SNMP security

Jason

Hi everyone,
We are planning to change the SNMP security from read only to read write on
all our servers (w2k and w2k3), including W2K domain controllers.
What are the potential security issues on having SNMP security changed from
Read to Read-write on Windows 2000 and Windows 2003 servers?
The reason for the change is that we are planning to use Compaq Insight
Manager to push out the system BIOS to update our servers.
Any help appreciated.

Jason
Roger Abell

They still are not on the CIM bandwagon, and so you are
looking at SNMP. IMO the use of SNMP and security
in the same breath is a mistake. SNMP v1 "security"
is not really there as far as I can tell. As such, allowing
relatively open read is much different from allowing
relatively open write.
Hairy One Kenobi

Jason said:
Hi everyone,
We are planning to change the SNMP security from read only to read write on
all our servers (w2k and w2k3), including W2K domain controllers.
What are the potential security issues on having SNMP security changed from
Read to Read-write on Windows 2000 and Windows 2003 servers?
The reason for the change is that we are planning to use Compaq Insight
Manager to push out the system BIOS to update our servers.

"Security" and "SNMP" are related only insofar as they both begin with the
letter "S" ;o)

I would suggest that, if possible, you look at disallowing SNMP traffic from
anywhere other than your chosen servers (i.e. block world'n'dog, but permit
CIM servers).

It seems like an "interesting" way to update the BIOS - I take it that
you've tested everything, to make sure that reverting to a default
configuration won't leave you with a heap of "dead" boxes?

--

Hairy One Kenobi

Disclaimer: the opinions expressed in this opinion do not necessarily
reflect the opinions of the highly-opinionated person expressing the opinion
in the first place. So there!
Jason

Thanks both of you Roger and Kenobi for your input:

- What I understand is w2k3 uses SNMP v2 but compatible with v1, W2k uses SNMP
v1? v1 is most vulnerable.
- The S stands for simple, not secure, especially when the community names
are hard coded and can be captured in clear text using a silent attack like
sniffing.
- Read-write security will put our position in an even worse condition for
attack. Once the community name is discovered / sniffed / exposed, an
"snmpset" utility can shut down the machines easily.
- I am looking for concurrence from the experts that the risk associated
with SNMP read-write doesn't justify loosening the security on a hardened
system, leaving this as a back door - while running IPsec is "too much" just
for one purpose.
- If Microsoft could have their SNMP conform to the v3 standard it would be much
better.

Jason
Hairy One Kenobi

Jason said:
Thanks both of you Roger and Kenobi for your input:

- What I understand is w2k3 uses SNMP v2 but compatible with v1, W2k uses SNMP
v1? v1 is most vulnerable.
- The S stands for simple, not secure, especially when the community names
are hard coded and can be captured in clear text using a silent attack like
sniffing.
- Read-write security will put our position in an even worse condition for
attack. Once the community name is discovered / sniffed / exposed, an
"snmpset" utility can shut down the machines easily.
- I am looking for concurrence from the experts that the risk associated
with SNMP read-write doesn't justify loosening the security on a hardened
system, leaving this as a back door - while running IPsec is "too much" just
for one purpose.
- If Microsoft could have their SNMP conform to the v3 standard it would be much
better.

You missed out one other aspect - SNMP utilises UDP, so it's very easy to
drop a couple of packets in a network snarl-up.

Not a problem for monitoring purposes (I "used" to be a bit of a Unicenter
type for CA, many moons ago, and this invariably came up in the larger, more
dispersed, customers). Bit of a downer if you're no longer sure about your
firmware inventory...

The safest thing is, as I said, to block SNMP from non-approved hosts. Just
make sure that those hosts don't get compromised...!


H1K
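Two points from the thread are easy to check on the wire: Jason's note that v1/v2c community names travel in clear text, and Kenobi's advice to allow SNMP only from approved management hosts. The script below is an added example written for this page, not code from any poster or from Compaq Insight Manager. It decodes the BER header of an SNMP datagram (version, community, PDU type), then audits a list of (source IP, datagram) pairs and flags any SetRequest that did not come from an approved manager. The sample datagrams are constructed in the script with a small encoder; the IP addresses and community strings are made up for the example.

```python
"""Decode SNMP v1/v2c headers and flag write (SetRequest) traffic from unapproved hosts.

Added example for the thread above; all sample data is constructed here.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# PDU tags from RFC 1157 / RFC 3416 (context-specific, constructed).
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap", 0xA5: "GetBulkRequest",
             0xA7: "SNMPv2-Trap"}
VERSION_NAMES = {0: "v1", 1: "v2c", 3: "v3"}


def ber_encode(tag: int, content: bytes) -> bytes:
    """Minimal BER TLV encoder (short and long definite-length forms)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def ber_read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported BER length encoding")
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        pos = pos + 2 + nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:end], end


@dataclass
class SnmpHeader:
    version: str
    community: Optional[str]   # None for v3: no cleartext community in the header
    pdu_type: str


def parse_snmp_header(datagram: bytes) -> SnmpHeader:
    """Parse Message ::= SEQUENCE { version INTEGER, community OCTET STRING, pdu }."""
    tag, body, _ = ber_read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    tag, ver, pos = ber_read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing version field")
    version = int.from_bytes(ver, "big", signed=True)
    if version == 3:
        # v3 carries msgGlobalData/security parameters instead of a community.
        return SnmpHeader("v3", None, "v3-message")
    tag, community, pos = ber_read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("missing community field")
    pdu_tag, _, _ = ber_read_tlv(body, pos)
    return SnmpHeader(VERSION_NAMES.get(version, f"v?{version}"),
                      community.decode("latin-1"),
                      PDU_NAMES.get(pdu_tag, f"pdu-0x{pdu_tag:02x}"))


def build_community_message(version: int, community: str, pdu_tag: int,
                            request_id: int = 1) -> bytes:
    """Construct a v1/v2c message with one varbind (sysName.0 = NULL); test data only."""
    sysname_oid = bytes([0x2B, 0x06, 0x01, 0x02, 0x01, 0x01, 0x05, 0x00])
    varbind = ber_encode(0x30, ber_encode(0x06, sysname_oid) + ber_encode(0x05, b""))
    pdu = ber_encode(pdu_tag,
                     ber_encode(0x02, bytes([request_id])) +   # request-id
                     ber_encode(0x02, b"\x00") +               # error-status
                     ber_encode(0x02, b"\x00") +               # error-index
                     ber_encode(0x30, varbind))                # VarBindList
    return ber_encode(0x30, ber_encode(0x02, bytes([version])) +
                      ber_encode(0x04, community.encode("latin-1")) + pdu)


def build_v3_stub() -> bytes:
    """Constructed v3-shaped message (empty global data / security params)."""
    return ber_encode(0x30, ber_encode(0x02, b"\x03") + ber_encode(0x30, b"") +
                      ber_encode(0x04, b"") + ber_encode(0x30, b""))


def audit_datagrams(flows: Iterable[Tuple[str, bytes]],
                    approved_managers: Iterable[str]) -> List[str]:
    """Report cleartext communities and SetRequests from hosts outside the allow list."""
    approved = set(approved_managers)
    findings = []
    for src, dgram in flows:
        hdr = parse_snmp_header(dgram)
        if hdr.community is not None:
            findings.append(f"{src}: {hdr.version} {hdr.pdu_type} exposes community "
                            f"'{hdr.community}' in clear text")
        if hdr.pdu_type == "SetRequest" and src not in approved:
            findings.append(f"{src}: SetRequest from host outside the approved manager list")
    return findings


def sample_flows() -> List[Tuple[str, bytes]]:
    """Constructed traffic: IPs and community names are invented for this example."""
    return [
        ("10.0.0.5", build_community_message(1, "public", 0xA0)),    # v2c read from manager
        ("10.0.0.99", build_community_message(0, "private", 0xA3)),  # v1 write from elsewhere
        ("10.0.0.5", build_v3_stub()),                                # v3: no community
    ]


if __name__ == "__main__":
    for line in audit_datagrams(sample_flows(), ["10.0.0.5"]):
        print(line)
```

The same decoder, pointed at the bytes of UDP/161 captures from the management VLAN, tells you which hosts are issuing writes and whether any community name other than the one configured for the CIM servers is in use; the approved-manager list is the host-level counterpart of the firewall restriction Kenobi recommends.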
 