SNMP
The Simple Network Management Protocol, or SNMP, is a common language used to communicate with devices on a network. SNMP operates using an SNMP manager, which is software that serves as the control center, collecting information from various devices and presenting it in a user-friendly format.
For example, if there is a network device that supports SNMP, the SNMP manager can retrieve statistical information from the device. Monitoring is the primary use of SNMP. It can also be used to configure a network device. However, compared to other methods, SNMP has potential security risks, making it unsuitable for complex configurations, which are better handled through device-specific management interfaces.
Although SNMP was originally designed primarily for network devices, it can be used on any device that supports it. For example, SNMP functionality can be added to operating systems like Windows.
A network management system will poll each device at regular intervals; however, an SNMP device can also be configured to send notifications when certain events occur. This means it can alert the SNMP manager when a specific event happens. For example, you may want to configure a network device to notify the SNMP manager when network traffic exceeds a certain threshold.
In The Real World
Although this video is about SNMP, real-world network monitoring software uses more than just SNMP. Effective network monitoring software also uses protocols like ICMP (used by ping), web protocols, and Windows Management Instrumentation (WMI) to monitor devices on the network. Think of network monitoring as a combination of protocols and techniques to effectively gather and analyze network data, with SNMP being just one of those protocols.
Let’s now look at the basics of how SNMP works.
SNMP Versions
SNMP is available in three different versions. The first version was released in the 1980s and has significant security vulnerabilities. A shared secret between the device and the SNMP manager is used for authentication. However, the shared secret is transmitted in clear text across the network, making it insecure.
SNMP is typically used on internal networks, making its security dependent on the network’s overall security. If an attacker gains access to the internal network, they can easily sniff packets and capture any SNMP traffic, including the shared secret. For these reasons, using SNMP version 1 is strongly discouraged.
In the early 1990s, SNMP version 2c was released. This version offers some improvements but still transmits traffic, including the shared secret, in clear text. For this reason, using this version is also strongly discouraged.
SNMP version 3 was released in the late 1990s and includes authentication and encryption. For this reason, it is the recommended version to use. Initially, version 3 adoption was slow because the added authentication and encryption required additional resources on network devices. However, with modern devices having more processing power, this is no longer a significant concern. Therefore, all modern devices should support SNMP version 3.
I have avoided using some specific technical terms related to SNMP, as they can make learning SNMP for the first time more challenging. However, now that we have covered the basics, it is time to start exploring these technical terms.
Community String
In SNMP versions 1 and 2, a shared secret called a community string is used for authentication. In this example, the network switch on my left is configured with a community name. You will also notice that I can limit which IP addresses can access SNMP. In large corporate networks, the management of network equipment may be separated from the rest of the network. Restricting the IP addresses that can access SNMP provides additional security.
On the right-hand side, I have network management software. You will notice that the community name has been used to register the network device in the management software.
It is possible to name a group of network devices with the same community string, meaning they all share the same common secret. This is likely where the term “community string” originates, as it implies a shared understanding or agreement among these devices. Using modern network terminology, it would be easier to call it a shared secret, but when SNMP was developed, standard terminology had not yet been established.
Don’t overcomplicate this. “Community name” is simply the SNMP technical term for a shared secret. For the SNMP manager to communicate with the SNMP agent running on the device, the shared secret must be the same on both ends.
I will now select SNMP version 3. You will notice that the community string is replaced by a more robust security model. This model uses a username and password instead of a shared secret; the password is not sent in clear text, and the traffic itself is encrypted. The additional options select the authentication and encryption methods used.
Now that we understand how an SNMP connection is made, I will next explore the types of information that can be retrieved using SNMP.
Object Identifier (OID)
Each object in an SNMP device is assigned a number by the manufacturer. This is called an object identifier, or OID. I will use a tool called SNMPWalk to view the OIDs on my network device.
You can see that there are quite a lot of them, even though this is just an eight-port switch. Each port has its own characteristics, statistics, and configuration, so the number of OIDs can increase rapidly.
With network devices from many different manufacturers, you need a structured way to access the same kind of information on similar devices, while still allowing manufacturers to add options of their own.
Management Information Base (MIB)
The Management Information Base or MIB provides this interface. It is essentially a catalog of OIDs grouped together for management purposes. In my example network switch, you can see that it supports several different MIBs.
The MIB is essentially a database of configuration and other information, including statistics about the device’s activity. In practice, it is the list of OIDs that the device supports. Let’s have a closer look at one.
MIB Example
This software allows various SNMP functions to be performed. In this case, I will use it to load a MIB file. Generally, the manufacturer of the device will provide MIB files. I have already downloaded the MIB files from the manufacturer’s website.
To load them, I will select the option “Load MIBs” under the File menu. I will choose one of the available MIBs and load it. The MIB will appear on the left-hand side as a tree structure. I will expand through the tree until I reach a value. When I reach a value, this represents the OID.
At the top, notice that the OID is expressed in numerical format. This format defines the location of the value in the tree. In this case, I have selected the speed value for the first network port on the switch. You can see that the value is in bytes, which translates to 1 Gigabit per second.
OIDs tend to represent something unique. Manufacturers can include vendor-specific extensions and features, allowing for customization. As a result, it is possible for the same value to appear in two different MIBs.
Your network management software will support common MIBs and OIDs. If you are satisfied with what is available, you won’t need to add the manufacturer’s MIB to your software. However, if you want to ensure access to all available features, you should check if you can obtain the manufacturer’s MIBs.
So far, I have focused on retrieving data from the device as needed, but in some cases, we may want the device to notify us when something happens.
Traps
In SNMP, a device can send a notification when a specific condition occurs. These notifications are called Traps. The concept behind this term is that an event has occurred, and you are attempting to “trap” or capture it. Essentially, a Trap is a push notification sent from the device to the network management system.
SNMP was originally designed in the early days of computing, before standard terminology was established. Therefore, modern devices might not refer to it as a Trap but would use terms like event or push notification.
To demonstrate this concept, I have a network switch that I will configure for SNMP. To do this, I need to enter the IP address of my network management software. Next, I will select SNMP version 2. Keep in mind that SNMP version 2 is not encrypted, so anyone connected to the network can potentially intercept the Trap messages as they are transmitted.
Traps are often used to proactively signal issues such as network interface failures or system errors. They enable timely intervention and potential mitigation of service disruptions. While the value of rapid notification is clear, organizations must also consider the security implications of exposing sensitive event data. In my opinion, it is more important to know when an interface is down, even if it means the risk of an attacker intercepting this information; however, your company may have a different perspective.
Next, I will enter the community string. This is essentially the passcode to access the data. Your network monitoring software must be configured with the same community string. While it functions like a passcode, the community string is transmitted in clear text over the network, so it does not provide real security, as anyone listening on the network can read it.
Finally, I will add the trap configuration to the list. Once it is added, I will press Apply to save the changes. I will now select the “Trap Flags” option on the left-hand side. This shows which events on the switch will trigger a Trap to be sent to the network management software.
The settings that can be configured depend on the network device. Some network devices offer more options than others, including the ability to create custom Traps.
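Bringing the versions, community string, OID and Trap sections together in one piece of code: an added example (not the video’s own code) that decodes a constructed SNMPv2c linkDown trap the way a passive monitor on the management network could, showing that the version, the community string and every OID are readable exactly as sent. It assumes only the standard SNMP message layout; v3 messages are identified but not decoded, and the SNMPv1 Trap-PDU layout is not handled.

```python
# Added example (not from the video): flag clear-text SNMP and decode what it carries.
def ber_tlv(buf, pos):  # -> (tag, content, next_pos) of the BER element at buf[pos]
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):  # BER OID content octets -> dotted string, e.g. 1.3.6.1.2.1.1.3.0
    arcs, value = [content[0] // 40, content[0] % 40], 0   # first octet packs two arcs
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)  # base-128; high bit set = more octets follow
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response",
             0xA3: "SetRequest", 0xA5: "GetBulkRequest", 0xA7: "SNMPv2-Trap"}

def parse_snmp(packet):  # -> dict: version, cleartext?, community, pdu, oids
    _, body, _ = ber_tlv(packet, 0)        # outer SEQUENCE
    _, ver, pos = ber_tlv(body, 0)         # INTEGER: 0 = v1, 1 = v2c, 3 = v3
    version = {0: "v1", 1: "v2c", 3: "v3"}.get(ver[0], "unknown")
    result = {"version": version, "cleartext": version in ("v1", "v2c"),
              "community": None, "pdu": None, "oids": []}
    if not result["cleartext"]:
        return result                      # v3 carries msgGlobalData/USM, not a community
    _, community, pos = ber_tlv(body, pos) # OCTET STRING: the shared secret, readable as sent
    result["community"] = community.decode("ascii", "replace")
    tag, pdu, _ = ber_tlv(body, pos)
    result["pdu"] = PDU_TYPES.get(tag, hex(tag))
    if tag == 0xA4:
        return result                      # SNMPv1 Trap-PDU has a different layout; not decoded
    p = 0
    for _ in range(3):                     # skip request-id, error-status, error-index
        _, _, p = ber_tlv(pdu, p)
    _, varbinds, _ = ber_tlv(pdu, p)       # SEQUENCE OF VarBind
    p = 0
    while p < len(varbinds):
        _, vb, p = ber_tlv(varbinds, p)
        _, oid, _ = ber_tlv(vb, 0)         # each VarBind starts with its OID
        result["oids"].append(decode_oid(oid))
    return result

SAMPLE_TRAP = bytes.fromhex(               # constructed v2c linkDown trap, community "public"
    "3041" "020101" "0406" "7075626c6963"              # SEQUENCE; version 1 (v2c); "public"
    "a734" "020107" "020100" "020100" "3029"           # SNMPv2-Trap-PDU; req-id 7; VarBindList
    "300e" "0608" "2b06010201010300" "4302" "0bb8"     # sysUpTime.0 = TimeTicks 3000 (30 s)
    "3017" "060a" "2b060106030101040100" "0609" "2b0601060301010503")  # snmpTrapOID.0 = linkDown
```

Running parse_snmp(SAMPLE_TRAP) returns the community string "public" and the OIDs for sysUpTime.0 and snmpTrapOID.0 without any key, which is the whole reason the video steers you toward version 3.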
Summary
I will now provide a quick summary of the key points covered in this video. In SNMP versions 1 and 2c, a community string is used as a shared secret for authentication. You simply need to configure your device and network management system to use the same community string. However, since the community string is transmitted in clear text, it is considered insecure. Therefore, it is recommended to use SNMP version 3 whenever possible.
SNMP uses an object identifier, or OID, which is a unique number assigned to each object. Shown here is the unique number for system uptime.
The OIDs can vary between devices based on what is available, and manufacturers can add their own if they wish. To ensure that your network management system understands which OIDs are available and how they are implemented, a Management Information Base or MIB is generally provided by the device manufacturer.
The database identifies the OIDs that are available and their specific meanings on those devices. For instance, devices may implement uptime in different ways: some devices measure uptime in hundredths of a second, while others use thousandths of a second.
While most network management systems include a comprehensive library of generic MIBs, accurate and complete device monitoring often requires the inclusion of vendor-specific MIBs. These detailed descriptions of device attributes ensure precise data interpretation and enable comprehensive management capabilities.
If you find that the report is incomplete or information is missing, check if there is a MIB available for that device and add it to your network management system.
End Screen
Best of luck if you decide to use SNMP on your network. Keep in mind that modern monitoring systems use more than just SNMP for device monitoring. SNMP is one of the protocols they can use. Until the next video, thanks for watching.
References
“The Official CompTIA A+ Core Study Guide (Exam 220-1101)” page 209
“License CC BY 4.0” https://creativecommons.org/licenses/by/4.0/
“Picture: Windows Logo” https://en.wikipedia.org/wiki/Microsoft_Windows#/media/File:Windows_logo_and_wordmark_-_2021.svg
Credits
Trainer: Austin Mason https://ITFreeTraining.com
Voice Talent: HP Lewis http://hplewis.com
Quality Assurance: Brett Batson https://www.pbb-proofreading.uk