
We have had some issues with accessing certain things through the ISP used by one of our branch offices. They have asked us to allow them SNMP polling access to our Cisco ASA 5505 in order to check bandwidth use there. I am not sure exactly what they expect to get from this, but I want to help them solve our problem without being disruptive.

So my question is, what is the risk of allowing our ISP SNMP polling access to our ASA?

dunxd
    This puzzles me. They should know your bandwidth usage from whatever hardware your ASA is connected to. Or they're useless, and don't monitor their own hardware. – Tom O'Connor Sep 13 '11 at 11:33
  • Sometimes you have to work with what you've got. To not cooperate with them on this would mean they may not cooperate with something else... – dunxd Sep 13 '11 at 14:05
  • I hate to be an alarmist but there's no way in hell I would give my ISP access to my firewall or any other piece of my equipment. Sure, you could create a READ only community specifically for them but as Tom stated, they should be able to collect the relevant info from their end. The utilization on your end of the link should match the utilization on their end of the link, and as such, they ought to be able to gather all the info they need from their end. – joeqwerty Sep 13 '11 at 15:35
  • I get exactly what you are saying, otherwise I wouldn't have asked the question. I'd rather not give them any access, but if I can give them what they want without risk, I'd rather do that than build a brick wall that prevents me meeting my own objectives too. I can't switch ISP over this. – dunxd Sep 13 '11 at 19:39

1 Answer


Two risks: info disclosure and vulnerability exploit. In case you trust your ISP regarding the above-mentioned issues, and make sure SNMP is only accessible from some whitelisted ISP hosts, it can be considered OK. But configure it as tightly as possible, of course.

poige
  • @dunxd, SNMP version is another critical thing. Please consider SNMP v3 only, where the packets can be encrypted. v1 or v2c is too weak. – Lex Li Dec 27 '11 at 02:44
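
The tightened configuration the answer and Lex Li's comment point at, written out here as an added example (not configuration from either poster): SNMPv3 with authentication and encryption, and exactly one permitted poller. The poller address, group and user names, and passphrases are placeholders, and it assumes ASA software 8.2 or later, which introduced SNMPv3 on the ASA.

```cisco
! Added example, not from either poster: SNMPv3 polling restricted to one ISP host.
! Placeholders: 203.0.113.10 (ISP poller), ISP-RO / ispmon (group / user), both passphrases.
!
! The weak form the comment warns against: a v1/v2c community string crosses the ISP
! network in cleartext and is the only credential protecting the whole MIB. Not used here.
!   snmp-server host outside 203.0.113.10 poll community isp-string version 2c
!
snmp-server enable
! v3 group requiring both authentication and privacy (authPriv).
snmp-server group ISP-RO v3 priv
! User bound to that group: SHA authentication, AES-128 encryption of the SNMP payload.
snmp-server user ispmon ISP-RO v3 auth sha AUTH-PASSPHRASE-PLACEHOLDER priv aes 128 PRIV-PASSPHRASE-PLACEHOLDER
! Only this host, arriving on the outside interface, may poll, and only as this v3 user;
! the ASA accepts to-the-box SNMP solely from configured snmp-server hosts.
snmp-server host outside 203.0.113.10 poll version 3 ispmon
snmp-server location BRANCH-OFFICE-PLACEHOLDER
snmp-server contact NOC-CONTACT-PLACEHOLDER
!
! Verify what is actually exposed before handing over the credentials:
!   show running-config snmp-server
!   show snmp-server user
```

The information-disclosure risk the answer names is still present in read-only form (interface names, addresses, counters, software version), so keep the ISP's access to the one host and one user above and remove them when the troubleshooting is finished.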