D-Link DFL-260E User Manual for DFL-260E - Page 74
2.4.2. SNMP Monitoring
Chapter 2. Management and Maintenance

Security for SNMP Versions 1 and 2c is handled by the Community String which is the same as a password for SNMP access. The Community String should be difficult to guess and should therefore be constructed in the same way as any other password, using combinations of upper and lower case letters along with digits.

Enabling an IP Rule for SNMP

The advanced setting SNMP Before Rules controls if the IP rule set checks all accesses by SNMP clients. This is by default disabled and the recommendation is to always enable this setting.

The effect of enabling this setting is to add an invisible Allow rule at the top of the IP rule set which automatically permits accesses on port 161 from the network and on the interface specified for SNMP access. Port 161 is usually used for SNMP and NetDefendOS always expects SNMP traffic on that port.

Remote Access Encryption

It should be noted that SNMP Version 1 or 2c access means that the community string will be sent as plain text over a network. This is clearly insecure if a remote client is communicating over the public Internet. It is therefore advisable to have remote access take place over an encrypted VPN tunnel or similarly secure means of communication.

Preventing SNMP Overload

The advanced setting SNMP Request Limit restricts the number of SNMP requests allowed per second. This can help prevent attacks through SNMP overload.

Example 2.14. Enabling SNMP Monitoring

This example enables SNMP access through the internal lan interface from the network mgmt-net using the community string Mg1RQqR.

Since the management client is on the internal network, there is no need for it to communicate via a VPN tunnel.
Command-Line Interface

gw-world:/> add RemoteManagement RemoteMgmtSNMP my_snmp Interface=lan Network=mgmt-net SNMPGetCommunity=Mg1RQqR

Should it be necessary to enable SNMP Before Rules (which is enabled by default) then the command is:

gw-world:/> set Settings RemoteMgmtSettings SNMPBeforeRules=Yes

Web Interface

1. Go to System > Remote Management > Add > SNMP management
2. For Remote access type enter:
   • Name: a suitable name, for example snmp_access
   • Community: Mg1RQqR
3. For Access Filter enter:
   • Interface: lan
   • Network: mgmt-net