Securing SNMP?
Results 1 to 5 of 5

Thread: Securing SNMP?

  1. #1
    Senior Member genXer's Avatar
    Join Date
    Jun 2005
    Posts
    252

    Securing SNMP?

    Hello all-

    I am looking through some ISS IS reports and finding that some HP-UX servers are using SNMPv1 and v2; which is showing up as a "High" level vulnerability and susceptible to attack. I know that if SNMP is to be used then SNMPv3 - which as I understand it has authentication and encryption may be the way to go - but has anyone here done that yet?

    I have heard from out IT community that SNMPv3 would be a pain to migrate and that once an upgrade is started, all nodes on the network that use SNMP need to be upgraded at around the same time, otherwise they will be cut off - is this true? Is there better way to secure this service or is it best to just disable SNMP?

    Also IT says they use SNMP to monitor network traffic - mostly for performance and "hearbeat" service from other nodes, like servers.

    Thoughts?

    Thanks!
    \"We\'re the middle children of history.... no purpose or place. We have no Great War, no Great Depression. Our great war is a spiritual war. Our great depression is our lives. We\'ve all been raised by television to believe that one day we\'ll all be millionaires and movie gods and rock stars -- but we won\'t. And we\'re learning slowly that fact. And we\'re very, very pissed off.\" - Tyler (Brad Pitt) Fight Club.

  2. #2
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    Yes, v3 is a pain in the arse. However, changing the default comminity string from "public" to something else is a step in the right direction. Most SNMP walkers will enumerate using this default value. Others have a nice library of default community strings by device and manufacturer and it will blast out searching for hits. 90% of the devices I've seen have the default community string set. Kinda makes you wonder.

    I'm using v2 with a community string password scheme. This alone has kept auditors (and Nessus) off my arse.

    Before I go, I will stress this again. A FULL risk assessment needs to be done before you run around willy nilly looking to one off issues that Nessus finds. You need to understand what risk, if any, is posed by SNMP in your environment.

    --Th13

    PS
    Soon I'm going to start billing you $250 an hour.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  3. #3
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Originally posted here by thehorse13
    PS
    Soon I'm going to start billing you $250 an hour.
    Hey horse, what's with the discount?

    Cheers:
    DjM

  4. #4
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    I'm feeling generous because it's almost time for me to cut out for the day.

    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  5. #5
    Senior Member genXer's Avatar
    Join Date
    Jun 2005
    Posts
    252
    Yes, v3 is a pain in the arse. However, changing the default comminity string from "public" to something else is a step in the right direction. Most SNMP walkers will enumerate using this default value. Others have a nice library of default community strings by device and manufacturer and it will blast out searching for hits. 90% of the devices I've seen have the default community string set. Kinda makes you wonder.

    I'm using v2 with a community string password scheme. This alone has kept auditors (and Nessus) off my arse.

    Before I go, I will stress this again. A FULL risk assessment needs to be done before you run around willy nilly looking to one off issues that Nessus finds. You need to understand what risk, if any, is posed by SNMP in your environment.

    --Th13

    PS
    Soon I'm going to start billing you $250 an hour.
    Ok - will check with the SA group on this.

    Also - risk assessment - my management group in auditing is working on that on an international level - I have mentioned getting down to this level of detail and hopefully they will make considerations for this and other areas at the OS/App level.

    I'll have to ask to see if I can put some money in the budget to pay for your services - but they will most likely laugh then slap me, or slap then laugh at me or both. So until I can pay, thanks much for the help!

    Oh wait, I have this: http://www.lardlad.com and this: http://www.playerappreciate.com/pimphandle.asp
    \"We\'re the middle children of history.... no purpose or place. We have no Great War, no Great Depression. Our great war is a spiritual war. Our great depression is our lives. We\'ve all been raised by television to believe that one day we\'ll all be millionaires and movie gods and rock stars -- but we won\'t. And we\'re learning slowly that fact. And we\'re very, very pissed off.\" - Tyler (Brad Pitt) Fight Club.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •