Dec 31, 2012

Navigating Security Concerns in Meter Collection Software Deployment

Explore the challenges and considerations surrounding the deployment of meter collection software in the context of data security.

SOP Industry

Recent events regarding exposure of private and personal data and matters of national security underscore how handling of data demands constant vigilance.  Risks that were once evaluated and acted on only by security experts in IT departments are now discussed at dinner tables of average citizens around the world.

Our personal data is important to us and to the businesses that serve us.  We want them to have access to our data, but only when it serves us – not at any other time or for any other reason.  Sharing our data with the right entity, at the right time for a mutually accepted purpose makes our lives better.  Anything beyond that makes us cringe.  Some of our personal data is already in data stores, in the cloud or some other part of the digital ether, and we have lost control of it.  It can be bought and sold for purposes we would never approve.  Despite the best efforts of the experts there has been, and will always be, a trade-off between availability and security of data.

What is to be done?

The gathering and storage of any data, personal or other, has been given increasingly wary acceptance.  This wariness has spilled over and leaked down to the collection of information on network devices.  IT security administrators, potential customers of meter collection software providers, often ask, “What is being collected?”

Common among the objections to imaging device monitoring and meter collection software is the fear of network security being compromised.  Most meter collection software employs Simple Network Management Protocol (SNMP) to obtain meters, serial numbers and other imaging device information.

However, a greater concern to IT managers is potential exposure of information about routers and switches.  The data that may be gleaned from these network devices is the real threat to network security.  For that reason, some IT security administrators will ‘lock down’ port 161 to block SNMP communication.

The proper use and configuration of SNMP will help assuage the concerns for using it.

SNMP versions 1 and 2 support community strings, the rough equivalent of a password.  For convenience, not for security, devices have a default community string ‘public’.  That is a well-known default and should be changed when security is a concern.  The meter collection software must set its SNMP community string to match the string on the imaging device.  Obviously this same suggestion applies to the routers and switches.  They must be secured by a community string other than ‘public’. The exception to this rule is the implementation of SNMP v3.  If SNMP v3 is configured and used on a device, then SNMP v1/v2 may have to be disabled.

SNMP version 3 has additional security features: authentication, privacy, and access control.  For details of these security services, the following article by William Stallings, a consultant, lecturer, and author of more than a dozen books on networking, is recommended.  Dr. Stallings has a PhD in Computer Science from MIT.

http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_1-3/snmpv3.html

With the added protection of authentication and data encryption, the implementation of SNMP v3 should allay the concerns of the most skeptical IT security administrators.  Below is another link to an article written by Chris Greer discussing the merits and risks of SNMP, including configuration details to remove risks.  Chris is an experienced Network Analyst for Packet Pioneer.  You will find this brief article, “Is Enabling SNMP Worth the Security Risks?”, useful as you consider how you might reduce client concerns about implementing meter collection software.

http://www.lovemytool.com/blog/2012/03/enabling-snmp-worth-security-risks-by-chris-greer.html

Which SNMP version is right for me?

The advantage SNMP v3 has over v1/v2 is greater security.  The advantage of SNMP v1/v2 over SNMP v3 is simplicity and significantly less network traffic.  The flexibility of using combinations of SNMP versions may be desirable to the IT network/security admin.  Since the SNMP info for routers and switches is likely to be considered highly sensitive, these devices may be configured with SNMP v3.  The SNMP info from printers, scanners and copiers is not particularly sensitive.  Hence, they may be configured to use SNMP v1/v2.
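
The community-string advice and the per-device-class version choice above can be checked mechanically before meter collection software is deployed. The following is an added example, not code from the article or from any meter collection product; the inventory fields, finding labels and sample devices are hypothetical, and treating 'private' as a second well-known default is an assumption beyond the article's 'public'.

```python
from dataclasses import dataclass

# 'public' is the default the article names; 'private' is the usual
# read-write default and is added here as an assumption.
DEFAULT_COMMUNITIES = {"public", "private"}
SENSITIVE_KINDS = {"router", "switch"}   # classes the article calls highly sensitive
LEGACY = {"v1", "v2c"}                   # versions protected only by a community string

@dataclass(frozen=True)
class Device:                            # hypothetical inventory record
    name: str
    kind: str                            # router, switch, printer, copier, scanner
    versions: frozenset                  # SNMP versions enabled on the device
    community: str = ""                  # v1/v2c community string, if any
    v3_level: str = ""                   # noAuthNoPriv, authNoPriv or authPriv

def audit(dev):
    """Return the policy findings for one device (empty list = compliant)."""
    findings = []
    legacy_on = bool(dev.versions & LEGACY)
    if legacy_on and dev.community.lower() in DEFAULT_COMMUNITIES:
        findings.append("default-community")
    if dev.kind in SENSITIVE_KINDS:
        if legacy_on:
            findings.append("legacy-snmp-on-sensitive-device")
        if "v3" not in dev.versions:
            findings.append("v3-not-enabled")
    # v3 only delivers authentication and encryption at the authPriv level.
    if "v3" in dev.versions and dev.v3_level != "authPriv":
        findings.append("v3-without-auth-and-privacy")
    return findings

def audit_inventory(devices):
    """Map device name -> findings, listing only devices that need attention."""
    return {d.name: f for d in devices if (f := audit(d))}

# Constructed sample inventory (names and strings are made up).
INVENTORY = [
    Device("core-rtr-1", "router", frozenset({"v2c"}), community="public"),
    Device("access-sw-3", "switch", frozenset({"v2c", "v3"}),
           community="n0t-default", v3_level="authNoPriv"),
    Device("dist-sw-1", "switch", frozenset({"v3"}), v3_level="authPriv"),
    Device("mfp-2f", "printer", frozenset({"v1", "v2c"}), community="public"),
    Device("mfp-3f", "copier", frozenset({"v2c"}), community="meters-ro-7Q"),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(f"{name}: {', '.join(findings)}")
```

Printers and copiers on v1/v2 pass as long as the community string is not a default, which matches the mixed-version approach described above.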