Making Network Device Management Safe

Tony Fortunato explains how companies can safely use Telnet and SNMP v1/v2.

Tony Fortunato

December 9, 2016


There's a lot of fear, uncertainty and doubt when it comes to certain protocols used for network device access such as Telnet and network management protocols like SNMP v1/v2. If you perform a search for either protocol and add the word "security" you will see plenty of articles explaining why you should NOT use these protocols. You will also find reports of how intruders exploited these protocols to cause all sorts of network headaches.

The main issue with these protocols is that both the credentials and the data travel in clear text, so anyone who can capture the traffic between the management station and the device can read them. With Telnet that means the login password; with SNMP v1/v2c it means the community string, which is the only credential the protocol has and is sent with every request. Most analysts will therefore suggest you replace Telnet with SSH and move to SNMP v3, which can authenticate and encrypt.

I have several clients who have to use Telnet and SNMP v1/v2, yet want to be as secure as possible. They have heard about the inherent issues, but have little choice and ask me if they can do anything. In some cases, they have customized network monitoring software or scripts that only use SNMP v1/v2, Telnet or both.

You need to refer to your network equipment documentation for best practices to secure or limit access to your network devices since all products are different. Even if you have all Cisco equipment, various product lines may have different commands. When it comes to security, solutions are usually a combination of resourcefulness, tools and a plan. In other words, there is more than one way to secure your environment.

One common approach is to put all the equipment you want to monitor on the same VLAN, preferably one that users are neither members of nor able to reach. Most of you will recognize this as a "management VLAN." Where you only have one VLAN and this is not possible, consider assigning a secondary IP address from a separate subnet to these devices and to your network management host, so that management sessions use addresses the rest of the network has no reason to know about. A secondary address on the router for that subnet is only needed if the devices must be managed from other subnets; if the management host sits on the same segment it can reach them directly. Bear in mind that a separate subnet on a shared VLAN only hides the management addresses; any host on that VLAN could configure an address in the subnet, so combine this with the ACLs described next.

One straightforward approach on most Cisco networking equipment is to set up an access control list (ACL) that specifies which source addresses are allowed to reach the device with Telnet or SNMP, and to apply it to the vty lines and to the SNMP community.

In this example, I restrict Telnet access to a Cisco router by creating a standard ACL that permits only one source subnet (the network address and wildcard mask follow the permit keyword) and applying it inbound to the vty lines with access-class. A standard ACL ends with an implicit deny, so connections from any other source are refused before a login prompt is offered.

access-list 10 permit
line vty 0 4
 access-class 10 in

In this example, I limit which subnets can query the Cisco switch over SNMP and allow read-only (RO) access only. The ACL number at the end of the snmp-server community line ties the community string to the permitted sources, so requests from other addresses are dropped even if they carry the right string. Note that "public" is the conventional default read-only community and the first string anyone will try; since it is the only credential SNMP v1/v2c has, change it to something unguessable.

access-list 99 permit
snmp-server community public RO 99
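Once you have more than a handful of devices, the useful check is not the two lines above but whether every device actually carries them. The following Python script is an added example, not code from the article or from Cisco: it parses an IOS-style configuration and flags vty lines with no access-class, an access-class that points at an ACL which does not exist, ACLs that permit any source, SNMP communities with no ACL, read-write communities, and the default "public"/"private" strings. The two embedded configurations are constructed for the example, and the 10.10.99.0/24 management subnet, the two NMS addresses and the community string n0t-pub1ic are assumptions.

```python
"""Audit IOS-style configs for unrestricted Telnet (vty) and SNMP v1/v2c access.
Added example, not the article's own code; it only understands standard
access-lists, line vty blocks with access-class, and snmp-server community."""
import re

# Constructed samples (not from the article). The 10.10.99.0/24 management
# subnet, the two NMS addresses and the community string are assumptions.
WEAK_CONFIG = """\
snmp-server community public RO
snmp-server community private RW
!
line vty 0 4
 transport input telnet
line vty 5 15
 access-class 20 in
"""

HARDENED_CONFIG = """\
access-list 10 permit 10.10.99.0 0.0.0.255
access-list 10 deny any log
access-list 99 permit 10.10.99.10
access-list 99 permit 10.10.99.11
access-list 99 deny any log
!
snmp-server community n0t-pub1ic RO 99
!
line vty 0 4
 access-class 10 in
 transport input telnet
"""

DEFAULT_COMMUNITIES = {"public", "private"}
ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) (.+)$")
VTY_RE = re.compile(r"^line vty \d+(?: \d+)?$")
ACCESS_CLASS_RE = re.compile(r"^access-class (\S+) in$")
SNMP_RE = re.compile(r"^snmp-server community (\S+)(?: view \S+)?(?: (ro|rw))?(?: (\S+))?$",
                     re.IGNORECASE)


def parse_config(text):
    """Return (acls, vtys, communities) extracted from an IOS-style config."""
    acls, vtys, communities, current_vty = {}, [], [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            # Indented sub-command; only access-class inside a vty block matters here.
            if current_vty is not None and (m := ACCESS_CLASS_RE.match(raw.strip())):
                current_vty["access_class"] = m.group(1)
            continue
        current_vty = None  # any top-level command closes the open vty block
        line = raw.strip()
        if m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        elif VTY_RE.match(line):
            current_vty = {"name": line[len("line "):], "access_class": None}
            vtys.append(current_vty)
        elif m := SNMP_RE.match(line):
            # IOS treats a community with neither RO nor RW as read-only.
            communities.append({"name": m.group(1), "mode": (m.group(2) or "RO").upper(),
                                "acl": m.group(3)})
    return acls, vtys, communities


def acl_permits_any(entries):
    """True if a standard ACL has a permit entry that matches every source."""
    for action, rest in entries:
        fields = rest.split()
        if action == "permit" and (fields[0] == "any" or
                                   (len(fields) > 1 and fields[1] == "255.255.255.255")):
            return True
    return False


def audit(text):
    """Return (category, target) findings; an empty list means nothing was flagged."""
    acls, vtys, communities = parse_config(text)
    findings = []

    def check_acl(service, target, acl_name):
        if acl_name is None:
            findings.append((service + ":no-acl", target))
        elif acl_name not in acls:
            findings.append((service + ":undefined-acl", target))  # nothing is filtered
        elif acl_permits_any(acls[acl_name]):
            findings.append((service + ":acl-permits-any", target))

    for vty in vtys:
        check_acl("telnet", vty["name"], vty["access_class"])
    for c in communities:
        target = "community " + c["name"]
        check_acl("snmp", target, c["acl"])
        if c["mode"] == "RW":
            findings.append(("snmp:read-write", target))
        if c["name"].lower() in DEFAULT_COMMUNITIES:
            findings.append(("snmp:default-string", target))
    return findings
```

Running audit() over WEAK_CONFIG produces seven findings (both vty ranges, both communities) and over HARDENED_CONFIG none; feeding it the output of "show running-config" from each device gives you a quick inventory of where the ACLs are missing. The parser is deliberately narrow, so treat a clean result as "nothing obvious" rather than proof of a locked-down device.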

Other options to consider for securing management access to network devices:

  • Restricting routes to your management VLAN

  • Creating support Telnet accounts that do not have full administrative access on that device

  • Ensuring your network management station has a proper firewall, up-to-date antivirus, user accounts with strong passwords, and any other security controls your company requires.

  • If you need to use Telnet or SNMP v1/v2 from your computer, set up a VPN to access network devices

  • Only perform monitoring and troubleshooting from your network management station via remote access systems like Terminal Services, Remote Desktop, or VNC

About the Author(s)

Tony Fortunato

Sr Network Performance Specialist

Tony Fortunato is a network performance expert who has been designing, implementing and troubleshooting networks since 1989. His company, The Technology Firm, provides clients of all sizes with services ranging from project management, network design, consulting, troubleshooting, designing custom training courses, and assisting with equipment installation. Tony's experience in networking started with financial trading floor networks and ISPs, where he learned to integrate and support equipment from various vendors. Tony has taught and presented at numerous colleges and universities, public forums and private classes. He blogs frequently at NetworkDataPedia and has a popular YouTube channel.
