SNMP is typically not only read but also write.
In its default configuration, really?
I'd suppose so as well. It depends on the configuration of the SNMP server.
Easier to sniff (cleartext).
I thought it's possible to set up SNMP using some encryption by itself, but a quick search didn't find a useful HOWTO about SNMP, encryption or security... Except "disable if not needed"...
AFAIK, SNMPv3 will support encryption and a decent authentication scheme, but most SNMP implementations out there are still v1 or v2. Actually, I think that the SNMPv3 standard hasn't even been passed yet.
Yep, of course the firewalls restrict it to just one machine, but I would like to make sure that the snmpd will not allow bad things under any circumstances. Firewalling is quite clear, like always :)
Well, you can never be 100% sure (responding to your phrase "...under *any* circumstances..."). And whether things are good or bad depends a lot on the context they happen in.
And maybe using ssh port forwarding or ipsec to encrypt it.
IPSec with each machine is too expensive and won't help, since if the monitor gets compromised IPSec can be used by unauthorized software - same for SSH, so I don't see a big improvement.
Why do you consider IPSec too expensive? As it is, you don't need to do IPSec with all hosts, you can configure it on a host-by-host basis. In fact, you need to, unless you've got DNSSEC set up, as you need a host-specific authentication entity for each host. Still, it's not much more work than SSH, IMHO. As far as the security offered by IPSec is concerned, IPSec gives you real authentication of the source of IP packets. SNMP uses UDP, which makes the combination of easy source address spoofing and access to configuration commands (SNMP RW) a very risky thing. IPSec can prevent spoofing and keep sniffers from reading your SNMP data as well.
Tobias
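The points raised in this thread (read-only vs. read-write, restricting the agent to one monitor host, and SNMPv3 authentication plus encryption) can be expressed in the agent configuration itself. The following is an added example in Net-SNMP snmpd.conf syntax, not something posted in the thread; the addresses, community names and passphrases are constructed placeholders.

```conf
# --- weak: typical legacy snmpd.conf (constructed example) ---
# v1/v2c community strings travel in cleartext over UDP, and a read-write
# community reachable from any source lets a sniffed or spoofed request
# change the device's configuration.
rocommunity public
rwcommunity private

# --- hardened: same daemon, read-only, one monitor host, SNMPv3 authPriv ---
# 1. Limit what is visible at all: only the system group (sysDescr, sysUpTime, ...)
view systemonly included .1.3.6.1.2.1.1

# 2. Legacy v2c, only if a monitor still needs it: read-only, accepted from a
#    single source host, restricted to the view above.
#    192.0.2.10 is a placeholder address for the monitoring station.
rocommunity monitorRO 192.0.2.10 -V systemonly

# 3. SNMPv3 user with authentication (SHA) and encryption (AES).
#    Both passphrases are placeholders. createUser is read once at startup
#    and moved into the daemon's persistent configuration, so it should not
#    remain in a world-readable file afterwards.
createUser monitor SHA "REPLACE-auth-passphrase" AES "REPLACE-priv-passphrase"

# 4. Grant that user read-only access and require the priv (encrypted) level;
#    noAuthNoPriv and authNoPriv requests for this user are rejected.
rouser monitor priv -V systemonly

# 5. Listen only on the interface the monitor reaches (placeholder address),
#    not on every address of the host.
agentAddress udp:192.0.2.20:161
```

After restarting snmpd, a read-only walk such as `snmpwalk -v3 -l authPriv -u monitor -a SHA -A '<auth>' -x AES -X '<priv>' 192.0.2.20 system` should succeed, while an `snmpset` with the same credentials or any request from a host other than the monitor should be refused.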