Ray Bernard, PSP, CHS-III, is a leading security consultant and author, who over 26 years has led many noteworthy security projects for international airports, nuclear disarmament facilities, sports stadiums, water districts, energy utilities, hotels, manufacturing plants and multiple-tower high-rise facilities (www.go-rbcs.com). Follow him @RayBernardRBCS
As you probably already know, SNMP actually stands for Simple Network Management Protocol. I just can’t help having a passion for it. SNMP is one of the protocols used by the network tool I mentioned in last issue’s column, “Wheels or Electrons,” where we restored a network camera to operation by using the tool to cycle the network port (thus cycling power to the camera), instead of having to roll a service truck.
I am often asked the following question about this network monitoring passion of mine:
Q: Why do you make such a big deal about the SNMP support of leading-name products?
A: Because the opposite of simple is complex, and that’s what supporting medium- and large-scale networked security systems can be if you do not use SNMP.
I know the protocol’s name is intended to convey that it is simple (Wikipedia provides details), but I like pointing out that its use can help make your technology deployment and support work simple as well.
When I talk to vendors, I am looking specifically for SNMP Version 3 support. SNMPv3 added security and remote configuration management elements to the protocol. I ask vendors about the SNMP support of their products partly because I want to see what the vendor’s response is to the question. If they dance around or try to minimize the value of SNMP, that tells me that they are at least slightly out of touch with the network environment of today’s and tomorrow’s deployments. Six years ago, if you had SNMP support in your security system product, hardly any customer was likely to use it — maybe none. That is obviously not the case today.
The most common vendor comment I hear about not supporting SNMP is that “customers are not asking for it.” Supposedly Henry Ford once said: “If I’d asked customers what they wanted, they would have said a faster horse.” However, once customers started seeing horseless carriages, customers did start asking for them. The difference is that Henry Ford’s company led the industry at that time, and other companies followed. By the way, leading network cameras (such as from Axis, Bosch and Pelco) already do support SNMPv3.
It Means More Than You Think
Another reason I ask about SNMP support is that I need to estimate how much time it will take to qualify a product as network-ready, and how much trouble it may be to support it in the network environment. If there is no SNMP support, or if only SNMPv1 is implemented, I know we have some product testing to do. A colleague’s recent experience makes the point. He scanned a security systems network using NMAP, a product name that stands for “Network Mapper.” It is a commonly used open-source tool for network exploration and security auditing.
The NMAP scan took ALL of the name-brand megapixel cameras offline (I’ll call them “Brand X” cameras), and they all had to be manually restarted. When I looked in the Brand X camera data sheets and A&E specs, I saw five network protocols listed, but not SNMP. It was not supported. Of course, that was no surprise to me after the scanning debacle.
This is an example of why my colleagues and I want to see exactly what version of SNMP is supported. We also want to see instructions in the product’s installation guide on setting up SNMPv3. The lack of these is a red flag warning that trouble may be ahead.
When Brand X’s cameras go onto the network, the network security folks have to put the cameras’ IP addresses on the exception list of their network security scanning software. Their cameras are especially vulnerable, which means that specific kinds of network monitoring will be required in order to catch and respond to standards-based network traffic that could disable the cameras. Now consider what protection is needed against malicious network traffic, to which the cameras are seriously vulnerable in many ways. That means network security becomes a very high priority to ensure that the cameras stay online. What network manager would want that kind of product on his or her network? None that I know.
These and other precautions all add time and cost to the deployment. We want to go in the other direction. We want to strengthen our deployments, simplify their support, and include our security system devices in the network monitoring plan. Don’t you?
Write to Ray about this column at ConvergenceQA@go-rbcs.com. Ray Bernard, PSP, CHS-III is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities. He is founder and publisher of The Security Minute 60-second newsletter (www.TheSecurityMinute.com). For more information about Ray Bernard and RBCS go to www.go-rbcs.com or call 949-831-6788. Mr. Bernard is also a member of the Subject Matter Expert Faculty of the Security Executive Council (www.SecurityExecutiveCouncil.com).