I set out this weekend to figure out how to get PRTG Network Monitor to tell me the Internet bandwidth being used by our various machines, and where on the internet all that data is coming from or going to. In order to get that level of detail, I have to enable SNMP and then tack a bandwidth monitor sensor to each device.
SNMP gets a pretty bad rap in the security world. It’s host to its share of vulnerabilities, and the default credential (community string, in SNMP parlance) of “public” makes it obvious it gives up too much info too easily. Every best-practices benchmark or manual will tell you to turn that off or reconfigure it so none of the defaults are taken. More to the point, most modern OS distributions no longer enable it at all by default, and you have to explicitly enable it.
Enabling SNMP with all non-default settings turns out to be a very finicky process. Unless an IT shop is operating at a scale where everything will be built from “golden images,” it is easier to understand why security inspections often find defaults taken. Even though this flies in the face of best practices, the defaults on SNMP agents match the defaults on SNMP sensors. How incredibly tempting to IT managers with thinly-stretched staffs to take zero over the double work of setting sensors and agents up non-default and then testing to make sure they set the exact same non-defaults on both sides?
This doesn’t make it right, but it sure makes it understandable. Any security manager needs to show some empathy when finding things like this in the environment.