Re: SNMP security
From: Hairy One Kenobi (abuse_at_[127.0.0.1)
Date: 02/09/05
- In reply to: Jason: "Re: SNMP security"
Date: Wed, 09 Feb 2005 16:25:38 GMT
"Jason" <jasons@hotmail.com> wrote in message
news:upLadKjDFHA.960@TK2MSFTNGP09.phx.gbl...
> Thanks both of you Roger and Kenobi for your input:
>
> -What I understand is w2k3 use SNMP v2 but compatible with v1, W2k use snmp
> v1? v1 is most vulnerable.
> - The S stands for simple not secure, especially when the community names
> are hard coded and can be captured in clear text using silent attack like
> sniffing.
> - Read-write security will put our position even in a worse condition for
> attack. Once the community name is discovered / sniffed / exposed, an
> "snmpset" utility can shut down the machines easily.
> - I am looking for concurrence from the experts that the risk associated
> with SNMP read-write doesn't justify to loosen the security on a hardened
> system, leaving this as a back door - while running IPsec is "too much" just
> for one purpose.
> - If Microsoft could have their SNMP conform to v3 standard it will be much
> better.
You missed out one other aspect - SNMP utilises UDP, so it's very easy to
drop a couple of packets in a network snarl-up.
Not a problem for monitoring purposes (I "used" to be a bit of a Unicenter
type for CA, many moons ago, and this invariably came up in the larger, more
dispersed, customers). Bit of a downer if you're no longer sure about your
firmware inventory..
The safest thing is, as I said, to block SNMP from non-approved hosts. Just
make sure that those hosts don't get compromised..!
H1K
> "Hairy One Kenobi" <abuse@[127.0.0.1]> wrote in message
> news:l76Od.139$bc1.55@newsfe3-win.ntli.net...
> > "Jason" <jasons@hotmail.com> wrote in message
> > news:OzymMvmCFHA.3888@TK2MSFTNGP09.phx.gbl...
> >> Hi everyone,
> >> We are planning to change the snmp security from read only to read write on
> >> all our servers (w2k and w2k3), include W2K domain controllers.
> >> What are the potential security issues on having SNMP security changed from
> >> Read to Read-write on windows 2000 and windows 2003 servers?
> >> The reason for the change is that we are planning to use Compaq Insight
> >> manager to push out the system BIOS to update our servers.
> >
> > "Security" and "SNMP" are related only insofar as they both begin with the
> > letter "S" ;o)
> >
> > I would suggest that, if possible, you look at disallowing SNMP traffic from
> > anywhere other than your chosen servers (i.e. block world'n'dog, but permit
> > CIM servers).
> >
> > It seems like an "interesting" way to update the BIOS - I take it that
> > you've tested everything, to make sure that reverting to a default
> > configuration won't leave you with a heap of "dead" boxes?
> >
> > --
> >
> > Hairy One Kenobi
> >
> > Disclaimer: the opinions expressed in this opinion do not necessarily
> > reflect the opinions of the highly-opinionated person expressing the opinion
> > in the first place. So there!
> >
> >
>
>