
GS310TP SNMP how to use public community string

stefankaerst
Aspirant

GS310TP SNMP how to use public community string

Hi!

 

I have two GS108T and two GS310TP. I successfully use SNMP to monitor the GS108T via snmp public community string without password.

How do I use/configure SNMP public access to the GS310TP? I cannot create any configuration using "public" community strings, because it tells me "Error: Default public and private community strings are not allowed."

on the GS108T I can add/change snmp settings using "public" community strings without restrictions.

 

so, how do I use SNMP readonly access to the GS310TP using "public" community string. I could not find any hint within the manual.

 

your help will be much appreciated!

Stefan K.

Model: GS310TP|NETGEAR® S350 Series 8-Port Gigabit PoE+ Ethernet Smart Managed Pro Switch with 2 SFP Ports
Message 1 of 6

Accepted Solutions
schumaku
Guru

Re: GS310TP SNMP how to use public community string

Using the common default public and private community strings is considered a major security risk, thus deprecated, prohibited, and disabled if set in place. What's the point of not changing to something more effective?


Message 2 of 6

All Replies
stefankaerst
Aspirant

Re: GS310TP SNMP how to use public community string

hi schumaku

thanks for your fast reply

 


@schumaku wrote:

Using the common default public and private community strings is considered a major security risk, thus deprecated, prohibited, and disabled if set in place.


ok, why?

I agree that SNMP should not be enabled by default, especially no write access. but "public" community string is built-in in many monitoring software.

 


@schumaku wrote:

What's the point of not changing to something more effective?


because "public" is well known!?

I added a community string "publik" for read only access, and I had to change my monitoring software for these two switches only. still I cannot see why "publik" is now more effective, more secure than "public" as SNMP v2c is unencrypted anyway.

 

I bought these type of switches to manage configuration. I enabled SNMP on purpose. I know what I'm doing here! there is a HP printer which is monitored via SNMP so I can see data about paper and colors in my monitoring software. this is just my home-office network not some 100ge backbone of a company. forcing me to use some community string other than "public" is security through obscurity, IMHO.

SNMP is meant to be simple, hence the S in SNMP.

 

Regards!

Stefan

Message 3 of 6
schumaku
Guru

Re: GS310TP SNMP how to use public community string


@stefankaerst wrote:

still I cannot see why "publik" is now more effective, more secure than "public" as SNMP v2c is unencrypted anyway.


You probably don't change your devices default password, too - do you?

 


@stefankaerst wrote:

still I cannot see why "publik" is now more effective, more secure than "public" as SNMP v2c is unencrypted anyway.


So who is able to sniff your wired (or for the sake of it the encrypted wireless) traffic on your network, and then again on your network management VLAN?

Message 4 of 6
stefankaerst
Aspirant

Re: GS310TP SNMP how to use public community string

hi schumaku,

 

please don't take this too seriously. it's just about read access of some network metrics and statistics. it's not comparable to a real admin login.

 

my point is: why do developers always hard code their decisions into the code/firmware? so we (l)users or sysadmins in my case cannot even configure what we want, because some error message says: "No, you cannot do that, this is bad. I know this better than you."

if I enable telnet login at my internal switches & servers, then because I know what I'm doing! If I configure public servers to use tcp:22 port instead of 60022 then because I know what I'm doing! ok? who are the developers to decide things for me?!

 

what's the problem with SNMP disabled by default and let sysadmins like me activate it later when needed. if I want it to be unencrypted, it's my choice. if I want it to be v1 not V3 it's my choice too. if the firmware still supports V1, V2 it's my free choice to use it - including the community <name>. it's just a name, ok? like a color. it does not do any harm if it's that name or another. only it makes our sysadmin lives easier because thousands of monitoring sysadmins are not forced to change default SNMP public access away from "public" to "publik" - on all devices including monitoring software!

it was not my choice to build "public" default into monitoring software, but it is convenient as it saves a lot of time. (my time and thousand hours of other sysadmin lives).

btw. my monitoring software supports md5-96, sha-96, sha-224, sha-256, sha-384, sha-512, cbs-des, aes-128 and I tried some time without success. the manual/help of the netgear switch did not help, so I switched "back" to SimpleNMP v2c because it does what it should, without spending hours of trying. It's just a monitoring access, not some real-time mission critical rocket guidance software, ok? 😉

if someone manages to break into my home-office network, I care least about SNMP or any other traffic on the wire. (important things are encrypted of course)

 

Kind Regards

Stefan

 

Message 5 of 6
schumaku
Guru

Re: GS310TP SNMP how to use public community string

Stefan,

 

The step from the read-only "public" to the read+write "private" is very short.

 

It's not Netgear's decision to ban "public", "private" or other default security controls like "passwords". Matter of fact, it's a US and California business, and they have to comply with US and California law. FMI: SB-327 Information privacy: connected devices.

 

The fact that your monitoring or admin software does also default to something st***d does not imply it's a good or smart or clever decision. sometimes we have to change.

I'm not overly happy on Netgear's new password rules either btw.

 

Regards,

-Kurt 

Message 6 of 6