Saturday, 12 April 2008

Simple Network Management Protocol

SNMP is a great way to manage your network, but it has some security risks if it is not set up correctly. An example of this is what I found the other day. I was talking to a systems administrator and asked the standard questions, such as what management protocols he runs. He replied SNMP, and that they don't let it pass beyond the firewall to the public internet, so it's secure.

My eyebrow raised as I asked: what stops anyone reading the SNMP information from the LAN? Like most people, he had overlooked the people in the company as being a threat. I then proceeded to show him how much information I could collect from SNMP about his network.

On every SNMP-enabled device you should define the hosts that are allowed to manage it. If these are not defined, you might as well give a network diagram to everyone, as it makes it that easy to identify your network layout and therefore to mount a more targeted attack.

On a Cisco device you can configure SNMP quite easily, and here is an example.

access-list 75 remark applies to hosts allowed to gather SNMP info from this router
access-list 75 permit host 14.2.6.6
access-list 75 permit host 14.2.6.18

snmp-server community n3t-manag3m3nt ro 75

Personally I would use version 3 of SNMP if you are monitoring just Cisco devices. However, in a mixed environment where you are monitoring both network hardware and network devices such as printers, servers and desktops, you may have no choice but to run version 2. This version uses the community string for identification, so make your string something special and hard for anyone to guess. Don't use the public and private strings, as those are for a test lab only (don't use them on a live network).
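The following Python check is an added example, not part of the original post or any Cisco tooling. It audits IOS-style configuration text for the weaknesses described above (default community strings, communities with no access list), and goes slightly further by also flagging read-write communities and access lists that permit any host. The function name audit_snmp, access list 80 and the community 0ps-wr1te are constructed for illustration, and only the command form shown in the post is parsed.

```python
import re

# Community strings the post says belong only in a test lab.
DEFAULT_COMMUNITIES = {"public", "private"}
# Assumption: only the form used in the post (name, optional ro/rw, optional numbered ACL).
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?:\s+(ro|rw))?(?:\s+(\d+))?\s*$", re.I)
ACL_RE = re.compile(r"^access-list (\d+) (permit|deny) (.+)$", re.I)

# Constructed sample: the first community is the post's example, the others are weak variants.
SAMPLE = """\
access-list 75 remark applies to hosts allowed to gather SNMP info from this router
access-list 75 permit host 14.2.6.6
access-list 75 permit host 14.2.6.18
access-list 80 permit any
snmp-server community n3t-manag3m3nt ro 75
snmp-server community public ro
snmp-server community 0ps-wr1te rw 80
"""

def audit_snmp(config_text):
    """Return a list of (community, finding) tuples for an IOS-style config."""
    acls = {}          # ACL number -> list of (action, source) entries
    communities = []   # (name, mode, ACL number or None)
    for raw in config_text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)   # "remark" lines do not match and are skipped
        if m:
            acls.setdefault(m.group(1), []).append(
                (m.group(2).lower(), m.group(3).strip().lower()))
            continue
        m = COMMUNITY_RE.match(line)
        if m:  # IOS treats a community with no ro/rw keyword as read-only
            communities.append((m.group(1), (m.group(2) or "ro").lower(), m.group(3)))
    findings = []
    for name, mode, acl in communities:
        if name.lower() in DEFAULT_COMMUNITIES:
            findings.append((name, "default community string"))
        if mode == "rw":
            findings.append((name, "read-write access"))
        if acl is None:
            findings.append((name, "no access-list: any host may query"))
        elif acl not in acls:
            findings.append((name, "access-list %s is not defined" % acl))
        elif any(act == "permit" and src.startswith("any") for act, src in acls[acl]):
            findings.append((name, "access-list %s permits any host" % acl))
    return findings

if __name__ == "__main__":
    for name, finding in audit_snmp(SAMPLE):
        print("%s: %s" % (name, finding))
```

Run against the sample, the post's own community line produces no findings, while the two constructed communities are each reported twice.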

In Windows, SNMP runs as a service, so you have to configure the service, as the SNMP agent options are under the service. The option you are looking for is Only Accept SNMP Packets from These Hosts. Selecting this option provides limited security. When the option is enabled, only SNMP packets received from the hosts on a list of acceptable hosts are accepted. The SNMP agent rejects messages from other hosts and sends an authentication trap.

It gives you the same basic function as access list 75 on the Cisco. The number doesn't have to be 75; that just happened to be the first number in my head today.
