SNMP risks and security

Written by Andreas Schmidt; published April 2007.



SNMP is a protocol to support network monitoring and management. Its use is widespread, and most network monitoring products rely upon it. It runs on UDP port 161, with UDP port 162 used for SNMP traps.

For the technical details behind SNMP v1, consult RFC 1157. RFC 1441 introduces the various RFCs that make up SNMP v2.

SNMP Risks

An SNMP client authenticates to an SNMP agent via a string known as a community name. This community name works very much like a password. UNIX hosts often ship with an SNMP agent enabled by default—so your system could be exposed to SNMP flaws already. Problems with default SNMP installations include:

· The default read-only community name is "public", and the default read/write community is often "private". Hard-coded "passwords" like these have blighted IT security for as long as I can remember.

· If the read-only community can be guessed, serious information disclosure issues can crop up. The extent of the data disclosure is dependent on the MIB (Management Information Base). MIBs vary between vendors, but they usually contain the following types of information: network interface settings, network services, current network connections, administrative contacts, and server location. This assists attackers in mapping your network topology (think multihomed hosts), in performing traffic analysis (that is, who is talking to whom), and maybe even in getting some social engineering info.

· If the read/write community name can be guessed, you have the problems previously mentioned, but also, now, the attacker can modify the status of network interfaces and even reboot systems. Vendor-enhanced MIBs can allow even more devastating operations.

· Access to SNMP agents is not logged by default. You won't notice authentication failures.

· Some SNMP implementations, notably Solaris, actually run other SNMP daemons on high-numbered ports. Blocking access on a firewall to UDP port 161 might not be sufficient. Solaris users should check out http://www.ist.uwaterloo.ca/security/howto/2000-10-04.html.

Securing SNMP

· Decide whether you need SNMP. If your network operations team isn't monitoring servers via SNMP and you're not running any special software that relies on SNMP (some clustering implementations do), then disable it.

· Modify the default community strings to be hard-to-guess, random-looking strings. Make them long (at least 10 characters), and, whatever you do, don't use the name of your network supplier! (I've seen this too many times.)

· Configure SNMP authentication traps. If someone is trying to guess your SNMP community string, you want to know earlier rather than later. By configuring authentication traps, you can have the agent inform the SNMP master (normally the network management console) when an authentication failure happens. You might think it improbable that someone could guess a long SNMP community string. The savvy attacker will use a tool like ADMsnmp, written by the highly respected outfit ADM. Check out this post to Bugtraq for more info: http://archives.neohapsis.com/archives/bugtraq/1999_1/0759.html.
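
The checks in the list above can be run against an agent's configuration file. The following is an added example, not part of the original article: it assumes Net-SNMP `snmpd.conf` syntax (the article names no particular agent), inspects only the `rocommunity`/`rwcommunity` family of directives, and uses two constructed sample configurations with constructed community strings.

```python
DEFAULT_COMMUNITIES = {"public", "private"}  # defaults named in the article
MIN_LEN = 10                                 # the article's minimum length
COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}
SINK_DIRECTIVES = {"trapsink", "trap2sink", "informsink"}

# Constructed sample: what a default installation often looks like.
WEAK_CONF = """\
rocommunity public
rwcommunity private
"""

# Constructed sample: read-only access, long random-looking community,
# authentication-failure traps sent to a management console (192.0.2.10
# is a documentation address).
HARDENED_CONF = """\
# monitoring only, no write community
rocommunity q7Vn2xRk9LwTz4Hb
authtrapenable 1
trap2sink 192.0.2.10 Tr4pZ8mQw1Yc6Jd
"""

def audit_snmpd_conf(text):
    """Return (line_number, finding) tuples; line 0 means file-wide."""
    findings, auth_traps, trap_sink = [], False, False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive, *args = line.split()
        directive = directive.lower()
        if directive in COMMUNITY_DIRECTIVES and args:
            community = args[0]
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append((lineno, "default-community"))
            if len(community) < MIN_LEN:
                findings.append((lineno, "short-community"))
        elif directive == "authtrapenable" and args[:1] == ["1"]:
            auth_traps = True   # agent reports authentication failures
        elif directive in SINK_DIRECTIVES and args:
            trap_sink = True    # somewhere for those traps to go
    if not auth_traps:
        findings.append((0, "auth-traps-disabled"))
    if not trap_sink:
        findings.append((0, "no-trap-destination"))
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_snmpd_conf(conf))
```

Enabling authentication traps without a trap destination is reported separately, because the agent then has nowhere to send the failure notification.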
