Security Incidents mailing list archives

Re: Windows 2k SNMP Wonkiness Poll


From: Eric Brandwine <ericb () UU NET>
Date: 13 Feb 2002 23:21:33 +0000

"fj" == Filip Jonckers <fjonckers () Interconnect be> writes:

Having the service installed and having it running are two different
things.

fj> A lot of server installations NEED snmp service installed...

fj> let me give an example:

fj> Compaq Proliant servers installed with NT/win2K should be
fj> running Compaq Insight Agents which are software agents
fj> to monitor/manage the Compaq hardware
fj> Compaq Insight Manager software is used to poll
fj> the status of the agents (using SNMP and some other ports)

fj> problems with hard disk, memory, backplane, temperature ....
fj> can be seen before the major crash happens

These should all be traps.  Sending a trap is always safe.  You might
want to take a good look at your trap host, but your clients are OK.

fj> Stuff like this are vital in an environment with dozens of Proliant
fj> servers installed

We've got thousands of deployed servers.  We're scared.

fj> the same for unix or other environments ....

UNIX mostly.  We're taking a good close look at our trap hosts, and
for some large commercial packages, we're implementing a trap proxy
based on the latest (non-vulnerable) UCD-SNMP package.  It's not a lot
of code, and will protect the things we cannot upgrade or patch.

There is no NEED.  You need to do business and make money more than
you need SNMP.  Evaluate what SNMP means to you (and separate out
polling vs. trapping), and determine what the consequences are of
losing either or both.  Your network will not stop dead if you turn
off SNMP, it just won't run as smoothly.  You'll have to work harder,
and outages (if any) will be more severe.

Also, I don't recall the results of our Windoze testing, but I believe
that most versions are only vulnerable if the attacker knows the
community string.  Don't trust me on that, verify it for yourself, but
if so, go change your strings now.  That'll help out.  If you're using
public/private, you've got problems.

ericb
-- 
Eric Brandwine     |  Better to remain silent and be thought a fool than to
UUNetwork Security |  speak out and remove all doubt.
ericb () uu net       |
+1 703 886 6038    |      - Silvan Engel
Key fingerprint = 3A39 2C2F D5A0 FC7C  5F60 4118 A84A BD5D  59D7 4E3E

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
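
An added example (not code from the post or from UCD-SNMP) of the framing check a trap proxy like the one described above could apply before forwarding: it accepts only a well-formed SNMPv1 Trap with an approved community string and drops polls, default strings and malformed BER lengths. The community `s3kr1t-ro`, the size cap and the sample bytes are assumptions constructed for illustration; the PDU body is not decoded here.

```python
# Added example: strict outer-framing check for an SNMPv1 trap datagram.
WEAK = {b"public", b"private"}   # default strings called out in the post
MAX_DATAGRAM = 1472              # assumption: one unfragmented Ethernet UDP payload

class Reject(Exception):
    """Raised with the reason a datagram must not be forwarded."""

def read_tlv(buf, off, end):
    """Return (tag, value_start, value_end) for the TLV at off, bounded by end."""
    if off + 2 > end:
        raise Reject("truncated header")
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first < 0x80:                         # short-form length
        length = first
    else:                                    # long form: at most 2 length octets
        n = first & 0x7F
        if n == 0 or n > 2 or off + n > end:
            raise Reject("bad length encoding")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > end:
        raise Reject("length exceeds enclosing element")
    return tag, off, off + length

def check_trap(datagram, communities):
    """Return the community string if datagram is a well-framed v1 trap."""
    if len(datagram) > MAX_DATAGRAM:
        raise Reject("oversized datagram")
    tag, start, end = read_tlv(datagram, 0, len(datagram))
    if tag != 0x30 or end != len(datagram):
        raise Reject("not a single SEQUENCE")
    tag, vs, ve = read_tlv(datagram, start, end)
    if tag != 0x02 or datagram[vs:ve] != b"\x00":
        raise Reject("not SNMPv1")
    tag, cs, ce = read_tlv(datagram, ve, end)
    community = datagram[cs:ce]
    if tag != 0x04 or community in WEAK or community not in communities:
        raise Reject("community not accepted")
    tag, _, pe = read_tlv(datagram, ce, end)
    if tag != 0xA4 or pe != end:             # 0xA4 = Trap-PDU; Get/Set are dropped
        raise Reject("not a Trap-PDU")
    return community

def tlv(tag, value):                         # sample builder, short-form lengths only
    return bytes([tag, len(value)]) + value

# Constructed sample: enterprise OID, agent 192.0.2.10, generic 6, specific 1
BODY = bytes.fromhex("06062b0601040100" "4004c000020a" "020106020101430100" "3000")
SAMPLE = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, b"s3kr1t-ro") + tlv(0xA4, BODY))
```
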