. v3 to indicate the snmp version.
Refer to the following example on how snmpv3 is configured in router:
Other resources to refer:
->SNMPv3:
->Cisco IOS Network Management Command Reference, Release 12.4T
->Improving Security on Cisco Routers:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml#snmp
->Understanding System Management Configuration Management
Rgds,
AK
05-16-2006 11:57 PM
SNMPv1 does not require the 'v1' keyword (default), and this is matched with your config - running snmpv1.
Rgds,
AK
05-17-2006 03:03 AM
What exactly is the risk in having SNMPv1 ... what is the worst that can happen if the configuration is on an internal segment?
Rgds,
Ranjit
05-17-2006 12:45 PM
Hi,
In SNMPv1, the transferred/exchanged SNMP data is not encrypted. It's in clear text format. Somebody with a sniffing tool can pick up this traffic and view the device config/status. It could get worse if the intercepted info between managed network devices and the management machine is running in read-write (RW) mode. In SNMPv3, everything is fully encrypted.
How safe using SNMPv1 vs SNMPv3 is depends on your business requirements, how critical the managed network infra devices are and how critical/sensitive that SNMP/management data is to your organization.
But I believe the banking sector normally has a strict security policy, including on network infra.
Hope this helps.
Rgds,
AK
05-18-2006 12:26 AM
Yes, they do have a strict security policy and that's why you have IT auditors who check against the policies.
In essence, at most someone can view the config and, if it is in RW mode, change the config.
Thanks for your help.
05-20-2006 11:40 PM
Their security policy can't be very strict if it allows something like
snmp-server community xxxx RW
with no access list.
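
An added example, not part of the thread and not Cisco's code: a small Python audit over `snmp-server` lines that answers the original question (is the v3 keyword present?) and flags the points raised in the replies: community-based access in clear text, RW communities, and communities with no access list. Both sample configurations are constructed; NMS-GROUP, OLD-GROUP, nmsuser, ACL 10 and the finding codes are assumptions, and the check for v3 groups below the priv level goes beyond what the thread discusses.

```python
# Constructed sample modelled on the configuration quoted in the first post.
THREAD_CONFIG = """\
snmp-server engineID local xxxx
snmp-server community xxxx RO
snmp-server community xxxx RW
snmp-server enable traps tty
"""

# Constructed v3 sample; group/user names and ACL number are assumptions.
V3_CONFIG = """\
access-list 10 permit 192.0.2.10
snmp-server group NMS-GROUP v3 priv access 10
snmp-server user nmsuser NMS-GROUP v3 auth sha xxxx priv aes 128 xxxx
snmp-server group OLD-GROUP v3 auth
"""


def audit_snmp(config):
    """Return (line_number, code) findings for snmp-server community/group lines."""
    findings = []
    for num, raw in enumerate(config.splitlines(), 1):
        tok = raw.split()
        if tok[:1] != ["snmp-server"] or len(tok) < 3:
            continue
        if tok[1] == "community":
            rest = [t.lower() for t in tok[3:]]      # tok[2] is the community string
            if "view" in rest:                       # drop the "view <name>" pair
                i = rest.index("view")
                del rest[i:i + 2]
            findings.append((num, "COMMUNITY_CLEARTEXT"))   # v1/v2c: nothing encrypted
            if "rw" in rest:
                findings.append((num, "COMMUNITY_RW"))      # config can be changed
            # Whatever remains besides ro/rw is an access-list reference.
            if not [t for t in rest if t not in ("ro", "rw")]:
                findings.append((num, "COMMUNITY_NO_ACL"))
        elif tok[1] == "group" and [t.lower() for t in tok[3:4]] == ["v3"]:
            level = tok[4].lower() if len(tok) > 4 else ""
            if level != "priv":                      # noauth/auth: payload not encrypted
                findings.append((num, "V3_NOT_ENCRYPTED"))
    return findings


def uses_snmpv3(config):
    """True if any snmp-server group/user line carries the v3 keyword."""
    for raw in config.splitlines():
        tok = raw.split()
        if tok[:1] == ["snmp-server"] and tok[1:2] in (["group"], ["user"]) and "v3" in tok:
            return True
    return False
```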