
HOW-TO Securely Use SNMP on a BGP/MPLS VPN Network

Let us consider the case of an IP/MPLS Service Provider offering extranet connectivity, along with access to services. The Service Provider manages its MPLS network and, in some cases, the Customer Edge (CE) routers. Network operations are made possible by its Operations and Business Support System (OSS/BSS) devices, hosted behind some of its own CE routers. Some value may be added by on-demand services hosted on managed servers behind CE routers. All these components can be managed using SNMP; we will see how to make the components interact safely. SNMP is definitely a great success in network management: it is simple yet powerful, and has proven itself. However, it has to be used in a carefully designed architecture. BGP/MPLS VPNs feature powerful functionality that integrates nicely with SNMP security requirements; the point is to use it. Just as SNMP is simple, BGP/MPLS has simple concepts that inherently protect the core network. Keeping things simple also makes it more likely that people will understand what the security engineers are trying to accomplish. This way, it is less likely that an inexperienced engineer will inadvertently open a large hole in our security architecture because he does not understand it.

245 (PDF, 2.19MB)

6 Aug 2002
By Guillaume Tamboise
All papers are copyrighted

No re-posting of papers is permitted
