After spending time with hundreds of customers over the last couple of years, I’ve noticed a lot of issues regarding SNMP configuration and login credentials on access points and controllers.
It’s surprising how many companies are still using ‘public’ and ‘private’ as their production strings! Since these strings are passed as clear text on the network, not only should they be set to something other than the default strings, but they should be changed on a regular basis as well. Another tactic that I’ve seen customers use is to have different strings for different devices or to have unique strings for devices in different locations. For more security, use SNMPv3 on all the devices in your network that support v3.
SNMP v1 and v2 are really not much more secure than the way some kings in the Middle Ages sent their secret messages. They would write the message on the bald head of the messenger, let the messenger’s hair grow out, and then send him to the other king. This is security by obscurity – it’s better than nothing but is not very effective once someone figures out to shave the heads of all the messengers! If you’re sending your SNMP v1 and v2 settings in the clear, a moderately clever intruder might be able to figure out how to get on your network. Most enterprise-grade WLAN hardware supports SNMPv3 today… make sure your vendor provides it.
Besides SNMP issues, I see a lot of customers still using the default credentials for login access. Not changing the factory default credentials on your network devices is like sending out the messenger without even letting his hair grow out! The best security in this case is to NEVER use the factory IDs and use a centralized user ID and password source. Also, while you are at it, make sure you disable telnet and HTTP! There is no sense in setting a secure authentication scheme to just send it out over the network in the clear.
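An added example (not from the original post) that checks device configs for the issues listed above: default or clear-text SNMP communities, strings reused across devices, and telnet/HTTP left enabled. The IOS-style command syntax, device names and sample configs are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample configs. IOS-style syntax is an assumption; adapt the
# patterns to your vendor's CLI. Device names and strings are made up.
SAMPLE_CONFIGS = {
    "ap-lobby": "snmp-server community public RO\nip http server\n"
                "line vty 0 4\n transport input telnet ssh\n",
    "ap-floor2": "snmp-server community s1te-B-ro RO\nno ip http server\n"
                 "ip http secure-server\nline vty 0 4\n transport input ssh\n",
    "wlc-core": "snmp-server group NMS v3 priv\n"
                "snmp-server community s1te-B-ro RO\nno ip http server\n"
                "line vty 0 4\n transport input ssh\n",
}
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)", re.M)
HTTP_RE = re.compile(r"^ip http server\s*$", re.M)
TELNET_RE = re.compile(r"^\s*transport input .*\b(telnet|all)\b", re.M)

def audit_device(config):
    """Return sorted finding codes for one device's running config."""
    findings = set()
    for community in COMMUNITY_RE.findall(config):
        # Any v1/v2c community crosses the network in clear text.
        findings.add("snmp-cleartext-community")
        if community.lower() in ("public", "private"):
            findings.add("snmp-default-community")
    if HTTP_RE.search(config):      # "no ip http server" does not match
        findings.add("http-enabled")
    if TELNET_RE.search(config):
        findings.add("telnet-enabled")
    return sorted(findings)

def shared_communities(configs):
    """Map each community string to the devices using it, if more than one."""
    users = defaultdict(list)
    for device, config in configs.items():
        for community in set(COMMUNITY_RE.findall(config)):
            users[community].append(device)
    return {c: sorted(d) for c, d in users.items() if len(d) > 1}

if __name__ == "__main__":
    for device, config in SAMPLE_CONFIGS.items():
        print(device, audit_device(config))
    print("shared:", shared_communities(SAMPLE_CONFIGS))
```

Note that the sample controller still gets a clear-text finding even though it has an SNMPv3 group, because a v2c community remains configured alongside it.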
Written by Jeremy Haltom
October 24th, 2007 at 2:31 pm
Another big issue I see is that people do set their credentials but completely forget what they are. In real big enterprises we may see 50+ different credentials being used.