Ok.... I'm going to have to put on my enterprise management specialist hat here for a minute and make some comments. Most of the bad rap SNMP has comes from engineers that don't understand it, what it is, how to configure it, what network and systems management is, etc. This tends to be repeated by the security community without question as something akin to a mantra. SNMP is not in or of itself bad. In fact, it is far and away the most widely used management protocol, with RPC coming in second, and it works bloody well.

Taking the analogy of "SNMP is bad. It should be turned off", I could just as easily make the assertion that web services are bad due to the number of issues surrounding them and so they should always be turned off too. This attitude would not be welcome at any e-commerce site that I can think of, however, just as the attitude that SNMP should always be disabled would not be welcome at most networks consisting of more than a few hosts and a single router that I've worked on. This would include networks consisting of several thousands of hosts, with hundreds of network devices. It's just not possible nor practical to turn off SNMP. It's often not possible in even networks consisting of only a few dozen hosts and a few routers when the engineers need more warning of network problems than the boss calling them up wanting to know why he can't access Yahoo.

Want to know when your router is running out of buffer memory? SNMP. Want to know if that router is saturated and dropping packets? SNMP. Want to know your switch is dropping a ton of packets on an interface, or that its memory is exhausted and it's now essentially a $50 per port hub? SNMP. Do you need to know before these things happen? SNMP. These applications are not just in large companies, either. I've done both very large networks, and rather small ones, sometimes as few as a half-dozen or so hosts and a single router and switch because the company couldn't afford to have their network down.
To reiterate:

- Use a long and complex mixed case alpha-numeric community string for both gets and sets (if sets are needed. CiscoWorks requires the ability to do both gets and sets, as do many management applications in a distributed environment. Also, SNMP is case sensitive, FYI) and *never* *ever* use the default strings.
- Limit SNMP to the internal network if at all possible, though the risks are often overstated when it comes to running it on the external networks.
- If SNMP is required on devices on an external or partner network, set an allowed manager(s) and only accept SNMP to/from this host(s).
- Push your vendor to migrate to SNMP V3 if they haven't already done so, then implement it along with all the benefits it brings.
- If sets are not required, disable them at the device. Do not depend on an application proxy to protect you.
- Do not allow SNMP or SNMP-TRAPs into your network from an untrusted network (just as you shouldn't allow any packets originating from untrusted networks into yours except to servers running publicly accessible applications).

Rob

-----Original Message-----
From: Christopher Vittek [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 19, 2001 5:08 AM
To: [EMAIL PROTECTED]
Subject: RE: SNMP security

Not to agree to have SNMP turned on, I would always turn it off. But, in some large companies that I have noticed is that they use HP Openview. HP Openview uses SNMP for various things. In turn, it does not have to be there, but politics sometimes get the better and you need to find a way to at least secure it somewhat. HP Openview is like many applications that will use SNMP: it can use the "gets", but does not have to use the "sets". In this turn you can find a Firewall that can do Application Level Filtering and can allow only SNMP "gets" and not "sets".
Chris

-----Original Message-----
From: Meritt James [mailto:[EMAIL PROTECTED]]
Sent: Friday, November 16, 2001 8:57 AM
To: [EMAIL PROTECTED]
Subject: Re: SNMP security

Roger, concur, stress, underline, comment on his understatement, ... Why does it HAVE to be on? What is the driving reason (besides "it is neat and everyone has it!")?

Ok

"[EMAIL PROTECTED]" wrote:
>
> I'm assuming, even with the complete control that you have, you
> need SNMP. If not, and I hate to sound like a broken record, but turn it off.
>
> If you need it for monitoring, what are the platforms that you have
> SNMP enabled on? It's very easy to secure SNMP on a Cisco router, for example, but what else are you using SNMP for?

--
James W. Meritt CISSP, CISA
Booz | Allen | Hamilton
phone: (410) 684-6566
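As an added example that is not part of this thread, the following Python audit checks an IOS-style SNMP configuration against Rob's list above: default community strings, strings that are not long and mixed-case alphanumeric, RW (set) access, communities with no manager access-list, and no SNMPv3 privacy group beside the v1/v2c communities. The NMS address 192.0.2.10, the access-list number, the group and user names, the 16-character length threshold and the <AUTH-PASS>/<PRIV-PASS> placeholders are all assumptions; both sample configs are constructed.

```python
import re
DEFAULT_COMMUNITIES = {"public", "private"}  # vendor defaults the post says never to use
MIN_LENGTH = 16  # assumed threshold for a "long and complex" community string

# Constructed sample: vendor defaults, write access, no manager restriction.
WEAK_CONFIG = """\
snmp-server community public RO
snmp-server community private RW
"""

# Constructed sample after the checklist; <AUTH-PASS>/<PRIV-PASS> are placeholders, 192.0.2.10 the assumed NMS.
HARDENED_CONFIG = """\
access-list 10 permit host 192.0.2.10
snmp-server community Xk7pQ2mW9vL4tR8n RO 10
snmp-server view MGMT iso included
snmp-server group NMS-GROUP v3 priv read MGMT access 10
snmp-server user nms-poller NMS-GROUP v3 auth sha <AUTH-PASS> priv aes 128 <PRIV-PASS> access 10
"""

COMMUNITY_RE = re.compile(r"snmp-server community (\S+)(?: view \S+)?(?: (RO|RW))?(?: (\S+))?$")
V3_PRIV_RE = re.compile(r"snmp-server group \S+ v3 priv\b")

def is_complex(community):
    """Long, mixed-case and alphanumeric, as the post recommends."""
    return len(community) >= MIN_LENGTH and all(
        re.search(p, community) for p in (r"[a-z]", r"[A-Z]", r"[0-9]"))

def audit_snmp_config(config_text):
    """Return (config line, finding) pairs; an empty list means nothing was flagged."""
    findings, v3_configured, v2_in_use = [], False, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if V3_PRIV_RE.match(line):
            v3_configured = True
        m = COMMUNITY_RE.match(line)
        if not m:
            continue
        v2_in_use = True
        community, mode, acl = m.groups()  # mode None means the IOS default, RO
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append((line, "default community string"))
        elif not is_complex(community):
            findings.append((line, "community string is short or not mixed-case alphanumeric"))
        if mode == "RW":
            findings.append((line, "sets enabled: use RO unless the NMS really needs writes"))
        if acl is None:
            findings.append((line, "no access-list: any host may use this community"))
    if v2_in_use and not v3_configured:
        findings.append(("(global)", "no SNMPv3 priv group alongside v1/v2c communities"))
    return findings
```

Running `audit_snmp_config` over a saved `show running-config` gives a quick pre-change check that the device follows the list before it is exposed to a partner network.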