Secret agents: Make SNMP work for you

Blogger Mark Underwood lays out the ways you can use SNMP agents to monitor network devices, and even set it up to send software alerts as well.

Out there, working for you, are agents. Feed them a little traffic on UDP ports 161 and 162 and they'll deliver a dossier on many network devices, in the form of a Management Information Base (MIB).

Just got hired after the last network administrator got promoted to CIO? Grab a free network management tool that has an SNMP (Simple Network Management Protocol) agent listener (SpiceWorks, Net-SNMP, NetXMS, Nagios, Zenoss and many more), then head over to the local Wi-Fi-enabled coffee establishment. Chances are good you'll have charts and diagrams to visualize what you've gotten yourself into.

SNMP considerations

Here's a list of pros and cons for using SNMP agents, which I'll discuss in more detail below.

Pros:

  • Intrusion tripwires
  • Quick network overview
  • Indispensable for switches representing a single point of failure
  • Proactive warnings for failing hardware
  • Enable performance monitoring
  • Detect software failures and anomalies
  • Best practice for industry-standard, interoperable device descriptions with ontologies

Cons:

  • False positives
  • Log management
  • Too much information; can't see the forest
  • Complex monitoring environment
  • Configuration management
  • Agent authentication and default "public" settings
  • Multiple agent message formats

SNMP basics

The basic notion of SNMP is that of an agent-based notification system. Each device, even many low-level switches and printers, is equipped with an agent ready to do your bidding. The notification, or "trap," can be generated by an agent developed by the device manufacturer, or listener software can monitor systems for specific events, such as particular items of interest in an event log, and send traps to an SNMP trap handler or other network management tool.

SNMP can be thought of as one framework among a number of overlapping frameworks that include Microsoft Windows Management Instrumentation (WMI), Web-Based Enterprise Management (WBEM) and the Common Information Model (CIM). CIM has evolved into an entire object model that the DMTF describes using graphical notation taken from the Unified Modeling Language (UML).

SNMP does Windows or Linux

Microsoft has fully embraced the CIM model in WMI. For example, open a command window on many Vista, Windows 7, or Server 2008 machines and type:

winrm enumerate wmicimv2/Win32_ComputerSystem

The tool will list a machine's basic hardware information such as the motherboard manufacturer, but also domain membership, status of the administrative password, server roles, current user name, machine name, boot options, and more. Using WMI, you can deck out the walls of your cubicle with ample justification for upgrading the server farm. Figure A shows such SNMP-enabled charts. Similar monitoring capabilities are available for Linux. For instance, the free WebNMS product implements an SNMP agent but also offers management through HTTP.

Figure A: Windows graphs from SNMPBOY.MSFT.NET

Worth the effort and cost?

The hurried and harried network administrator would be right to question how much effort to put into studying SNMP and related topics. The Distributed Management Task Force (DMTF), primary custodian of knowledge about SNMP and related topics, insists that its tutorial documents are suitable for "management application developers, instrumentation developers, information technology managers and system administrators." That may be over-reaching. Scott Neumann of the CIM Road Map Task Force describes CIM as "the most developed and widely accepted model for describing an electrical network." That said, the subject is as deep and as complex as big or heterogeneous networks can get.

SNMP for software?

Here's where the fun begins. SNMP agents are not only for physical gadgetry. For instance, Oracle Enterprise Manager (OEM) can be tweaked to respond to alerts from Oracle VM, Oracle Database, or Fusion Middleware. The use case Oracle offers is its Contact Center Anywhere (CCA) application. Oracle walks prospective SNMP users through useful telephony-related traps, but also straightforward problems such as software license failures, "Malicious Call Trace," Automated Call Distribution Voice Mail, etc. These examples show how an application could be engineered to help managers understand its performance, to automatically escalate certain conditions, or to implement enterprise-specific workflow. These could result in exciting improvements in the way software is designed.

Be advised that there is risk in this Spy vs. Spy world. SNMP's original designers were a trusting lot, and security seems to have taken a back seat to disclosure. SNMP "community strings" function as passwords between the manager and the agent. The community string appears, in the clear, in every packet sent between them. Don't risk having your SNMP agents become double agents. Don't accept the default values of "public" or "private" for community strings. "Private" is especially problematic, as it may permit an attacker to modify a device's configuration. When it makes sense to do so, and when the device allows it, limit which IP addresses are permitted to reach SNMP agents. While not all network devices support it, SNMP version 3 adds encryption of manager-agent traffic, which reduces the risk of man-in-the-middle attacks that could not only discover how to get out of your DMZ but could potentially reconfigure devices.
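To make the agent-to-manager exchange from the "SNMP basics" section and the community-string warning above concrete, here is an added example (not code from the original post, and not from any SNMP product or library mentioned in it): a standard-library-only Python encoder and decoder for an SNMPv2c trap, followed by the audit a trap handler or packet inspector could apply to each datagram. The enterprise arc 1.3.6.1.4.1.99999 and the "license check failed" varbind are constructed placeholders standing in for the kind of software alert the next section describes; a real product would use its own IANA-assigned enterprise number and MIB.

```python
"""Added example: build and decode an SNMPv2c trap with the standard library only,
then audit it the way a trap handler or packet inspector would.
Hypothetical values: the enterprise arc 1.3.6.1.4.1.99999 is a constructed placeholder."""

SNMP_V2C = 1                              # version field: 0 = SNMPv1, 1 = SNMPv2c, 3 = SNMPv3
TRAP_PDU = 0xA7                           # SNMPv2-Trap PDU tag
SYS_UPTIME = "1.3.6.1.2.1.1.3.0"          # sysUpTime.0, mandatory first varbind of a v2c trap
SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"   # snmpTrapOID.0, mandatory second varbind
EXAMPLE_ENTERPRISE = "1.3.6.1.4.1.99999"  # constructed placeholder enterprise arc
DEFAULT_COMMUNITIES = {"public", "private"}


def ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def encode_int(value, tag=0x02):
    """INTEGER (0x02) or an application type such as TimeTicks (0x43), minimal two's complement."""
    return tlv(tag, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])      # first two arcs share one octet
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                       # base 128, high bit set on all but the last octet
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def build_trap(community, uptime_ticks, trap_oid, string_varbinds, request_id=1):
    """SNMPv2c message: SEQUENCE { version, community OCTET STRING, SNMPv2-Trap PDU }."""
    vbl = tlv(0x30, encode_oid(SYS_UPTIME) + encode_int(uptime_ticks, 0x43))
    vbl += tlv(0x30, encode_oid(SNMP_TRAP_OID) + encode_oid(trap_oid))
    for oid, text in string_varbinds:
        vbl += tlv(0x30, encode_oid(oid) + tlv(0x04, text.encode()))
    pdu = tlv(TRAP_PDU, encode_int(request_id) + encode_int(0) + encode_int(0) + tlv(0x30, vbl))
    return tlv(0x30, encode_int(SNMP_V2C) + tlv(0x04, community.encode()) + pdu)


def read_tlv(buf, pos=0):
    """Return (tag, body, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0   # adequate for the 1.x arcs used here
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_message(datagram):
    """Decode version, community, PDU type and varbinds of a v1/v2c message."""
    _, msg, _ = read_tlv(datagram)
    _, ver, pos = read_tlv(msg)
    _, comm, pos = read_tlv(msg, pos)
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    pos = 0
    for _ in range(3):                              # request-id, error-status, error-index
        _, _, pos = read_tlv(pdu, pos)
    _, vbl, _ = read_tlv(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = read_tlv(vbl, pos)
        _, oid_body, q = read_tlv(vb)
        vtag, vbody, _ = read_tlv(vb, q)
        if vtag == 0x06:
            value = decode_oid(vbody)
        elif vtag in (0x02, 0x41, 0x42, 0x43):      # INTEGER, Counter32, Gauge32, TimeTicks
            value = int.from_bytes(vbody, "big", signed=True)
        else:
            value = vbody.decode(errors="replace")
        varbinds.append((decode_oid(oid_body), value))
    return {"version": int.from_bytes(ver, "big", signed=True),
            "community": comm.decode(errors="replace"),
            "pdu_type": pdu_tag, "varbinds": varbinds}

def audit_message(datagram):
    """Findings a trap handler or IDS would raise: cleartext community, default community."""
    info = parse_message(datagram)
    findings = []
    if info["version"] in (0, 1):                   # v1 and v2c carry the community in the clear
        findings.append("cleartext community string (SNMPv%s)" % ("1" if info["version"] == 0 else "2c"))
    if info["community"].lower() in DEFAULT_COMMUNITIES:
        findings.append("default community string %r" % info["community"])
    return info, findings


if __name__ == "__main__":
    # Constructed software-alert trap, as an application might emit for a license failure.
    trap = build_trap("public", 123456, EXAMPLE_ENTERPRISE + ".0.1",
                      [(EXAMPLE_ENTERPRISE + ".1.1", "license check failed")])
    print(trap.hex())                               # "public" is readable in the raw bytes
    info, findings = audit_message(trap)
    print(info["community"], info["varbinds"], findings)
```

Run it and the hex dump shows the community string verbatim, which is the whole of the warning above: anyone on the path sees it. The audit keeps one finding even for a non-default community, because the version field alone tells you the string went over the wire in the clear; only moving to SNMPv3 clears that one.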

Buyer beware tips

A comprehensive buying guide is beyond the scope of this brief post, but here are a few important tips to get you started:

  • Keep in mind that even a small network will have hundreds, even thousands of "devices." If pricing is based on a device count, round up. Way up.
  • "Automatic Network discovery" is great in principle, but it assumes everything is going your way - i.e., that both agent and manager can see one another.
  • There are hosted as well as internally managed solutions for SNMP monitoring.
  • Your time investment will add up. It won't necessarily be all in one sitting. Prepare to invest serious time in making use of SNMP alerts. If you're on a project schedule, the community / commercial options can be a way to get help without a big investment.

Recommended readings

  1. Tutorial on the DMTF Common Information Model.
  2. SNMP Penetration Testing Technical Note from SANS Institute.
  3. TCP/IP Guide's entry on SNMP Version 3 (SNMPv3).
  4. Cisco's Guide to SNMP.
