Improving SNMP Security – Riverstone Networks RS 2100 User Manual


4-16 Riverstone Networks RS 2100 Switch Router Getting Started Guide

Setting Up SNMP

RS 2100 Initial Configuration

By default, SNMP information is sent and received on the RS 2100’s en0 Ethernet port. If you want SNMP to use a different port on the RS 2100, use the following command:

snmp set trap-source <interface>|<IPaddr>

Here is an example:

rs(config)# snmp set trap-source 134.152.78.192

SNMP will now use the port with IP address 134.152.78.192. Remember, to make this change permanent, enter the save startup command.

4.6.2 Improving SNMP Security

SNMPv1 is not a secure protocol. Messages containing community strings are sent in plain text from the manager application to the agent. Anyone with a protocol decoder and access to the wire can capture, modify, and replay messages.

Applying ACLs to SNMP

When using SNMP v1 or v2, it is important to protect your RS 2100 by applying an Access Control List (ACL) to the SNMP agent to prevent unauthorized access, and to route your SNMP traffic through trusted networks only.

Here are the basic configuration commands to apply an ACL to the RS 2100’s SNMP agent, allowing access to the RS 2100 by only one management station:

rs(config)# acl mgmt_only permit udp <IPaddr> any any any
rs(config)# acl mgmt_only apply service snmp

The above ACL, applied to the SNMP service, allows messages from source IP address <IPaddr> to be processed by the SNMP agent; packets from any other source IP address are dropped.

Disabling Authentication Traps

To provide additional security to the RS 2100, disable the sending of authentication traps. Authentication traps are sent when SNMP v1 packets are received with invalid community strings. A common security attack on an SNMP v1 agent is to send a message containing an invalid community string, and then capture the authentication trap to learn the valid community string.

Here is an example of how to turn off the sending of authentication traps:

rs(config)# snmp disable trap authentication
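As an added example (not from the Riverstone manual or its software), the following Python audit checks a saved RS 2100-style configuration or a pasted configuration session for the two hardening steps in this section: an ACL applied to the SNMP service that permits only specific management hosts, and authentication traps disabled. The command forms are the ones quoted above; the configuration text and addresses are constructed for the demonstration.

```python
"""Audit an RS 2100-style configuration for the SNMP hardening steps in section 4.6.2.

Assumed command forms (taken from this section of the manual):
  acl <name> permit udp <src> <dst> <srcport> <dstport>
  acl <name> apply service snmp
  snmp disable trap authentication
"""
import re
from ipaddress import ip_address

# Constructed sample configuration for demonstration; not a real device dump.
SAMPLE_CONFIG = """\
snmp set trap-source 134.152.78.192
acl mgmt_only permit udp 134.152.78.10 any any any
acl mgmt_only apply service snmp
snmp disable trap authentication
"""

PROMPT = re.compile(r"^\S*\(config\)#\s*")  # strips a pasted "rs(config)#" prompt
ACL_PERMIT = re.compile(r"^acl\s+(\S+)\s+permit\s+udp\s+(\S+)\s+\S+\s+\S+\s+\S+$")
ACL_APPLY = re.compile(r"^acl\s+(\S+)\s+apply\s+service\s+snmp$")


def _is_single_host(src: str) -> bool:
    """True only for one literal IP address (optionally /32), never for 'any'."""
    addr, _, prefix = src.partition("/")
    if prefix not in ("", "32"):
        return False
    try:
        ip_address(addr)
    except ValueError:
        return False
    return True


def audit_snmp(config: str) -> dict:
    """Return per-check results plus an overall 'hardened' verdict."""
    lines = [PROMPT.sub("", ln).strip() for ln in config.splitlines()]
    permits: dict = {}   # ACL name -> permitted source fields
    applied: set = set()  # ACL names applied to the SNMP service
    for line in lines:
        if m := ACL_PERMIT.match(line):
            permits.setdefault(m.group(1), []).append(m.group(2))
        elif m := ACL_APPLY.match(line):
            applied.add(m.group(1))
    # Only the source fields of ACLs that actually guard the SNMP agent matter.
    sources = [s for name in applied for s in permits.get(name, [])]
    result = {
        "acl_applied": bool(applied),
        "sources_are_hosts": bool(sources) and all(_is_single_host(s) for s in sources),
        "auth_traps_disabled": "snmp disable trap authentication" in lines,
    }
    result["hardened"] = all(result.values())
    return result
```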
