RE: SNMP service



That all sounds pretty standard. There are still a
few risks you want to be aware of and either accept or
mitigate.

SNMP v2 and previous were not encrypted, so the
community "password" and data could be discovered by
an attacker via sniffing. If this concerns you, you
could get around this by using SNMP v3, tunneling
through IPSec, SSL or SSH, etc.

SNMP is largely over UDP where spoofing the source IP
is trivial, so the source IP restrictions only buy
you so much assurance. The encrypted tunneling
methods above also give you improved ability to
confirm the identity of the remote system and more
assurance.

With many SNMP implementations, there is often little
audit logging done to detect intrusions. Host-based
and/or network IDS / IPS may be one way to try to
improve on the logging if desired.

Software vulnerabilities are discovered in SNMP
implementations from time to time, so you may also
want to consider what patch management options you
have or need in order to be able to rapidly push
software updates for various OSes.

All of this is optional, depending on your tolerance
for risk.

regards,

karl levinson


-----Original Message-----
From: kathy.kirk@xxxxxxxxxxxxxx

We could use some guidance regarding SNMP. Below are
the requirements we were given and our proposed
approach. What if any issues do you see with our
approach? Have you implemented something like this
in your environment, and if so, how many devices do
you have conforming to a similar requirement?

Requirements: Using one standard community name,
enable SNMP read capabilities on all devices
supporting SNMP services throughout the corporate
network, while mitigating risk of any known
vulnerability.

Approach: On all supported platforms (i.e. Windows,
Solaris, Linux, AIX, etc.) configure the SNMP Service
using a unique community name with read only rights
and configure the community name to accept packets
from specified trusted hosts.
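
Added example, not part of either message in this thread: one way to check that a host actually follows the proposed approach (read-only community, non-default name, accepted only from listed trusted hosts). It assumes net-snmp's snmpd.conf syntax on the Linux/Unix platforms; the community string, addresses, and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample of a net-snmp snmpd.conf; names and addresses are made up.
SAMPLE_CONF = """\
# monitoring access
rocommunity public
rocommunity c0rpR34d 10.20.30.40
rocommunity c0rpR34d 10.20.0.0/16
rwcommunity c0rpR34d 10.20.30.40
com2sec readonly default c0rpR34d
rouser nmsuser priv
"""

TRUSTED_HOSTS = {"10.20.30.40"}        # assumed management stations
DEFAULT_NAMES = {"public", "private"}  # well-known default community names
COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}

def source_is_trusted(source, trusted):
    """True only when the source is exactly one listed host, not a range."""
    try:
        net = ipaddress.ip_network(source, strict=False)
    except ValueError:                 # a hostname rather than an address
        return source in trusted
    return net.num_addresses == 1 and str(net.network_address) in trusted

def audit_snmpd_conf(text, trusted=TRUSTED_HOSTS):
    """Return (line_number, finding) pairs for SNMPv1/v2c community directives."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        directive, args = tokens[0].lower(), tokens[1:]
        if directive in COMMUNITY_DIRECTIVES and args:
            community = args[0]
            source = args[1] if len(args) > 1 else "default"
        elif directive == "com2sec" and len(args) >= 3:
            source, community = args[-2:]   # com2sec [-Cn CTX] NAME SOURCE COMMUNITY
        else:
            continue                   # rouser (SNMPv3) and other directives are skipped
        if directive.startswith("rw"):
            findings.append((lineno, "write access granted"))
        if community.lower() in DEFAULT_NAMES:
            findings.append((lineno, "default community name"))
        if source == "default":
            findings.append((lineno, "no source restriction"))
        elif not source_is_trusted(source, trusted):
            findings.append((lineno, "source %s is not a single trusted host" % source))
    return findings
```

A clean result only confirms the configuration matches the stated approach; it does not address the cleartext community string or UDP source spoofing raised in the reply.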


