The SNMP Read-Only Community String is like a user id or password that is sent along with each SNMP Get-Request and allows (or denies) access to a router's or other device's statistics. If the community string is correct, the device responds with the requested information. If the community string is incorrect, the device simply ignores the request and does not respond.
Most network vendors ship their equipment with a default password of "public". (This is the so-called "default public community string".) Many network administrators change the community string to keep intruders from getting information about the network setup. This is a good idea. Even if it's only read-access, an intruder can learn a lot about a network that could be used to compromise it.
If there's a "read-only community string", you might also expect to have one that would allow you to write to the device. There is, and it's called a "read-write community string". There is also an SNMP Set-Request, sent to set a certain SNMP MIB object (OID) to a specified value. The read-write community string protects the device against unauthorized changes. (The read-write community string should never be set to 'public'!) Many SNMP-speaking devices also have IP address filters that ignore requests (read and write) unless the source address is on an access list.
There's also an SNMP Trap, which is an unsolicited message from a device to an SNMP console (such as Intermapper) that the device is in an interesting or unusual state. Traps might indicate power-up or link-up/down conditions, temperatures exceeding certain thresholds, or high traffic, for example. Traps provide an immediate notification for an event that might otherwise be discovered only during occasional polling.
What Are SNMP Versions?
Intermapper can retrieve data from devices using SNMP version 1, version 2c, or version 3. Each of these can access the same SNMP information, but through different means:
- SNMPv1 was the original version, and provided a simple means for retrieving data. Security was provided through community strings that acted like a password to allow or deny access to the information. The Read-Only community string gave permission to the requester to read data; the Read-Write community string gave permission to modify data. All data transmissions (including the community string) were sent "in the clear", that is, unencrypted.
- SNMPv2c provided additional, more efficient methods to request data, and added new data types (such as 64-bit counters) so that the monitoring system could get more accurate data. SNMPv2c is like SNMPv1 in that it uses the same community string system, and transmits data in the clear.
- SNMPv3 provides the same data retrieval facilities as SNMPv2c, with additional security. There is a secure method of providing authentication information (so the device knows whether to respond to the query or not), as well as a privacy function that encrypts the entire transmission so that eavesdroppers cannot discern the data.
Community String Types
There are actually three community strings for SNMPv1-v2c-speaking devices:
- SNMP Read-only community string - enables a remote device to retrieve "read-only" information from a device. Intermapper uses this information from devices on its maps.
- SNMP Read-Write community string - used in requests for information from a device and to modify settings on that device. Intermapper does not use the read-write community string, since it never attempts to modify any settings on its devices.
- SNMP Trap community string - included when a device sends SNMP Traps to Intermapper. Intermapper accepts any SNMP Trap community string.
By convention, most SNMPv1-v2c equipment ships from the factory with a read-only community string set to "public". It is standard practice for network managers to change all the community strings so that outsiders cannot see information about the internal network. (In addition, network managers may employ firewalls to block any SNMP traffic to ports 161 and 162 on the internal network.)
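As an added example (not Intermapper's code and not from the original page), the following Python decodes the BER header of an SNMPv1/v2c message, the part that travels in the clear as described under the version list and the community string types above, and reports the version, community string and PDU type so an administrator can audit captured traffic for default community strings or Set-Requests. The two packets are constructed samples, and the `DEFAULT_COMMUNITIES` set is an assumption.

```python
"""Inspect the cleartext header of a BER-encoded SNMP message (added example)."""

DEFAULT_COMMUNITIES = {"public", "private"}  # assumed list of factory defaults
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap-v1", 0xA7: "Trap-v2c"}


def _read_tlv(buf, pos):
    """Decode one BER tag-length-value at pos; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def inspect_snmp(packet):
    """Return version, community and PDU type of an SNMP message, plus findings."""
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message: outer SEQUENCE missing")
    tag, ver, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version INTEGER missing")
    version = {0: "v1", 1: "v2c", 3: "v3"}.get(int.from_bytes(ver, "big"), "unknown")
    result = {"version": version, "community": None, "pdu": None, "findings": []}
    if version == "v3":  # v3 carries msgGlobalData and USM parameters here, no community
        return result
    tag, comm, pos = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("community OCTET STRING missing")
    community = comm.decode("ascii", errors="replace")
    pdu_tag = _read_tlv(body, pos)[0]
    result["community"] = community
    result["pdu"] = PDU_NAMES.get(pdu_tag, f"0x{pdu_tag:02x}")
    result["findings"].append(f"SNMP{version}: community string sent in the clear")
    if community in DEFAULT_COMMUNITIES:
        result["findings"].append(f"default community string '{community}' in use")
    if pdu_tag == 0xA3:
        result["findings"].append("SetRequest seen: read-write community string exposed")
    return result


# Constructed samples (not captured traffic): a v1 GetRequest for sysDescr.0 with
# community "public", and a v2c SetRequest for the same OID with community "private".
SAMPLE_V1_GET = bytes.fromhex(
    "302602010004067075626c6963a019020101020100020100300e300c06082b060102010101000500")
SAMPLE_V2C_SET = bytes.fromhex(
    "3027020101040770726976617465a319020101020100020100300e300c06082b060102010101000500")
```

Run `inspect_snmp()` over UDP payloads captured on port 161 or 162; anything it reports as v1 or v2c is a candidate for migration to SNMPv3 or for the address filtering mentioned above.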