Securing SNMP?

[genXer]

Hello all-

I am looking through some ISS IS reports and finding that some HP-UX servers are using SNMPv1 and v2; which is showing up as a "High" level vulnerability and susceptible to attack. I know that if SNMP is to be used then SNMPv3 - which as I understand it has authentication and encryption may be the way to go - but has anyone here done that yet?

I have heard from out IT community that SNMPv3 would be a pain to migrate and that once an upgrade is started, all nodes on the network that use SNMP need to be upgraded at around the same time, otherwise they will be cut off - is this true? Is there better way to secure this service or is it best to just disable SNMP?

Also IT says they use SNMP to monitor network traffic - mostly for performance and "hearbeat" service from other nodes, like servers.

Thoughts?

Thanks!

[thehorse13]

Yes, v3 is a pain in the arse. However, changing the default comminity string from "public" to something else is a step in the right direction. Most SNMP walkers will enumerate using this default value. Others have a nice library of default community strings by device and manufacturer and it will blast out searching for hits. 90% of the devices I've seen have the default community string set. Kinda makes you wonder.

I'm using v2 with a community string password scheme. This alone has kept auditors (and Nessus) off my arse.

Before I go, I will stress this again. A FULL risk assessment needs to be done before you run around willy nilly looking to one off issues that Nessus finds. You need to understand what risk, if any, is posed by SNMP in your environment.

--Th13

PS
Soon I'm going to start billing you $250 an hour.

[DjM]

Originally posted here by thehorse13
PS
Soon I'm going to start billing you $250 an hour.

Hey horse, what's with the discount?

Cheers:

[thehorse13]

I'm feeling generous because it's almost time for me to cut out for the day.

[genXer]

Yes, v3 is a pain in the arse. However, changing the default comminity string from "public" to something else is a step in the right direction. Most SNMP walkers will enumerate using this default value. Others have a nice library of default community strings by device and manufacturer and it will blast out searching for hits. 90% of the devices I've seen have the default community string set. Kinda makes you wonder.

I'm using v2 with a community string password scheme. This alone has kept auditors (and Nessus) off my arse.

Before I go, I will stress this again. A FULL risk assessment needs to be done before you run around willy nilly looking to one off issues that Nessus finds. You need to understand what risk, if any, is posed by SNMP in your environment.

--Th13

PS
Soon I'm going to start billing you $250 an hour.

Ok - will check with the SA group on this.

Also - risk assessment - my management group in auditing is working on that on an international level - I have mentioned getting down to this level of detail and hopefully they will make considerations for this and other areas at the OS/App level.

I'll have to ask to see if I can put some money in the budget to pay for your services - but they will most likely laugh then slap me, or slap then laugh at me or both. So until I can pay, thanks much for the help!

Oh wait, I have this: http://www.lardlad.com and this: http://www.playerappreciate.com/pimphandle.asp