Penetration Testing mailing list archives

RE: snmp vulnerabilities


From: "Dom De Vitto" <dom () devitto com>
Date: Sun, 22 Jul 2001 22:23:34 +0100

| -----Original Message-----
| From: keydet89 () yahoo com [mailto:keydet89 () yahoo com]
| Sent: 19 July 2001 18:08
| 
| > As for comments on protecting SNMPv1 with ACLs and obfuscated Community
| > Strings, that is laughable at best. A better solution is to run with SNMPv3
| > using AuthPriv functionality, seems like some of the popular management
| > systems don't yet support v3 capabilities. 
When this is possible, it's obviously the better solution.
 
| Well, I don't see why such a solution would be 
| laughable.  From a business perspective, it 
| doesn't necessarily make sense to keep 
| heaping layer after layer of 'stuff' on top of 
| the protocol.
From the business perspective it's easier to upgrade a network
management protocol than secure large portions of intermediate infrastructure.

[snip]
| The issue as I see it is that folks are treating 
| security mechanisms in general (SNMP is not a 
| security mechanism) in isolation.  Yes, an 
| obfuscated community string in the UDP 
| packets is laughable in the face of a simple 
| sniffer.  However, if your infrastructure 
| configuration allows for the undetected 
| installation of a sniffer, then you have more 
| things to be concerned with, other than 
| simply the 'safety' of your community strings.  
| If someone has a sniffer, why bother with 
| things like community strings at all, when the 
| admin passwords can be easily collected.

Agreed, but as some people have nuclear weapons,
why bother with front doors?
Because every lock makes the whole job harder.

| Properly configuring and monitoring your 
| entire infrastructure is what can allow things 
| like SNMP and TFTP to run on the network.  

Agreed, but that's unusual, even on banking/military networks.
It's the fences and the gateways that are protected,
not the interior of each 'compound'.

| Network engineers too often say that "security breaks stuff"...and they are 
| definitely correct, particularly when a security 'expert' doesn't keep the business 
| objectives in mind.

Alternatively, when the network engineer doesn't keep
security objectives in mind, security has to be bolted on,
and anything bolted on is ugly and can break.

In a perfect world the information within computers would know
who can and can't access it, and how - without layers like NOSes,
OSes, "encryption" (which is just good obfuscation) etc.

And I would be out of a job....

Dom


