SNMP Community String and SNMP Security for Remote Monitoring Devices

Morgana Siggins
Monitoring Specialist

If your network is spread out across a wide area with many unmanned sites, you need SNMP monitoring. It's virtually impossible for you and your team to watch all of your gear without some form of automated monitoring. Your network is too big, and there are too few hours a day to be constantly driving between remote sites - burning both fuel and labor time.

SNMP monitoring is distinct from other forms of monitoring because it uses the SNMP protocol. SNMP stands for Simple Network Management Protocol. SNMP messages flow between an SNMP agent (some kind of gear at your site) and a central SNMP manager (a software program, ideally running on its own dedicated hardware platform): the manager polls the agent for data, and the agent answers and also sends unsolicited Trap messages when something happens.

SNMP uses a manager/agent architecture.

This protocol is one of the most popular in the remote monitoring world today because it brings many benefits, and its one real drawback, the weak security of the older versions, is covered below.

Of course, using this popular protocol isn't without some threats. Anytime you use something that is common, there will be a larger population of people who are familiar with it. Some of these people may have ill intent, and they can use that common knowledge of SNMP to read your equipment's status or, worse, change its settings. For critical infrastructure, that is a serious concern.

For many years, the lack of security in SNMP was viewed by many as its Achilles' heel. For all its wonderful business benefits, the threat of cyber terrorists and virtual vandals loomed large.

However, SNMP monitoring is no longer without any defenses. The SNMP community string is the basic access control built into SNMP devices, and SNMPv3 adds real authentication and encryption on top of it. There are also some other SNMP security best practices that you should know about.

What is SNMP Community String?

An SNMP community string is a shared password that a manager must present to read or change an agent's data. It works like a user ID and password combined: anyone who knows the string has the access it grants.

Your SNMP manager sends the community string along with each SNMP request. If the string matches one configured on the agent, the agent answers with the requested information. If it doesn't match, the agent simply discards the request and sends no response at all (an agent can optionally report the failed attempt to its manager with an authenticationFailure Trap).

Types of SNMP Community Strings

There are three different kinds of community string:

  1. Read Community

    It allows an SNMP manager to issue Get and GetNext messages (and GetBulk messages in SNMPv2c).

    A manager asks an agent for data with a Get message, the agent will then send back a GetResponse. The manager might only need that one piece of data, or it can then send a GetNext message - and then another, and then another - to request a full status update.

  2. Write Community

    It allows an SNMP manager to issue Set messages.

    An SNMP manager sometimes has to tell an agent to take action. Some agents have control relay outputs that can be toggled. Others might have beacon lights, backup systems, thermostats, and other things that can be changed with a Set command. This means that a Set message might read as something like "Set thermostat to 21 degrees Celsius" or "Activate backup generator."

  3. Trap Community

    This is the community string an SNMP agent puts into the Trap messages it sends. The manager checks it before accepting the Trap.

    A Trap is an SNMP message issued by an SNMP agent that reports an event. Some events that will trigger a device to send Traps include power outages and security breaches.

Is an SNMP Community String Really Secure?

The community string does offer some access control, but in SNMPv1 and v2c it is the only access control there is, and it travels in cleartext in every message. Anyone who can capture traffic between your manager and your devices can read the string and then use it themselves.

V1, v2c, and v3 are the principal versions of the SNMP protocol.

SNMPv1 was the first version of SNMP. Although it accomplished its goal of being an open, standard protocol, it was found to be lacking in key areas for certain applications. Later versions have addressed many of these problems. Smaller RTUs commonly support SNMPv1.

SNMPv2c is a sub-version of SNMPv2. Its key advantage over previous versions is the Inform command. Unlike Traps, which are simply received by a manager, Informs are positively acknowledged with a response message. If a manager does not reply to an Inform, the SNMP agent resends it, up to its configured retry limit.

Other advantages of SNMPv2c include:

  • Improved error handling

  • Improved Set commands

Keep in mind, though, that not all devices are SNMPv2c compliant, so your SNMP manager should be backward compatible with SNMPv1 devices. You can also use SNMPv3 mediation devices to ensure compatibility.

Another point to remember is that SNMPv1 and v2c equipment usually ships with the read community string set to "public" (and often the write community string set to "private"). Those defaults are the first thing an attacker tries, so change all of your community strings to long, unique values during device setup, and never use the same string for read and write access.

Now, SNMPv3 is the newest version of SNMP protocol. Its primary feature is enhanced security.

The "EngineID" identifier in SNMPv3 uniquely identifies each SNMP entity (agent or manager). Conflicts can occur if two SNMP entities have duplicate EngineIDs. The EngineID is also mixed into the user's password to produce the "localized" key that authenticates and encrypts messages, so the same password yields a different key on every device. The manager derives that same key from the password and the agent's EngineID, which means the key itself never has to be sent over the network.

SNMPv3 security comes primarily in two forms:

    1. Authentication

      Authentication proves that a message really came from a holder of the user's key and was not altered in transit. The sender computes a keyed hash (an HMAC) over the message using the key derived from the user's password and the EngineID, and attaches it; the receiver recomputes the hash and discards any message that doesn't match. Authentication alone does not hide the contents of the message.

    2. Privacy

      Privacy encrypts the payload of the SNMP message to ensure that it can't be read by unauthorized users. Any intercepted Traps will be filled with garbled characters and will be unreadable. Privacy is especially useful in applications where SNMP traffic must be routed over the Internet.
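The EngineID paragraph and the Authentication item above describe the key derivation in words; this added example (not code from the original page or from DPS Telecom) carries it out. It implements the RFC 3414 password-to-key algorithm and key localization, checks them against the test vector the RFC publishes (password "maplesyrup", EngineID of eleven zero bytes and 0x02), and then builds and verifies the 12-byte HMAC authentication tag. The message bytes fed to the HMAC are a constructed stand-in, not a real SNMPv3 packet.

```python
"""Added example: SNMPv3 USM key localization (RFC 3414 section A.2) and the
HMAC-96 authentication tag computed from the localized key. Standard library only."""
import hashlib
import hmac

ONE_MEGABYTE = 1_048_576


def password_to_ku(password: str, hash_name: str = "sha1") -> bytes:
    """Ku: hash of the password repeated out to exactly 1,048,576 bytes.
    The long input is deliberate: it makes each brute-force guess expensive."""
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    stream = (pw * (ONE_MEGABYTE // len(pw) + 1))[:ONE_MEGABYTE]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    """Kul = H(Ku || engineID || Ku): ties the key to one agent's EngineID,
    so a key recovered from one device is useless against another."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def password_to_key(password: str, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    """Full derivation: password -> Ku -> localized key for this EngineID."""
    return localize_key(password_to_ku(password, hash_name), engine_id, hash_name)


def auth_parameters(kul: bytes, whole_msg: bytes, hash_name: str = "sha1") -> bytes:
    """msgAuthenticationParameters for HMAC-MD5-96 / HMAC-SHA-96: the HMAC over
    the whole message (with this field zeroed), truncated to 12 bytes."""
    return hmac.new(kul, whole_msg, hash_name).digest()[:12]


def verify_auth(kul: bytes, whole_msg: bytes, tag: bytes, hash_name: str = "sha1") -> bool:
    """Receiver side: recompute and compare in constant time."""
    return hmac.compare_digest(auth_parameters(kul, whole_msg, hash_name), tag)


if __name__ == "__main__":
    # RFC 3414 appendix A.3 test vector: password "maplesyrup", EngineID 00..00 02
    engine_id = bytes.fromhex("000000000000000000000002")
    kul = password_to_key("maplesyrup", engine_id)
    print("localized SHA-1 key:", kul.hex())
    # constructed stand-in for an SNMPv3 message with the 12-byte auth field zeroed
    msg = b"\x30\x10constructed-snmpv3-msg" + b"\x00" * 12
    tag = auth_parameters(kul, msg)
    print("auth tag:", tag.hex(), "valid:", verify_auth(kul, msg, tag))
    print("tampered valid:", verify_auth(kul, msg.replace(b"msg", b"m5g"), tag))
```

Two things to notice when you run it: changing a single EngineID byte changes the localized key completely, which is why duplicate EngineIDs are a real problem and why a manager must know each agent's EngineID; and flipping one byte of the message makes verify_auth return False, which is the tamper resistance the page attributes to SNMPv3.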

Unlike earlier versions of SNMP, v3 resists tampering through message authentication and resists eavesdropping through encryption. At security-conscious organizations (especially government agencies or large corporations), this can render SNMPv1 and SNMPv2c basically obsolete.

The bottom line here is that, although SNMP community strings offer you some access control, the best practice is to use SNMPv3 with both authentication and privacy enabled (the "authPriv" security level).
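As an added illustration of the two points above (changing default community strings, and preferring SNMPv3 authPriv), here is what the weak and the hardened settings look like in a net-snmp agent's snmpd.conf. This is not configuration from the original page or from any DPS product; the community string, the subnet, the user name, the passphrases and the manager host name are placeholders.

```conf
# --- Weak: what many devices ship with. Anyone who can reach UDP/161 can read,
# and anyone who guesses "private" can write.
rocommunity public
rwcommunity private

# --- Hardened. Keep v2c only where a legacy RTU forces it: a non-default,
# read-only string, accepted only from the manager's subnet (placeholder values).
rocommunity Rg7.kPq2-vx41  10.20.30.0/24

# SNMPv3 user for the manager at authPriv (SHA authentication, AES privacy).
# Passphrases are placeholders; use long, unique ones per device.
createUser nocmanager SHA "correct-horse-auth-passphrase" AES "battery-staple-priv-passphrase"
rouser nocmanager priv

# Send Traps as the same v3 user so the manager can authenticate them too.
trapsess -v 3 -u nocmanager -l authPriv -a SHA -A "correct-horse-auth-passphrase" -x AES -X "battery-staple-priv-passphrase" manager.example.net:162
```

On first start net-snmp consumes the createUser line and stores the localized keys instead, so the cleartext passphrases do not stay in the persistent configuration; the manager is configured with the same user name and passphrases and derives the per-device keys from each agent's EngineID.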

The NetGuardian 832A is one Example of an RTU that Supports SNMPv3

SNMPv3 support is a standard feature of the NetGuardian 832A G5 RTU, allowing you to monitor all of your SNMP devices with enhanced security via message encryption. The NetGuardian allows you to report alarms in SNMP v1, v2c, or v3, leveraging the full NetGuardian feature set and your existing SNMP manager.

The NetGuardian 832A G5 provisioning tools allow you to set up advanced SNMPv3 applications. Using the "Read and Write Access" field in the NGEdit app or the NetGuardian web interface, you choose which SNMP versions managers may use to communicate with your NetGuardian. By restricting your managers to v3 only, you're requiring them to use that protocol's enhanced security. In environments where security is less of a concern, you can allow all SNMP versions to maximize flexibility.

The SNMP tab in NGEdit allows you to easily access and adjust your v3 settings. In the "Community Names" section, users can adjust the Get, Set, and v3 community strings to be used by the NetGuardian.

This RTU also automatically generates a unique EngineID to eliminate conflicts caused by duplicate IDs. You can modify your NetGuardian's default v3 EngineID for advanced SNMP applications, but this is recommended only for experienced users.

Using SNMPv3, the NetGuardian 832A encrypts its messages with CBC-DES encryption, a privacy protocol of the User-based Security Model (USM). The encrypted data appears scrambled if it is intercepted, rendering it unreadable by anyone but the intended recipient. This makes SNMPv3 your best option when routing SNMP messages over the Internet. This is ideal for companies with mission-critical infrastructure requiring high security. Even on a secured network, SNMPv3 encryption provides an additional layer of defense. Note that CBC-DES uses a 56-bit key and is considered weak by current standards; where both your agent and your manager support it, the AES privacy protocol defined for USM is the stronger choice.

Also, the 832A supports unique security profiles for up to four users. Each user can be assigned a unique set of security parameters, including authentication and/or privileged access to SNMP.

Do You Want to Know More about the SNMP Protocol?

If you want to learn more about SNMP, Trap messages, message formats, or any other fundamental SNMP protocol concepts, just download your free copy of The Fast Track Introduction to SNMP.

This white paper is a quick and easy (but solid and foundational) introduction to SNMP that has been created to give you the information you need to successfully implement SNMP-based alarm monitoring in your network. It's an introduction to SNMP from the perspective of telecom network alarm management, with fast specific answers to give you a better understanding of how SNMP monitoring will work in your network.

It summarizes the history and structure of the protocol, and offers some concrete applications for using SNMP in network alarm environments. You'll also see diagrams and read plain-English descriptions that teach you the basics in an intuitive way.

Once you've completed reading this SNMP guide, and if you want more SNMP guides, we have several other options for you - including MIBs, troubleshooting, and SNMPv3 mediation.

Don't hesitate to call one of our SNMP experts to ask a specific question, though. We can offer basic guidance as you learn SNMP, even if you don't need to purchase any new equipment. Although if you decide you're ready to purchase an SNMP RTU, manager, or mediation device, we'd be glad to give you a quote for field-proven gear.

Get a Custom Application Diagram of Your Perfect-Fit Monitoring System

There is no other network on the planet that is exactly like yours. For that reason, you need to build a monitoring system that's the right fit for you.

"Buying more than you need" and "buying less than you need" are real risks. You also have to think about training, tech support, and upgrade availability.

Send me a quick online message about what you're trying to accomplish. I'll work with you to build a custom PDF application diagram that is a perfect fit for your network.

Don't make a bad decision

Your network isn't off-the-shelf.

Your monitoring system shouldn't be, either.


We'll walk you through this with a customized monitoring diagram.

Just tell us what you're trying to accomplish with remote monitoring.
