Closing SNMP gaps

Alert sends companies scurrying to check SNMP traffic and the long list of affected devices

ON FEB. 12, the Computer Emergency Response Team (CERT) went public with a series of vulnerabilities in SNMP Version 1, the widely used standard for system management and monitoring. The announcement, based on the findings of a group from the Oulu University Secure Programming Group in Oulu, Finland, listed weaknesses in SNMP’s trap-handling and request-handling functions that, according to the bulletin, could result in unauthorized access, DoS (denial of service) attacks, and unstable behavior.

But these issues had been common knowledge for quite some time. Nor was there anything new in the recommendations made in the CERT advisory, such as using ingress and egress filtering or turning off SNMP if it wasn’t in use. Those kinds of recommendations were, and still are, standard practice at security-aware organizations.

What was new in CERT’s notice was the availability of the PROTOS test suite, also developed by the Oulu University group, which turned SNMP vulnerability issues from theoretical exercises into practical realities. So in the days following the CERT announcement, many a security administrator could be found downloading the PROTOS tool and taking a close look at SNMP and all the devices that use it. Some exploits have been developed, although none has been made public, as of this writing.

Windows, Solaris, Linux, print servers, routers, switches, storage appliances — the list of affected devices is endless. But it’s not difficult to secure your network perimeter. Simply ensure that your routers and firewalls are filtering SNMP traffic (ports 161, 162, 391, and 1993), filter SNMP traffic from non-authorized hosts, change default community strings, disable stack execution, and segregate SNMP traffic onto its own network.

Easy enough. The hard part is identifying and patching all the systems on your network running SNMP. Attacks against Internet-facing network devices, such as your routers and firewalls, aren’t the real concern; it’s the worms and Trojan horses that get past those perimeter defenses that you must worry about.

Thankfully, several organizations have released free scanners to help companies identify devices running SNMP. For example, the System Administration, Networking, and Security (SANS) Institute has released SNMPing, a tool that scans port 161 on a provided list of IP addresses. (You can request the SANS tool by sending an e-mail to [email protected].) A free tool from Foundstone, SNScan, can scan ports 160, 161, 391, and 1993. (SNScan is available at www.foundstone.com/knowledge/free_tools.html .) And Qualys recently announced that it would provide free network scans to check for SNMP-enabled services and devices.

Of course, companies that regularly perform system audits and security assessments can quickly identify which systems are running SNMP without using any of these specialized tools. That’s why, in the end, the SNMP issue stands as testimony that following best practices is always the most effective means of ensuring security and managing risk.

Source: www.infoworld.com

Related Posts

Trending now

XML APIs for databases
XML APIs for databases
JNDI overview, Part 1: An introduction to naming services
JNDI overview, Part 1: An introduction to naming services
Spotlight dimmed on J2EE launch
News and New Product Briefs (December 20, 1999)