My lackadaisical work ethic, and skinflint hatred of spending money, has FINALLY PAID OFF!
Network Management Systems are far more easily attacked than previously reckoned, according to new research by Rapid7. The firm behind the popular Metasploit penetration testing tool warns that vulnerabilities in systems used to manage network elements (routers, servers, printers and more) offer attackers a “treasure map” of …
It'd take an attacker a few minutes to get nmap installed on a machine and some SNMP management tools, if they aren't already installed as part of the base OS. Refusing to use Network Management software because of the security risk is like gouging your eyes out so an attacker can't blind you. Besides, if an attacker is already far enough into your network that the security of the NM server is a factor, you have already lost.
Of course it is important to consider security in such cases, such as using only SNMPv3 on devices that support it, firewalling devices that only support v1 or v2, and using unique and secure community strings (and not just reusing the same string for everything).
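One way to check a fleet of hosts against those points (v3 where the device supports it, source restriction or a firewall for v1/v2c, no default or shared community strings, and no write access that nobody asked for) is a config audit. The following is an added example, not code from the thread or from Rapid7; it assumes net-snmp's snmpd.conf directive syntax, and the host names and config text are constructed.

```python
# Audit of net-snmp style snmpd.conf files for the hygiene points above. Constructed
# example; assumes net-snmp's rocommunity/rwcommunity (v1/v2c) and rouser/rwuser (v3).
from collections import defaultdict
WEAK_COMMUNITIES = {"public", "private", "cisco", "admin", "manager"}  # vendor defaults

def parse_snmpd_conf(text):
    """Return (directive, name, source, level) tuples for each access line."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        directive = parts[0].lower()
        if directive in ("rocommunity", "rwcommunity") and len(parts) >= 2:
            has_src = len(parts) > 2 and not parts[2].startswith("-")  # else any source
            entries.append((directive, parts[1], parts[2] if has_src else "default", None))
        elif directive in ("rouser", "rwuser") and len(parts) >= 2:
            level = parts[2].lower() if len(parts) > 2 else "auth"  # net-snmp's default level
            entries.append((directive, parts[1], None, level))
    return entries

def audit(configs):
    """configs: {hostname: snmpd.conf text} -> sorted list of (host, finding)."""
    findings, community_hosts = [], defaultdict(set)
    for host, text in configs.items():
        for directive, name, source, level in parse_snmpd_conf(text):
            if directive.endswith("community"):
                community_hosts[name].add(host)
                findings.append((host, f"v1/v2c community '{name}' in use (plaintext, prefer v3)"))
                if name.lower() in WEAK_COMMUNITIES or len(name) < 12:
                    findings.append((host, f"weak or default community '{name}'"))
                if source == "default":
                    findings.append((host, f"community '{name}' open to any source; firewall UDP/161"))
            if directive.startswith("rw"):
                findings.append((host, f"write access granted to '{name}'"))
            if level and level != "priv":
                findings.append((host, f"v3 user '{name}' at '{level}': traffic not encrypted"))
    for name, hosts in community_hosts.items():  # same string shared across devices
        if len(hosts) > 1:
            findings.extend((h, f"community '{name}' reused on {len(hosts)} hosts") for h in hosts)
    return sorted(findings)

# Constructed sample inventory (not real hosts)
SAMPLE = {
    "core-sw1": "rocommunity public\nrwcommunity private 10.0.0.0/8\n",
    "printer-3": "rocommunity public default\n",
    "web-7": "rouser nms priv\n",
}
if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A v3-only host with a `priv` user produces no findings; the two v2c hosts are flagged for the default string, the unrestricted source, the shared string and the write community.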
Surely anyone that knows how to use SNMP knows how to implement a simple firewall rule? Can't think of a single reason I'd give anything SNMP write access to.
The M in SNMP is Management, not monitoring, despite the fact that monitoring might be the more common use these days. Just as an example, I do find managing VLANs on Cisco Catalyst via SNMP quite useful, especially when testing things.
Your point about firewalls definitely stands.
"Surely anyone that knows how to use SNMP knows how to implement a simple firewall rule?"
You'd be surprised... I worked with a client a few months ago that had a bunch of Linux-based web servers that they managed over SNMP. They changed the port number, but it was still accessible from the outside.
As for write access, I've seen a lot of cheap layer-2 switches that can only be managed over SNMP. Not much to configure other than VLAN or PoE parameters. There are also a couple of the lower-end work group printers that require SNMP to configure.
"Users of these products are urged to ensure they are running the latest versions of the software."
In these days when even the assumed most bomb-proof (been running for a decade without a problem) programs turn out to have attack vectors, users of any products should ensure they are running the latest versions of the software.
It's also worth pointing out that all of those devices should be protected, too. Even if someone got in they can't do anything if the endpoints are locked down. Are devices configured securely? For instance, are you managing your printers with policy-based print security compliance tools? Are there firewalls in place? Are you monitoring network traffic for anomalies?
Karen Bannan for IDG and HP