nanog mailing list archives

Re: Is my router owned? How would I know?

From: Mikael Abrahamsson <swmike () swm pp se>
Date: Sat, 14 Jan 2006 11:25:42 +0100 (CET)


On Sat, 14 Jan 2006, Alexei Roudnev wrote:

Some Cisco IOS'es have numerous bugs, related to SNMP (I watched few cases,
when all Cisco's 72xx lost configuration becuase of receivbing something
bogus), so SNMP should be filtered out from public internet.

The major problem people forget is that snmp is UDP and if there is anyway what so ever to spoof your management station, someone will be able toupload your config to whereever unless you have tightened down what can bedone via snmp write.

As soon as they have your config they're likely to be able to progressfurther unless you have very tight security.

Also remember that the private key for SSH is in the config so if they getit, ssh offers no protection either.

Rule of thumb: All keys (tacacs keys, snmp communities etc) should beunique for each device, so if someone gets the config, they cannot use theinformation on other devices in your network.


--
Mikael Abrahamsson    email: swmike () swm pp se

Current thread:

RE: Cisco, haven't we learned anything? (technician reset), (continued)
- - - RE: Cisco, haven't we learned anything? (technician reset) Scott Morris (Jan 12)
    - Re: Cisco, haven't we learned anything? (technician reset) Martin Hannigan (Jan 12)
    - Is my router owned? How would I know? Rob Thomas (Jan 12)
    - Re: Is my router owned? How would I know? goemon (Jan 12)
    - Re: Is my router owned? How would I know? Florian Weimer (Jan 12)
    - Re: Is my router owned? How would I know? Martin Hannigan (Jan 12)
    - Re: Is my router owned? How would I know? Christopher L. Morrow (Jan 12)
    - Re: Is my router owned? How would I know? Joseph S D Yao (Jan 13)
    - Re: Is my router owned? How would I know? Mikael Abrahamsson (Jan 12)
    - Re: Is my router owned? How would I know? Alexei Roudnev (Jan 14)
    - Re: Is my router owned? How would I know? Mikael Abrahamsson (Jan 14)
    - Re: Is my router owned? How would I know? Alexei Roudnev (Jan 14)
    - Re: Cisco, haven't we learned anything? (technician reset) Brett Frankenberger (Jan 12)
  - Re: Cisco, haven't we learned anything? (technician reset) Bill Nash (Jan 12)
    - Re: Cisco, haven't we learned anything? (technician reset) John Kinsella (Jan 12)
  - Re: Cisco, haven't we learned anything? (technician reset) Gary E. Miller (Jan 12)
  - Re: Cisco, haven't we learned anything? (technician reset) Jay Hennigan (Jan 12)
    - Re: Cisco, haven't we learned anything? (technician reset) william(at)elan.net (Jan 12)
    - Re: Cisco, haven't we learned anything? (technician reset) Jay Hennigan (Jan 12)
    - Re: Cisco, haven't we learned anything? (technician reset) william(at)elan.net (Jan 12)
    - Re: Cisco, haven't we learned anything? (technician reset)y Martin Hannigan (Jan 12)

(Thread continues...)