How To Encrypt SNMPv1 & SNMPv2c For Government/Corporate Compliance

Both of these SNMPv3 converters give you a modern security upgrade for your older SNMP devices...

You're responsible for keeping your network online and secure. That includes preventing unauthorized access and tampering. You may even be required by management or the government to comply with certain security standards.

You have older SNMP gear that doesn't support encryption

If your network has evolved over time (as every network has), you have a problem: Many of your SNMP-based devices don't support secure, encrypted SNMPv3.

Because encryption is an intensive operation for small hardware, firmware updates won't save you. And you can't simply replace all of your SNMP-based equipment at once. No one has the budget to simultaneously upgrade equipment that was installed over a 20-year period.

You need a cost-effective alternative to a complete hardware swap-out

You're going to need some amount of new hardware to upgrade to SNMPv3, but you need to be surgical. You can't afford to replace all of your equipment. You need a small number of converter devices that take in SNMPv1/v2c traps from many sources and convert those traps to SNMPv3.

Requirements for your SNMPv3 converter devices:

  1. Accepts inbound SNMPv1/v2c traps from many different source devices (much less purchasing than a complete system swap-out)
  2. Sends SNMPv3 traps to your SNMP manager (messages are secured before forwarding)

Option A: One centralized master station to convert to SNMPv3

The central master station T/Mon LNX converting SNMPv1 & SNMPv2c to SNMPv3.
In Option A, a central master like T/Mon LNX is used to convert traps to SNMPv3. All older SNMP devices will report to this mid-level master. Traps will be converted and forwarded as v3 traps.

One way to meet the two requirements above is to install an intelligent alarm master station that accepts inbound SNMPv1/v2c and translates those traps to SNMPv3. This means you only have to buy one device, install one device, and configure one device. Unless you have a very small network, this is going to be the simplest, cheapest way for you to upgrade to SNMPv3.

There are some limitations to using a single master station:

  • You have a single point of failure. (You can choose to install a redundant pair of masters to address this.)
  • You'll still be using unencrypted SNMP until traps reach the central master (Your overall network architecture should be a big factor in your decision. Do you have other security in place to compensate for the SNMPv1/v2c segments?)

Option B: Small fleet of remote SNMPv3 converter devices at your remote sites

Decentralized NetGuardian V16 devices converting older SNMP to encrypted traps.
In Option B, individual remote devices like NetGuardian V16s are used to convert SNMP to encrypted v3 at each individual site. This decentralizes your points of failure and allows for conversion before SNMP leaves each building.

The alternative to a central master station is a decentralized fleet of SNMPv3 converters. These are small devices (typically 1 RU) that can handle a reasonable number of inbound SNMP traps. Because you'll be deploying more than one converter, each one needs to handle just a fraction of your total SNMP traffic.

This decentralized architecture addresses several of the potential problems of a single master station:

  • You'll eliminate the single point of failure. (The loss of a single converter device will have no effect on any other)
  • No unencrypted SNMP leaves the site/area. (With a device in each building/zone, you won't have unencrypted SNMP traffic traveling across any significant part of your network)
  • Remote converters can handle other functions. (You can generally address other monitoring/control tasks using "freebie" included functions on the converter device)

If you can handle the possible one-time increase in purchasing that comes with Option B - which is still minuscule compared to a total upgrade of all of your SNMP-based gear - you'll gain several advantages over Option A.
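Whichever option you choose, you can check which segments still carry unencrypted SNMP by classifying captured trap payloads by version and security level. The Python below is an added example, not part of the original article or of any product named here; it assumes you pass it the raw UDP payload of a trap (port 162), and the sample bytes are constructed. Note that an SNMPv3 message is only encrypted when its msgFlags indicate authPriv.

```python
# Added example: classify one raw SNMP message (UDP payload) by version and protection.
VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}

def read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for one BER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                          # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def classify(payload):
    """Return version, whether the message is encrypted, and what is exposed."""
    tag, body, _ = read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("outer SEQUENCE missing, not an SNMP message")
    tag, ver, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version INTEGER missing")
    version = VERSIONS.get(int.from_bytes(ver, "big"), "unknown")
    if version in ("v1", "v2c"):
        _, community, _ = read_tlv(body, pos)  # community string travels in cleartext
        return {"version": version, "encrypted": False, "community": community.decode("latin-1")}
    if version == "v3":
        _, gdata, _ = read_tlv(body, pos)      # msgGlobalData SEQUENCE
        p = 0
        for _field in ("msgID", "msgMaxSize", "msgFlags"):
            _, val, p = read_tlv(gdata, p)     # after the loop, val holds msgFlags
        if not val:
            raise ValueError("empty msgFlags")
        level = {0: "noAuthNoPriv", 1: "authNoPriv", 3: "authPriv"}.get(val[0] & 0x03, "invalid")
        return {"version": "v3", "encrypted": level == "authPriv", "level": level}
    return {"version": version, "encrypted": False}

# Constructed sample payloads (headers only, empty PDUs), not captured traffic.
SAMPLES = {
    "v2c": bytes.fromhex("300d0201010406" "7075626c6963" "a700"),
    "v3_authpriv": bytes.fromhex("3016020103300d020101020205dc04010302010304000400"),
    "v3_noauth": bytes.fromhex("3016020103300d020101020205dc04010002010304000400"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify(raw))
```

Run it against payloads captured on the link between a converter and your SNMP manager: anything reported as v1, v2c, or a v3 level other than authPriv is still readable on that segment.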

Option C: Do Nothing

It's worth comparing Option A and Option B for yourself and your network. Remember, though, that doing nothing might be the most expensive choice of all. Business momentum ebbs and flows. You might be focused on SNMP today, but you're liable to get pulled onto a totally different project tomorrow.

While you're able to focus on SNMP conversion, get a few quotes together. That's what it takes to get funding (or at least get something into your next budget).

