SNMP: Last Of The Basics
Communities
- read-only
- read-write
- trap
Advanced Communities
- Can partition large networks.
- Can add access controls on OIDs.
Community names are the “security” in SNMP v1 & v2.
Notes:
V. SNMP: Last Of The Basics
A. Communities
i. Each SNMP command executed carries with it an identifier stating which “community” it belongs to. An agent running on a system can be a “member” of different “communities” and assign different access controls based on that “membership”.
a) read-only
b) read-write
c) trap
B. Advanced Communities
i. System administrators can use communities to partition large networks by geographical location, device type or any other criteria one might want. (Think of a large enterprise where different groups manage the networking infrastructure [routers and switches] than servers.)
ii. Access controls can be as complex as needed – access is not an all-or-nothing setting. Communities can be assigned access at the OID level. For example,
a) The community named “watcher” could be given read-only access to everything.
b) The community group named “NetworkGroup” could be given read-write & trap access to the IF-MIB::interface and CISCO-SMI::local OIDs, but no privileges to anything else.
c) The community group named “ServerAdmins” could be given read-write & trap access to all OIDs except CISCO-SMI::local.
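The OID-level access controls in B.ii, written out as an added example rather than anything from the slides: a Net-SNMP snmpd.conf (the agent, the numeric OIDs used for IF-MIB::interfaces and CISCO-SMI::local, and the 10.10.x.x source networks are assumptions; the community strings are placeholders).

```conf
# Added example (not from the slides): Net-SNMP snmpd.conf for the three
# communities "watcher", "NetworkGroup" and "ServerAdmins".

# Views: named OID subtrees. "included" adds a subtree, "excluded" removes one.
view everything  included  .1
view netonly     included  .1.3.6.1.2.1.2     # IF-MIB::interfaces (assumed numeric OID)
view netonly     included  .1.3.6.1.4.1.9.2   # CISCO-SMI::local   (assumed numeric OID)
view nocisco     included  .1
view nocisco     excluded  .1.3.6.1.4.1.9.2   # everything except CISCO-SMI::local

# com2sec: map (source network, community string) to a security name.
# Limiting the source network is a second check on top of the community string,
# which travels in the clear in v1/v2c. Replace the placeholders; never "public".
com2sec watcherSec  10.10.0.0/16  <WATCHER-COMMUNITY-STRING>
com2sec netSec      10.10.5.0/24  <NETWORKGROUP-COMMUNITY-STRING>
com2sec srvSec      10.10.9.0/24  <SERVERADMINS-COMMUNITY-STRING>

# group: bind each security name to a group for the SNMP versions it may use.
group watcherGrp  v1   watcherSec
group watcherGrp  v2c  watcherSec
group netGrp      v2c  netSec
group srvGrp      v2c  srvSec

# access: GROUP CONTEXT MODEL LEVEL PREFIX READ-VIEW WRITE-VIEW NOTIFY-VIEW
# "watcher": read-only on everything, no write, no trap (notify) view
access watcherGrp  ""  any  noauth  exact  everything  none     none
# "NetworkGroup": read-write + trap, only IF-MIB::interfaces and CISCO-SMI::local
access netGrp      ""  any  noauth  exact  netonly     netonly  netonly
# "ServerAdmins": read-write + trap on everything except CISCO-SMI::local
access srvGrp      ""  any  noauth  exact  nocisco     nocisco  nocisco
```

A write from "NetworkGroup" to an OID outside the netonly view is refused by the agent (noSuchName / noAccess), which is the behaviour the slides describe as "no privileges to anything else".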
C. Security aspects of communities.
i. Community names are essentially passwords.
ii. Create & treat them like passwords: do not use common words. Do not use “public” or “private”!!! Those are examples used in most SNMP instruction manuals.
iii. Unfortunately, community names go over the network in the clear in SNMP versions 1 & 2. So, one may want different communities for each subnet, or for subnets that are more likely to be sniffed.
iv. Some organizations go so far as to have a separate, “admin” network. This network connects all the hosts (or at least the important ones) that the normal network connects, but has no users on it. Admins use it for the unencrypted SNMP traffic and other admin tasks like backing machines up over the network or for getting access to a machine when the primary interface has gone down. Obviously, building this second, “admin” network and maintaining it would likely be very costly.