SNMPv1 vs. V2c vs. V3 – SNMP Versions Comparison
ParkView Managed Services
Once upon a time, there was a single version of the Simple Network Management Protocol (SNMP). It was used to monitor and manage all network devices, and those devices used it to communicate with one another. However, over time, different SNMP versions have arisen.
Today, we have SNMPv1, SNMPv2, and SNMPv3. But, what’s the difference, and how does SNMP work within the different variations? Can these different versions coexist within the same network?
Important Components of Different SNMP Versions
Before we explore the different SNMP versions and what each offers, let’s touch quickly on the devices that use them.
What Are SNMP Devices?
SNMP devices include anything connected to your organization’s network. That includes things like:
However, it also includes other components that you might not automatically think of as “devices”, such as:
- CCTV cameras
- Load balancers
Why Is SNMP Important?
Why does SNMP matter? Without this type of network management protocol, no device on the network could communicate effectively with others. In essence, there would be no network. After all, if your server cannot communicate with the router, or the firewall cannot communicate with other devices, there’s no interconnectivity.
However, each SNMP version is different and brings something else to the table. What are the differences? Continue reading below to find out.
What Are Community Strings?
Community strings are the combination of an ID or password with a GET request to access data from your SNMP-enabled devices (routers, switches, firewalls, etc.). SNMP community strings are read-only (SNMPv1 and SNMPv2c) or read-write (SNMPv3) when mastered on your network devices. If you plan on using read-write, you will likely want to use SNMPv3 for security reasons.
What Are ACLs?
Access Control Lists (ACLs) are rule sets that assign permissions to certain users, devices, or traffic types. ACLs can be used to add an additional layer of security to your SNMP configurations, as well as improve network performance by restricting traffic to essential services only.
If you are a Cisco Meraki user, keep in mind that you must whitelist devices for SNMP queries.
We’ll start the discussion with SNMPv1, the initial version.
What Is SNMPv1?
As you might suspect, SNMPv1 is the original version and the oldest. It’s also the easiest to set up since all you’ll need is a plaintext community. However, that ease of setup acts as a weakness today. With only a string of plaintext, even if limited to a range of authorized IP addresses, v1 doesn’t offer much in the way of security. This wasn’t originally a problem because threats had yet to evolve, but in today’s world, it’s simply too much risk.
SNMP Version 1 Vulnerabilities
Many SNMP version 1 vulnerabilities exist. However, one of the key issues is that messages sent across the network are unencrypted. In other words, any bad actor with a packet sniffer can read the community string with little difficulty. Once that occurs, an attacker can create a spoofed IP address and interact with the network.
Next in line is SNMP v2c. What should you know about this version?
What Is SNMPv2c?
SNMP v2c is the second generation of this protocol. However, don’t assume that signifies a major jump in terms of capabilities or security. In reality, v2c only added support for 64-bit systems. This means that it still suffers from all the security vulnerabilities that affected v1, including that messages are sent unencrypted across the network.
Is SNMPv2 Secure?
In a word, no. SNMPv2c is not particularly secure, although it was a slightly better iteration than the initial version.
SNMP V2 Vulnerabilities
Because it is simply a revamped version of SNMPv1, attackers can exploit the same weaknesses and easily gain access to the entire network through a spoofed IP address. It doesn’t help that SNMP V2c devices may ship from the manufacturer with PUBLIC as the community string name. Make sure you are customizing the community strings on your equipment before enabling it on your network.
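The cleartext exposure described for v1 and v2c, and the default PUBLIC community string, can be checked on captured traffic. The following is an added example, not code from the original article: it decodes the header of an SNMP message and reports the version, the community string readable on the wire, and whether that string is a common default. The function names and sample datagrams are constructed for illustration, and v3 messages are reported by version only.

```python
# Added example: report what an SNMP datagram exposes on the wire.
VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}
DEFAULT_COMMUNITIES = {"public", "private"}  # common factory defaults

def tlv(tag, value):
    """Encode one BER TLV (short-form length; enough for these samples)."""
    return bytes([tag, len(value)]) + value

def read_tlv(buf, pos):
    """Decode one definite-length BER TLV; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = length octets
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length

def inspect_snmp(datagram):
    """Return version, exposed community (if any) and findings for one message."""
    tag, msg, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not a BER SEQUENCE")
    tag, raw, pos = read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("missing version INTEGER")
    version = int.from_bytes(raw, "big")
    result = {"version": VERSIONS.get(version, "unknown"), "community": None, "findings": []}
    if version in (0, 1):                  # v1/v2c: community follows as OCTET STRING
        tag, raw, _ = read_tlv(msg, pos)
        if tag != 0x04:
            raise ValueError("missing community OCTET STRING")
        result["community"] = raw.decode("latin-1")
        result["findings"].append("community string readable in cleartext")
        if result["community"].lower() in DEFAULT_COMMUNITIES:
            result["findings"].append("default community string")
    return result

# Constructed samples: GetRequests for sysDescr.0, one v2c with PUBLIC, one v1 with a custom string.
_varbinds = tlv(0x30, tlv(0x30, tlv(0x06, bytes.fromhex("2b06010201010100")) + tlv(0x05, b"")))
_pdu = tlv(0xA0, tlv(0x02, b"\x01") + tlv(0x02, b"\x00") + tlv(0x02, b"\x00") + _varbinds)
SAMPLE_V2C = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x04, b"PUBLIC") + _pdu)
SAMPLE_V1 = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, b"n0c-r0-7f3a") + _pdu)
```

Even the customized string in the v1 sample is recovered in full, which is why changing the default helps only against guessing, not against anyone who can observe the traffic.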
Now let’s discuss the final version of SNMP, SNMPv3, and how it addresses security vulnerabilities.
What Is SNMPv3?
As the name suggests, SNMPv3 is the third (and final) version of SNMP. It was developed specifically to address the security flaws that were so prominent in the first two generations. It also brought three new elements to the table, including SNMP View, SNMP Groups, and SNMP Users.
Which Encryption Algorithms Can SNMPv3 Use?
SNMPv3 can use several different security encryption algorithms to help create safer networks. These include SHA, MD5, and DES. What’s more, it can use them without requiring a massive amount of system resources, leaving additional resources for other network needs. Note that the security enhancements were the primary reason for SNMPv3’s development, so there are no additional major functionality enhancements.
How Does SNMPv3 Work?
SNMPv3 works very similarly to v1 and v2. Traffic flows across the network from a wide range of sources (devices). SNMP communicates with the entire network and all the devices that comprise that network. In most devices, it comes preconfigured, although some will require that administrators enable it. Once enabled, all devices will begin storing performance statistics.
SNMP is based on the shared resource management model, in that every device contributes to managing the system’s resources. Protocol data units, called SNMP GET requests, are sent to different devices. Those communications are tracked by network monitoring tools and then used to fetch data from SNMP.
SNMP V2 vs V3: Can They Coexist?
Can you use SNMP v2 and v3 on the same network? While both are based on the same underlying principles, you cannot (nor should you want to). They’re best used in different applications. Because of its improved security, SNMPv3 is better suited for use on public and Internet-facing networks.
V2 is best used only on low-risk, internal networks. And, to be clear, if you’re still running SNMPv1, it’s beyond time for you to upgrade to something sounder.
In today’s IT environment, threat modeling is an important process for many organizations. When it comes to security requirements, security threats and vulnerabilities, criticality, and remediation methods, there is no right solution for everyone. While SNMPv3 leverages 2-password encryption for increased security, it is not extremely common or easy to use. You can use read-only v2c with an ACL to achieve sufficient security without having to work through 2-password encryption on v3.
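One way to verify that a v2c deployment really is read-only and source-restricted, as an added example that is not from the original article: the check below assumes agents configured with Net-SNMP's snmpd.conf `rocommunity`/`rwcommunity` directives (the article does not name an agent), and the sample configuration, community strings and addresses are constructed placeholders.

```python
# Added example: audit Net-SNMP snmpd.conf community lines (agent choice is an assumption).
DEFAULT_COMMUNITIES = {"public", "private"}          # common factory defaults
OPEN_SOURCES = {"default", "0.0.0.0/0", "::/0"}      # sources that match any client
RO = {"rocommunity", "rocommunity6"}
RW = {"rwcommunity", "rwcommunity6"}

def audit_snmpd_conf(text):
    """Return (line_number, finding) pairs for community directives that fall short."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue                                  # blank line or comment
        directive, args = fields[0], fields[1:]
        if directive not in RO | RW or not args:
            continue                                  # not a community directive
        if directive in RW:
            findings.append((lineno, "read-write community"))
        if args[0].lower() in DEFAULT_COMMUNITIES:
            findings.append((lineno, "default community string"))
        # Syntax: rocommunity COMMUNITY [SOURCE ...]; no SOURCE means any client.
        if len(args) < 2 or args[1] in OPEN_SOURCES:
            findings.append((lineno, "no source restriction"))
    return findings

# Constructed sample configuration; strings and addresses are placeholders.
SAMPLE_CONF = """\
# monitoring access
rocommunity public
rwcommunity n0c-rw-41c9 default
rocommunity n0c-r0-7f3a 192.0.2.10
rocommunity n0c-r0-7f3a 192.0.2.0/24 -V systemonly
"""
```

Only the last two sample lines pass: read-only, a non-default string, and a source limited to a single monitoring host or subnet.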
Put Your Network Management on Cruise Control
From optimization woes to security issues, managing a network can involve many threats and chores that your team may not be equipped to handle. Network management services from a trusted partner are a great way to free up your IT team for more strategic initiatives while maintaining availability.
ParkView Network Management™ brings the tools and expertise to achieve exceptional visibility, performance and intelligence to manage your network in today’s ever-changing IT environment. We allow you to eliminate set-up and implementation procedures by taking advantage of our Enterprise Operation Center (EOC) onboarding team’s product experience and best practices for optimum performance management.