nanog mailing list archives
Re: Writable SNMP
From: Keegan Holley <keegan.holley () sungard com>
Date: Wed, 7 Dec 2011 11:29:46 -0500
I can see the other comments about interactive commands and bulk read/writes, but what's the harm of doing it on internet connected boxesvs.non-internet boxes. Just about everyone uses snmp reads in the interwebsI think the general feeling is that snmp is udp so it's spoofable and your perimeter acls will never be 100% (or rather, are you willing to risk them not being 100%?)
That's a given even though there's still the string to deny the spoofed traffic someone could cause a fair amount of trouble if they knew what your acl's look like. That being said I don't think I've ever seen a company that doesn't at least use SNMP for billing and basic monitoring and many don't think to block it at their edge. It's hard to convince someone to change something that's been around for years though. SNMP is flawed though and enabling writes just makes it worse.
and as such filters it at their edges and hopefully on each platform.You'dsecure it the same way you'd secure readable SNMP I assume.read is 'painful', write can be downright deadly (to your SLAs).Also, who tests snmp WRITE in their code? at scale? for daily operations tasks?lol, that could be a problem.yea, I bet the number of people that test, at scale/operations-pace, snmp WRITE is countable on a single hand.... (didn't the snmp incident in 2002 teach us something?)Please elaborate.< http://www.cisco.com/warp/public/707/cisco-sa-20010227-ios-snmp-ilmi.shtmloh, 2001... memory lag :(
I don't remember hearing about this causing issues in a production network. According to the article you can just filter SNMP by IP which should be in place anyway. It's triggered by some sort of hidden string which would make it malicious, unless I'm missing something. In lieu of a software upgrade, a workaround can be applied to certain IOS releases by disabling the ILMI community or "**ilmi*" view and applying an access list to prevent unauthorized access to SNMP. Any affected system, regardless of software release, may be protected by filtering SNMP traffic at a network perimeter or on individual devices.
Current thread:
- Writable SNMP Keegan Holley (Dec 06)
- Re: Writable SNMP Jared Mauch (Dec 06)
- Re: Writable SNMP Christopher Morrow (Dec 06)
- Re: Writable SNMP Keegan Holley (Dec 06)
- Re: Writable SNMP Christopher Morrow (Dec 06)
- Re: Writable SNMP Keegan Holley (Dec 07)
- Re: Writable SNMP Christopher Morrow (Dec 07)
- Re: Writable SNMP Keegan Holley (Dec 09)
- Re: Writable SNMP Christopher Morrow (Dec 06)
- Re: Writable SNMP Jared Mauch (Dec 06)
- Re: Writable SNMP Jared Mauch (Dec 06)
- Re: Writable SNMP Dorian Kim (Dec 06)
- Re: Writable SNMP Christopher Morrow (Dec 06)
- Re: Writable SNMP Wes Hardaker (Dec 06)
- Re: Writable SNMP Christopher Morrow (Dec 06)
- Re: Writable SNMP Keegan Holley (Dec 07)
- Re: Writable SNMP Christopher Morrow (Dec 07)
- Re: Writable SNMP Keegan Holley (Dec 09)