Tony Fortunato explains how companies can safely use Telnet and SNMP v1/v2.
There's a lot of fear, uncertainty and doubt when it comes to certain protocols used for network device access such as Telnet and network management protocols like SNMP v1/v2. If you perform a search for either protocol and add the word "security" you will see plenty of articles explaining why you should NOT use these protocols. You will also find reports of how intruders exploited these protocols to cause all sorts of network headaches.
One of the main issues with these protocols is that credentials and data are sent in clear text, which can assist someone who wants to cause your network harm. Most analysts will suggest you replace Telnet with SSH and ensure you are using SNMP v3.
I have several clients who have to use Telnet and SNMP v1/v2, yet want to be as secure as possible. They have heard about the inherent issues, but have little choice and ask me if they can do anything. In some cases, they have customized network monitoring software or scripts that only use SNMP v1/v2, Telnet or both.
You need to refer to your network equipment documentation for best practices to secure or limit access to your network devices since all products are different. Even if you have all Cisco equipment, various product lines may have different commands. When it comes to security, solutions are usually a combination of resourcefulness, tools and a plan. In other words, there is more than one way to secure your environment.
One common approach is to put all the equipment you want to monitor on the same VLAN, preferably one that users are not part of, nor have access to. Most of you will recognize this as a “management VLAN.” In those cases where you only have one VLAN and this is not possible, consider assigning a secondary or different IP subnet address to these devices and your network management host. Adding a secondary IP address to your router is optional if this equipment requires remote access.
One straightforward approach to secure most Cisco networking equipment is to set up an ACL to control who has access with Telnet or SNMP.
In this example, I block Telnet access to a Cisco router from everything except one subnet by creating an ACL that permits only that subnet and applying it to the line vty configuration:
access-list 10 permit 10.0.0.0 0.255.255.255
line vty 0 4
 access-class 10 in
In this example, I limit which subnets can query the Cisco switch and allow only Read Only access:
access-list 99 permit 10.44.10.0 0.0.0.255
snmp-server community public RO 99
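The two ACL patterns above can be checked across saved configurations. This is an added example, not from the original article or any vendor tool: a Python audit that reports vty lines with no inbound access-class and SNMP communities that are read-write or not bound to a defined ACL. It assumes numbered ACLs as in the examples above, and the sample configuration is constructed.

```python
import re

# Constructed sample: vty 0 4 and "public" follow the article's examples;
# vty 5 15 and "private" are left weak so the audit has something to report.
SAMPLE_CONFIG = """\
access-list 10 permit 10.0.0.0 0.255.255.255
access-list 99 permit 10.44.10.0 0.0.0.255
snmp-server community public RO 99
snmp-server community private RW
line vty 0 4
 access-class 10 in
 transport input telnet
line vty 5 15
 transport input telnet
"""

def audit(config):
    """Return findings for Telnet/SNMP access that no ACL restricts."""
    findings = []
    # Numbered ACLs that have at least one entry in this config.
    acls = set(re.findall(r"^access-list (\d+) ", config, re.M))
    # SNMP v1/v2 communities: want read-only, bound to a defined ACL.
    for m in re.finditer(r"^snmp-server community (\S+)(.*)$", config, re.M):
        name, opts = m.group(1), m.group(2).split()
        if "RW" in (o.upper() for o in opts):
            findings.append(f"snmp community {name}: read-write")
        acl = next((o for o in opts if o.isdigit()), None)
        if acl is None:
            findings.append(f"snmp community {name}: no ACL")
        elif acl not in acls:
            findings.append(f"snmp community {name}: ACL {acl} not defined")
    # Each "line vty" block needs an inbound access-class.
    current, block = None, []
    for line in config.splitlines() + ["!"]:   # sentinel flushes last block
        if line.startswith(" ") and current:
            block.append(line.strip())
            continue
        if current:
            acl = next((b.split()[1] for b in block
                        if re.fullmatch(r"access-class \S+ in", b)), None)
            if acl is None:
                findings.append(f"{current}: no inbound access-class")
            elif acl not in acls:
                findings.append(f"{current}: ACL {acl} not defined")
        current = line.strip() if line.startswith("line vty") else None
        block = []
    return findings
```

Run `audit()` over each device's saved configuration and treat any non-empty result as a device whose Telnet or SNMP access is not limited to the management subnet.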
Other options to consider for securing management access to network devices:
- Restricting routes to your management VLAN
- Creating support Telnet accounts that do not have full administrative access on that device
- Ensuring your network management station has a proper firewall, up-to-date antivirus, user accounts with strong passwords, and other security protocols your company might require.
- If you need to use Telnet or SNMP v1/v2 from your computer, set up a VPN to access network devices
- Only perform monitoring and troubleshooting from your network management station via remote access systems like Terminal Services, Remote Desktop, or VNC