For many of us in security, SNMP this could literally mean “Security – Not My Protocol” for all the use we are getting out of it. What SNMP officially stands for is Simple Network Management Protocol — you may have seen it on a configuration screen for an IP camera or other security device and wondered what it was used for. It really is a pretty useful protocol, and it is time we did something with it.
SNMP is not new; in fact, it is 25 years old. It was originally intended to be replaced by other architectures, but, instead, has evolved in its own right and achieved broad acceptance. Working in conjunction with a range of network monitoring packages, such as HP’s Open View, WhatsUpGold by Ipswitch, and Network Vision’s IntraVue, SNMP can provide a command center or a technician important system information, out of limit or alarm conditions, or the ability to update device parameters. Many security devices support SNMP, but it is rarely used, and when it is, that’s usually done by the same manufacturer’s software or diagnostics.
How It Works
SNMP is based on a model consisting of a manager, an agent, a database of management information, managed objects and the network protocol. The manager provides the interface between the human network manager and the management system. The agent provides the interface between the manager and the physical device(s) being managed. The information to be accessed is stored in a specified format in the device database, known as a Management Information Base (MIB), used by both the manager and the agent.
MIBs contain the parameters to be collected for reporting, captured for notifications or configured by the corresponding management software. Basic commands are “gets” to retrieve desired information, “traps” to trigger alarm or condition notifications, and “sets” for configuration and control. There are three common revision levels, or versions, of SNMP - v1, v2c, and v3. Each succeeding version provided more functionality and, importantly, more security.
Version 2c uses log in information known as Community Read and Write strings, analogous to passwords and requiring change from default values. Information, including configuration commands, are sent in the clear. Version 3 provides for far better security and privacy through authentication (using MD5 or SHA hash) and DES or AES encryption. This becomes particularly important if the managed device has been configured to allow system variables to be remotely set.
Impact on the Security Market
In our industry, there are tens or hundreds of vendors, each with their own unique set of MIBs and only discoverable by software packages that have been configured to look for them. Predictably, their usage is sparse.
So what’s an industry to do? Enter the Standards Committee of the Security Industry Association (SIA), which has recently approved an effort to develop an industry set of standard MIBs. This means that vendors from across the industry will get together to decide those conditions which merit monitoring, capturing or configuring. The kinds of conditions could include such things as loss of video, intensity of video compression, excessively high access card retries, over-current, under voltage, hard disk drive utilization, excessive temperature, loss of pressure and more.
By having a solid set of conditions for which MIBs are defined, it is far more likely that third-party monitoring software will supervise the network and attached security devices. Such software may have the ability to discover devices, identify linkages between them, name devices, examine their status and history, provision IP addresses and reconfigure them.
It is worth noting that implementation of SNMP on the network requires use of bandwidth, depending on the polling frequency, number of devices and additional services, such as ICMP (ping) or RMON, used by the scanning software. Network managers are already concerned about bandwidth consumed by video on their networks. The offset is that network bandwidths are increasing, and, with a security mentality in mind, we will likely be more concerned with alarm information grabbed by the manager than ongoing status, and will adjust polling times accordingly.