SNMP Disable

bkizildere · January 13, 2020, 2:21pm

We would like to disable read and write community rather than snmp trap. Can you add this on your roadmap?

Dmitry_Moiseev · January 13, 2020, 11:07pm

Hi,

What exact product do you want this feature for?

Dmitry

bkizildere · January 14, 2020, 6:47am

Hi Dmitry,

Force 190, ePMP2000 and ePMP3000

Best Regards.

Baris

Dmitry_Moiseev · January 14, 2020, 3:07pm

Thanks for the explanation. Is it an option to block it with the firewall?

Thanks,

Dmitry

bkizildere · January 14, 2020, 9:25pm

Hi Dmitry,

Does it have impact on device's performance or not? If not, how can we make it?

Best Regards.

Baris

Douglas_Generous · November 28, 2020, 8:41pm

Snmp only responds when queried so having it availablebis not a burden to the radio. I would leave it as is and just make a very complicated community string.

hci · March 28, 2022, 5:34pm

I would like the option to disable it as well. When setting up a simple PTP etc. one less item to have to create a secure password etc. just disable it.

Douglas_Generous · April 4, 2022, 4:10pm

if you are worried about being hacked via SNMP, then you need to block snmp from crossing your firewalls. You can also utilize the fact that snmpRW can be disabled and still give you access to the valuable data that is not in cnMaestro.

If you have a critical link, snmp can be used to send you real time alerts through traps, cnMaestro does this on a polling basis which is unfortunately very long.

The bemoaning about needing to secure a device that has standard enterprise/service provider features is inane. This is part of any enterprise grade devices feature set and requires good clear understanding of the requirements to protect your network before deployment.
Now write a script to look for any device using the default snmp strings and send a snmp write to them to change the snmp strings and if using snmpv3 the passwords. set it to run every 15mins. block all snmp traffic from crossing edge routers/firewalls and be done with the security issue you perceive.

Eric_Ozrelic · April 4, 2022, 7:13pm

That’s what we do… we firewall SNMP, but we also make a unique complicated community string for each radio.

bkizildere · April 4, 2022, 7:35pm

Why making every config on our network? Why can we make it more complicated? It’s a simple thing, every vendor support this feature and it is also for security ogf device itself.

I know how to do in other ways, this is a customer request from Cambium

Douglas_Generous · April 4, 2022, 7:58pm

request to be able to disable snmp is the same as a request to disable the web gui. Technically to run these devices you do not need either of them as long as you can work with the cli interface until you disable the ssh access.

Its called Simple Network Management Protocol for a reason, its for management of your network and IS an industry standard.

Network security starts with proper understanding of network access. These devices are not meant to have the management interface exposed to the public internet. Proper network designs will ensure both remote access (if needed) and segregation of the management network. This is not a step to be ignored nor go half-heartedly and as others can attest to, this protocol has helped network operators both detect issues and implement corrections when cli nor gui access is possible.