Skip navigation

Setting Up SNMP

You'll need to set up SNMP on the system on which you'll install JFFNMS. Before you start, you should understand some basic SNMP concepts. First, SNMP uses two general types of network traffic: traps and Get and Set requests. The target device generates trap messages and sends them to the management console(s). For example, in Windows think of a rejected logon attempt that's noted in the Security log as an SNMP TRAP event. This event isn't tied to a specific metric on the device (e.g., CPU utilization, disk utilization) but nevertheless is a noteworthy event that should be monitored. SNMP includes capabilities for devices to report these types of events to one or many monitoring consoles. SNMP uses the Get request to poll a specific device metric (e.g., current CPU utilization, packets per second) and uses the Set request to set a specific device metric (e.g., enable or disable a port on an Ethernet switch).

JFFNMS works best with Get and Set requests because no direct mechanism currently exists to let JFFNMS receive SNMP traps. Besides, I’ve found that monitoring port availability, content checks, service up and down status, and resource utilization on a device greatly reduces the need to monitor SNMP TRAP events.

By default, Microsoft doesn't install SNMP as a standard part of Windows; you’ll need to add SNMP through the Add or Remove Programs applet. If you want to install SNMP on a system that doesn’t already have it, click Add/Remove Windows Components and select the Management and Monitoring Tools component. Click Details, then select Simple Network Management Protocol to install the service on your system. After SNMP is installed, make sure that the SNMP Service is set to Automatic startup on your systems. Don’t worry about setting up the SNMP Trap Service; this is necessary only if you want a system to receive traps, which we don't do here.

After you’ve installed SNMP, you’ll need to configure it so that you can retrieve information from it via Get requests. In the SNMP world, two basic mechanisms secure who can and can’t submit a Get request to one of your devices. The first mechanism is a sort of “shared key” that's commonly referred to as a community string. Community strings typically define what can be done on a device via SNMP. For example, the Read-only community string lets a remote device retrieve information from a device but not modify that information; the Read-write community string lets a remote device read information from a device and modify settings on that device. Any systems that send Get or Set requests to your devices will need to provide a valid community string for the Windows SNMP service to respond; otherwise, the SNMP service ignores the request. Therefore, you should determine an appropriate shared key for your monitoring console and set it at the console. Then set the shared key on your devices by accessing the SNMP service's properties, navigate to the Security tab, and set the appropriate community strings as Web Figure A shows. I use the “public” and “private” community strings here as examples only. Don't use these strings on your devices because they're generally default keys for many standard, out-of-the-box SNMP implementations. I recommend that you choose your own key name. Also, I don’t recommend setting a Read-write community string unless you specifically need its capabilities. For our purposes in learning about JFFNMS, a single Read-only string will suffice.

If you want to add another measure of security to your SNMP configuration, you can complete the lower portion of the dialog box in Web Sidebar Figure 1 and limit which hosts (defined by IP address) may legitimately send SNMP requests to your target devices. Some organizations choose to add this security measure so that they can monitor devices at remote locations over the Internet, simply by opening up the appropriate port for SNMP on their firewall. If you choose to do this, I also recommend you also implement IP address restrictions on your firewall for SNMP. If your firewall doesn’t already have a protocol definition for SNMP, it's a UDP-based protocol running on ports 161 (SNMP) and 162 (SNMPTRAP).

That’s all the configuration you need to do. No third-party agent to install! And no remote logon capabilities are required, which means that you don’t need to open up Microsoft networking protocols to your target devices—an important consideration in security-conscious environments. If you wanted to automate the configuration of these SNMP parameters throughout your enterprise, you could probably do so by replicating the appropriate registry changes to your systems via a Group Policy Object (GPO). The registry information for SNMP configuration is stored in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters subkey. You’ll find the relevant details in the ValidCommunities and PermittedManagers branches.

One last note about SNMP configuration: After you've activated SNMP, even on a read-only basis, sensitive data about your systems is available to anyone who knows the appropriate community string and can direct a query to one of your servers. Be sure to block SNMP on all perimeter firewalls that secure your network from the outside world.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.