Support claims we can’t use SNMPv3 to scan Cisco switches and routers and closed my months-long case without even letting me respond but instead opened an idea for me! Yeahhhh!!! IDEA-17282
There’s no field within the shared credentials for SNMPv3 “ContextName,” which is required for some devices as they’re hardcoded. I, too, have raised this and was presented with an “IDEA.”
I am also disappointed with support. We are a telecom company with a lot of Cisco / Juniper and other network equipment. We can’t use SNMPv3 with strong encryption for network device scanning. I was given ticket IDEA-16558 but it obviously doesn’t help as there are no timelines and / or commitment to implement the feature request.
Have you looked at the privilege escalation feature we can do with Cisco, where we can add enable options with credentials to get a bit deeper? In this case it would be SSH creds. Cisco Enable / Privileged Exec Support | Rapid7 Blog
The challenge with unsupported features that require an IDEA is that they are not in the tool, so there is little support can do outside of getting you and your company on an IDEA which will hopefully help push it on dev’s radar. The more folks we can get attached to an IDEA the better, so keep submitting them if you have them!
I guess it depends on the use case. If you are a small business it may be OK to give everyone who needs it privileged access. If you are a Telco and want to use Rapid7 for vulnerability scanning of a national network (with diverse equipment like Cisco/Juniper/Nokia and so on) then giving the scanner privileged access to the whole network is a terrible idea. In case the scanner is compromised the attacker will have access to the whole network. SNMP and its more modern analogue gNMI allow operators to restrict scanner access to relevant views only.
In the end, do you really need privileged SSH access just to discover the software version of a network device?
I am pretty sure SNMP is still an option, I’ve just personally found it to be a bit hard to set up so I usually recommend something easier. It looks like Rapid7 did release some updates to it though, might check to see if maybe the IDEA you mentioned possibly led to this, not sure: InsightVM Release Notes
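The view-based restriction described in the post above, sketched for Cisco IOS as an added example that is not part of the thread or of Rapid7's documentation. The view, group, user and ACL names, the scanner address 192.0.2.10 and both passphrases are placeholders, and AES-128 is assumed to be available on the image.

```cisco
! Added example: read-only SNMPv3 account for a vulnerability scanner.
! All names, the address and the passphrases below are placeholders.
!
! 1. Only the scanner host may talk SNMP to this device.
ip access-list standard SCANNER-SNMP
 permit host 192.0.2.10
 deny   any log
!
! 2. A view that exposes only the MIB-II system group (1.3.6.1.2.1.1),
!    which carries sysDescr, the string that includes the software version.
snmp-server view SCANNER-RO 1.3.6.1.2.1.1 included
!
! 3. A group that requires authentication and encryption (priv),
!    has a read view only (no write or notify view), and is bound to the ACL.
snmp-server group SCANNER-GRP v3 priv read SCANNER-RO access SCANNER-SNMP
!
! 4. The scanner's user, placed in that group.
snmp-server user scanner-ro SCANNER-GRP v3 auth sha <AUTH-PASSPHRASE> priv aes 128 <PRIV-PASSPHRASE>
```

With this in place a stolen scanner credential can read the system group from the scanner's address and nothing else, which is the difference from handing the scanner enable-level SSH access.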