Need help securing your MikroTik routers? A printable copy of our MikroTik Router Hardening Guide complete with a checklist, links to STIGs, and more in-depth discussions of best practices than will fit in a blog post are featured in the MikroTik Router Hardening Guide. Click here to find out more.
SNMP can provide insight about a device's performance but there are some security considerations to take into account. A secure version of the SNMP protocol should be used, authentication configured, and non-default Community strings.
- SNMP Overview
- SNMP Protocol Versions
- Community Strings
- Enable SNMP
Simple Network Management Protocol (SNMP) is an industry-standard protocol for pulling performance information from network devices. It is a pull protocol, meaning the SNMP monitor must reach out on a regular basis and poll devices for information. SNMP Collectors poll devices for information, and SNMP Agents on the devices report that data.
The frequency of performance data polling will depend on a few factors:
- Required granularity of the performance data
- Available data storage capacity
- Performance data retention requirements
With SNMP being such a ubiquitous protocol there are a number of both open source and commercial collector suites, both hardware and software-based. Routers and switches almost always feature SNMP Agents. Windows, Linux, and Mac OS also feature SNMP Agents though they have to be enabled manually.
SNMP Protocol Versions
There are three major versions of the SNMP protocol that have been accepted by the industry, though others do exist. The three main versions are outlined below, and we will use v3.
Version 1 is the original SNMP version and is still widely used almost 30 years later. There is no security built into v1 other than the SNMP Community string. If the Community string presented by the Collector matches the string configured on the Agent then it will be allowed to poll the device. This is why it's important to isolate SNMP to a dedicated management subnet and change the default Community string. It's not possible to delete the standard Community string, but the first command above renamed it and removed read access.
Version 2c brings additional capabilities to SNMP but still relies on the Community string for security. The next version is the preferred choice, though some organizations still rely on v1 and v2c.
Version 3 brings encryption and authentication, as well as the capability to push settings to remote SNMP Agents. SNMP v3 is the preferred version when both the Agent and Collector support it. While SNMP v3 does have the capability to push settings to remote devices many organizations don't opt to use it, in favor of more robust solutions like Ansible, Puppet, Chef, or proprietary management systems.
Infrastructure Router STIG Finding V-3196 requires that SNMP v3 be used:
The network device must use SNMP Version 3 Security Model with FIPS 140-2 validated cryptography for any SNMP agent configured on the device.
A Community string is like a password, allowing SNMP Agents to vet polling from SNMP Collectors in a very crude way. More modern versions of SNMP add authentication and encryption to the protocol.
The default Community string on almost all network devices is simply the word "public". This is well-known, and many port scanners like Nmap will automatically try the default "public" string. If the default Community string is left in place it can allow attackers to perform reconnaissance quickly and easily. Infrastructure Router STIG Finding V-3210 requires that the default string be changed:
The network device must not use the default or well-known SNMP Community strings public and private.
On MikroTik platforms it's not possible to delete or disable the default "public" Community string, but it can be renamed and restricted:
/snmp community set 0 name=not_public read-access=no write-access=no
Create a Community
Next create an SNMP Community with the following attributes:
- Non-default name
- Read-only access
- Secure authentication
The following is a long command but it does everything necessary:
/snmp community add name=fish_tank read-access=yes write-access=no authentication-protocol=SHA1 authentication-password=super_great_password encryption-protocol=AES encryption-password=other_super_password security=private
Only one command is necessary to enable SNMP and configure the location and contact information for the device:
/snmp set contact="Tyler @ Manito Networks" location="Internet, USA" enabled=yes
SNMP is a robust, well-supported monitoring protocol used by MikroTik and other mainstream manufacturers. Use non-default Community names, authentication, and encryption to ensure that no one else can read information from your devices. Enable SNMP and set good contact and location information to help ease distributed network monitoring.