• If not absolutely need, disable SNMP • Use SNMPv3 with authentication and encryption • If SNMPv1 or v2, make name & password hard to guess crack. • Filter SNMP (port 161 TCP/UDP and 162 TCP/UDP) • Where possible make MIBs read-only.