SNMP is a protocol to support network monitoring and management. Its use is widespread, and most network monitoring products rely upon it. It runs on UDP ports 161 and 162 (for snmp traps).

For the technical details behind SNMP v1, consult RFC 1157. RFC 1441 introduces the various RFCs that make up SNMP v2.

SNMP Risks

An SNMP client authenticates to an SNMP agent via a string known as a community name. This community name works very much like a password. UNIX hosts often ship with an SNMP agent enabled by default—so your system could be exposed to SNMP flaws already. Problems with default SNMP installations include

· The default read-only community name is "public", and the default read/write community is often "private". Hard coded "passwords" like these have blighted IT security for as long as I can remember.

· If the read-only community can be guessed, serious information disclosure issues can crop up. The extent of the data disclosure is dependent on the MIB (Management Information Base). MIBs vary between vendors, but they usually contain the following types of information: network interface settings, network services, current network connections, administrative contacts, and server location. This assists attackers in mapping your network topology (think multihomed hosts), in performing traffic analysis (that is, who is talking to whom), and maybe even in getting some social engineering info.

· If the read/write community name can be guessed, you have the problems previously mentioned, but also, now, the attacker can modify the status of network interfaces and even reboot systems. Vendor-enhanced MIBs can allow even more devastating operations.

· Access to SNMP agents is not logged by default. You won't notice authentication failures.

· Some SNMP implementations, notably Solaris, actually run other SNMP daemons on high-numbered ports. Blocking access on a firewall to UDP port 161 might not be sufficient. Solaris users should check out http://www.ist.uwaterloo.ca/security/howto/2000-10-04.html.

Securing SNMP

· Decide whether you need SNMP. If your network operations team isn't monitoring servers via SNMP and you're not running any special software that relies on SNMP (some clustering implementations do), then disable it.

· Modify the default community strings to be hard-to-guess, random-looking strings. Make them long (at least 10 characters), and, whatever you do, don't use the name of your network supplier! (I've seen this too many times.)

· Configure SNMP authentication traps. If someone is trying to guess your SNMP community string, you want to know earlier rather than later. By configuring authentication traps, you can have the agent inform the SNMP master (normally the network management console) when an authentication failure happens. You might think it improbable that someone could guess a long SNMP community string. The savvy attacker will use a tool like ADMsnmp, written by the highly respected outfit ADM. Check out this post to Bugtraq for more info: http://archives.neohapsis.com/archives/bugtraq/1999_1/0759.html.