And one more comment... SNMP is hated by every internal security team I have ever encountered. Security teams love private protocols, hate standard protocols... why? Because standard protocols are well documented. So anytime an internal security team can eliminate something that is standard/open, they are like a dog with a big bone. Thus almost every hardware vendor has their own secured and unique communication protocol implementations, layered protection, for their respective hardware monitoring agents, including VMware, Dell, HP, IBM, etc. However, SNMP continues to be used widely and appears set to be used indefinitely. :) Why did I mention VMware... because VMware is often qualified as the 4th big 'hardware' vendor.

-DD

On 04/19/2021 17:31, David C Sips wrote:

To expand on #5, have a look at http://www.net-snmp.org/wiki/index.php/Strong_Authentication_or_Encryption. In a hardened system, I would disable MD5 and DES as they are no longer considered secure.

David Sips
On 4/19/21 4:15 PM, John Bize wrote:

I'll take a shot at this.

 1. For an authoritative reply however, one should probably direct
    CIS questions to CIS.
 2. However, any reasonable security posture would have you disable
    all unused services.  This is simply SOP to reduce the attack
    surface.
 3. As for net-snmp specifically, it's always a good idea to check
    the Certs.  But depending on the document you are referencing,
    that is likely just the SNMP package installed on your system by
    default.
 4. And finally, SNMP v1 and v2c are insecure and can potentially
    (depending on configuration) expose sensitive internal
    information to unknown, unauthorized, and unauthenticated actors.
 5. If you must use SNMP on a hardened system, use (configure) SNMP v3.


On 19-Apr-2021 3:47 PM, Mike Eggleston wrote:
Why does CIS hardening say to remove the net-snmp package from Linux?

Mike


_______________________________________________
Net-snmp-users mailing list
Net-snmp-users@lists.sourceforge.net
Please see the following page to unsubscribe or change other options:
https://lists.sourceforge.net/lists/listinfo/net-snmp-users
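
As an added example (not part of the thread and not net-snmp's own code), the sketch below audits an `snmpd.conf` for the two points raised in the replies: community-string (v1/v2c) access and SNMPv3 users created with MD5 or DES. The function name and the sample configuration are constructed for illustration; the directive names and the `createUser` argument order are those of the standard net-snmp `snmpd.conf` format.

```python
import shlex

# Directives that enable community-string (SNMP v1/v2c) access.
COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6",
                        "rwcommunity6", "com2sec", "com2sec6"}
WEAK_ALGOS = {"MD5", "DES"}  # the two algorithms the thread says to disable


def audit_snmpd_conf(text):
    """Return (line_number, finding) tuples for risky snmpd.conf lines."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        try:
            tokens = shlex.split(raw, comments=True)  # honours quotes and '#'
        except ValueError:
            findings.append((lineno, "unparseable line (unbalanced quote)"))
            continue
        if not tokens:
            continue
        directive, args = tokens[0].lower(), tokens[1:]
        if directive in COMMUNITY_DIRECTIVES:
            findings.append((lineno, f"{tokens[0]}: v1/v2c community access"))
        elif directive == "createuser":
            if args[:1] == ["-e"]:      # optional "-e ENGINEID" prefix
                args = args[2:]
            # Layout: user AUTHTYPE authpass [PRIVTYPE [privpass]]
            for pos, role in ((1, "auth"), (3, "priv")):
                if len(args) > pos and args[pos].upper() in WEAK_ALGOS:
                    findings.append(
                        (lineno, f"user {args[0]}: weak {role} {args[pos].upper()}"))
    return findings


# Constructed sample configuration (not taken from any real system).
SAMPLE = "\n".join([
    "# constructed sample",
    "rocommunity public 10.0.0.0/24",
    "com2sec notConfigUser default public",
    'createUser monitor SHA-256 "auth pass phrase" AES "priv pass phrase"',
    'createUser legacy MD5 "old auth pass" DES "old priv pass"',
    "createUser -e 0x8000000001020304 trapuser SHA authpass12 DES",
    "rouser monitor priv",
])

if __name__ == "__main__":
    for lineno, finding in audit_snmpd_conf(SAMPLE):
        print(f"line {lineno}: {finding}")
```

Users created at runtime are stored in the agent's persistent configuration file rather than the main `snmpd.conf`, so that file should be passed through the same check.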

