Configuring Secure Community Names provides an example of a recommended configuration that prevents SNMPv1/v2c users from reading information that could compromise the security of the managed entity.
As discussed previously in this document, SNMP v1 and v2c are inherently insecure device management protocols. The community names used to define access levels are passed in clear text in every protocol frame sent to the managed entity, and they may also be visible to read-only SNMP users who query certain SNMP configuration-related objects. In addition, you may expose your network further through configuration conventions that reuse community names in other aspects of entity management, such as CLI login passwords and SNMP security names.
Extreme Networks recommends that you “secure” all SNMP community names. You do this by creating a configuration that uses “views” to hide sensitive information from SNMP v1/v2c users, as follows:
| Step | Task | Command(s) |
|---|---|---|
| 1 | Create the following SNMP view group configurations. | `set snmp access admin-groupname security-model usm privacy exact read secured-viewname write secured-viewname notify secured-viewname`<br>`set snmp access read-only-groupname security-model v1 exact read unsecured-viewname`<br>`set snmp access read-only-groupname security-model v2c exact read unsecured-viewname`<br>`set snmp access read-write-groupname security-model v1 exact read unsecured-viewname write unsecured-viewname`<br>`set snmp access read-write-groupname security-model v2c exact read unsecured-viewname write unsecured-viewname` |
| 2 | Create v1/v2c “public” and “private” community names and security names. | `set snmp community private-communityname securityname read-write-securityname`<br>`set snmp community public-communityname securityname read-only-securityname` |
| 3 | Create user groups and bind them to the security names created in Step 2. | `set snmp group admin-groupname user admin-username`<br>`set snmp group read-only-groupname user read-only-securityname security-model v1`<br>`set snmp group read-write-groupname user read-write-securityname security-model v1`<br>`set snmp group read-only-groupname user read-only-securityname security-model v2c`<br>`set snmp group read-write-groupname user read-write-securityname security-model v2c` |
| 4 | Using the admin-username assigned in Step 3, create the v3 user and define authentication keys. | `set snmp user admin-username authentication sha auth-key privacy priv-key` |
| 5 | Using the view names assigned in Step 1, create restricted views for v1/v2c users and unrestricted views for v3 users. | `set snmp view viewname secured-viewname subtree 1`<br>`set snmp view viewname secured-viewname subtree 0.0`<br>`set snmp view viewname unsecured-viewname subtree 1`<br>`set snmp view viewname unsecured-viewname subtree 0.0` |
| 6 | Exclude the following subtrees from the restricted view. | `set snmp view viewname unsecured-viewname subtree 1.3.6.1.6.3.15 excluded`<br>`set snmp view viewname unsecured-viewname subtree 1.3.6.1.6.3.16 excluded`<br>`set snmp view viewname unsecured-viewname subtree 1.3.6.1.6.3.18.1.1 excluded` |
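To see what the two views from Steps 5 and 6 actually expose, the following added example (not part of the Extreme Networks document) models RFC 3415 VACM view evaluation, where the longest matching subtree entry decides whether an OID is visible, and applies it to the secured and unsecured views as configured above. The instance OID used for the community table row is a constructed sample.

```python
# Added example: minimal model of VACM view-subtree evaluation (RFC 3415,
# vacmViewTreeFamilyTable, family masks omitted) applied to the views
# configured in Steps 5 and 6.  Not code from the Extreme Networks document.
from typing import List, Optional, Tuple

Entry = Tuple[str, str]  # (subtree OID, "included" | "excluded")


def oid_to_ints(oid: str) -> List[int]:
    return [int(x) for x in oid.strip(".").split(".")]


def is_prefix(subtree: List[int], oid: List[int]) -> bool:
    return len(subtree) <= len(oid) and oid[: len(subtree)] == subtree


def oid_in_view(view: List[Entry], oid: str) -> bool:
    """True if `oid` is visible in `view`.

    VACM rule: among all subtree entries that are a prefix of the OID, the
    most specific (longest) one wins and its type applies.  An OID matched
    by no entry is not visible at all.
    """
    target = oid_to_ints(oid)
    best: Optional[Tuple[List[int], str]] = None
    for subtree, vtype in view:
        sub = oid_to_ints(subtree)
        if is_prefix(sub, target) and (best is None or len(sub) > len(best[0])):
            best = (sub, vtype)
    return best is not None and best[1] == "included"


# Views exactly as configured in Steps 5 and 6 of the procedure above.
SECURED_VIEW: List[Entry] = [("1", "included"), ("0.0", "included")]
UNSECURED_VIEW: List[Entry] = SECURED_VIEW + [
    ("1.3.6.1.6.3.15", "excluded"),      # SNMP-USER-BASED-SM-MIB (usmMIB)
    ("1.3.6.1.6.3.16", "excluded"),      # SNMP-VIEW-BASED-ACM-MIB (vacmMIB)
    ("1.3.6.1.6.3.18.1.1", "excluded"),  # snmpCommunityTable (SNMP-COMMUNITY-MIB)
]

# Constructed sample OIDs: sysDescr.0 and one column instance under
# snmpCommunityTable (the instance index here is made up for illustration).
SYS_DESCR = "1.3.6.1.2.1.1.1.0"
COMMUNITY_ROW = "1.3.6.1.6.3.18.1.1.1.2.1"


def audit(view: List[Entry], oids: List[str]) -> dict:
    """Map each OID to whether a user bound to `view` can read it."""
    return {oid: oid_in_view(view, oid) for oid in oids}


if __name__ == "__main__":
    for name, view in (("secured", SECURED_VIEW), ("unsecured", UNSECURED_VIEW)):
        print(name, audit(view, [SYS_DESCR, COMMUNITY_ROW]))
```

Running it shows that sysDescr is readable through both views while the community table row is readable only through the secured (v3) view, which is the whole point of Step 6.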