I'd say that not only is it all NOT internal, it is often not run on "specific dedicated backchannel networks". Ask anyone who was a victim of a DDoS that made use of SNMP amplification.
I would agree that it should be internal and should be run on internal-only interfaces/networks but the reality is that that very often isn't the case.
The average ASA is better off than most other devices simply because one must explicitly configure and enable SNMP on it. Too many other devices ship with it enabled, accessible from 0/0, with the default community strings set to "public" and "private". I believe the last abuse@ e-mail I received notifying me of a customer with a device exactly like that was on Saturday.