RE: SNMP security

From: Robert D. Hughes (rob@robhughes.com)
Date: 11/15/01


Subject: RE: SNMP security 
Date: Thu, 15 Nov 2001 15:37:01 -0600
Message-ID: <B95B566BD245174196CA4EE29E581883092DA6@HEXCH01.robhughes.com>
From: "Robert D. Hughes" <rob@robhughes.com>
To: "Christopher Vittek" <c.vittek@home.com>, "JC" <jchaser@yahoo.com>, <security-basics@securityfocus.com>



True, but only if you're running a firewall that supports an SNMP proxy,
and that proxy supports filtering of commands. If your firewall is of
the packet filter variety or the proxy is just a circuit-level proxy,
you won't be able to do that. Let's hope more vendors start supporting
SNMP V3 soon, and that they actually implement it in a way that works
and is at least fairly uniform.

Rob

-----Original Message-----
From: Christopher Vittek [mailto:c.vittek@home.com]
Sent: Thursday, November 15, 2001 1:09 PM
To: Robert D. Hughes; JC; security-basics@securityfocus.com
Subject: RE: SNMP security

I don't know if this would tie in. If you have a firewall you can secure
SNMP a little more by allowing the firewall to do Application Level
securing and allow SNMP gets while disallowing sets. This might help in
securing SNMP a little more.

Chris

-----Original Message-----
From: Robert D. Hughes [mailto:rob@robhughes.com]
Sent: Tuesday, November 13, 2001 11:00 PM
To: JC; security-basics@securityfocus.com
Subject: RE: SNMP security


This was just posted to the list Monday, but I'll go ahead and repeat it
and see if the moderator passes it.

As far as SNMP, use a long string of mixed alpha-numeric characters for
your community string and set explicit rules to only allow it to the
required devices along with the associated replies in addition to traps
from any required devices. SNMP, other than V3, does not support
encryption or authentication, and most devices and management
applications do not support SNMP V3. A few do, such as OpenNMS or
Openview Network Node Manager with the SNMP Research security pack.
However, devices have only very recently started to support SNMP V3,
such as Cisco in a recent IOS release, NET-SNMP, and a few others. Also,
for monitoring purposes, all community strings should be set to RO. If
sets (RW) are required, limit it to internal devices and set the allowed
managers to a single internal source.

Rob

-----Original Message-----
From: JC [mailto:jchaser@yahoo.com]
Sent: Monday, November 12, 2001 3:07 PM
To: security-basics@securityfocus.com
Subject: SNMP security

Hi Folks,

SNMP security has been stated as one of the biggest
security holes in companies' networks today. I would
like to ask all of the gurus out there what you are
doing in your organization to secure SNMP. If you had
a network where you were given complete control and
you didn't have to accommodate anyone, what would you do
to secure SNMP?

JC


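The get/set filtering and single-manager restriction discussed in this thread, sketched as an added example that is not part of any poster's message or of any firewall product: it decodes just enough of an SNMPv1/v2c datagram to read the community string and PDU type, then permits only read requests from listed managers. The function names, manager address and community value are hypothetical, and the sample datagrams are constructed.

```python
# Added example: read-only SNMP filter decision for SNMPv1/v2c datagrams.
READ_PDUS = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA5: "GetBulkRequest"}
ALL_PDUS = {**READ_PDUS, 0xA2: "GetResponse", 0xA3: "SetRequest", 0xA4: "Trap",
            0xA6: "InformRequest", 0xA7: "SNMPv2-Trap"}

def tlv(buf, pos):
    """Decode one BER TLV at pos; return (tag, value_bytes, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of datagram")
    return tag, buf[pos:pos + length], pos + length

def classify(datagram):
    """Return (version, community, pdu_name) for an SNMPv1/v2c message."""
    tag, body, _ = tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not a BER SEQUENCE")
    tag, ver, pos = tlv(body, 0)
    if tag != 0x02 or ver not in (b"\x00", b"\x01"):
        raise ValueError("not SNMPv1/v2c")
    tag, community, pos = tlv(body, pos)
    if tag != 0x04:
        raise ValueError("community is not an OCTET STRING")
    pdu_tag, _, _ = tlv(body, pos)
    return ver[0], community, ALL_PDUS.get(pdu_tag, "unknown")

def allow(datagram, src, managers, ro_community):
    """Permit only read requests from listed managers; anything else fails closed."""
    try:
        _, community, pdu = classify(datagram)
    except ValueError:
        return False
    return src in managers and community == ro_community and pdu in READ_PDUS.values()

def sample_message(pdu_tag, community):  # constructed v2c datagram naming sysDescr.0
    varbinds = bytes.fromhex("300e300c06082b060102010101000500")
    pdu = bytes.fromhex("020101020100020100") + varbinds
    inner = b"\x02\x01\x01\x04" + bytes([len(community)]) + community + bytes([pdu_tag, len(pdu)]) + pdu
    return b"\x30" + bytes([len(inner)]) + inner
```

Because the community string travels in clear text in these versions, a check like this limits what a request can do but does not authenticate the sender.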
