Article

Users share their SNMP worries

Edward Hurley, Assistant News Editor

Networking and security professionals are taking the security flaw in the Simple Network Management Protocol (SNMP) seriously, an informal survey by SearchSecurity has found.

Last month, the Computer Emergency Response Team (CERT) at Pittsburgh-based Carnegie Mellon University announced a security flaw in SNMP. The protocol allows users to communicate with network devices, like printers, routers and servers, but the flaw could allow attackers to gain control of systems.

SNMP POLL RESULTS
SearchSecurity recently polled its members on how bad cleanup of the SNMP vulnerability would be in their respective companies. Close to 70 members participated over the course of five days. Here are the results:

How bad is cleanup of the SNMP vulnerability going to be in your company?

A real pain (27 votes) 39%

Easy, but tedious (16 votes) 23%

Don't know (10 votes) 14%

A breeze (9 votes) 13%

We don?t have any SNMP products (7 votes) 10%

69 votes


Links to related information:

    Requires Free Membership to View

SearchSecurity news exclusive: "SNMP flaw is serious, fix isn't easy"

Best Web Links on infrastructure and network security

SearchSecurity infrastructure and network security expert

CERT's alert was released before some vendors had produced patches for the vulnerability. But virtually all users contacted by SearchSecurity said their vendors were forthcoming with them.

"Let's face it, the CERT advisory that announced the vulnerabilities received a good amount of press," said Kevin Schmidt, lead software engineer at GuardedNet of Atlanta. "It's not going to be easy for a company to hide it if they have buggy SNMP software."

The Oulu University Secure Programming Group (OUSPG) in Finland found the vulnerabilities in version 1 of SNMP. The group notified CERT of the flaws last year. No reports of the vulnerabilities being exploited have surfaced.

To aid the creation of patches, vendors had the PROTOS SNMP attack tool developed by OUSPG to test their products. The tool can be used to assess SNMP weaknesses.

Yet, even if a company has a patch ready, installing it on all the devices may not be possible in a timely fashion, Schmidt said.

"So a company may decide to turn off SNMP on a router or use routing tricks that allow only traffic from known hosts (typically only management stations) access the router's SNMP agent," Schmidt said. "Once all the routers have been upgraded, then network management can resume as normal."

But some users didn't wait for their software vendors to release a patch before doing something. "We've installed router filters that limit SNMP access. We've done some more things behind the scenes too," said Elbert LaGrew, network services manager with the Minnesota Department of Health. "You can't be too careful about any vulnerability."

The SNMP flaws found were specific to SNMP v.1. The newest version of the protocol, SNMP v.3, is much more secure. "We've considered it. However, many of the processes we have in place are v.1 specific. We need to plan a migration very carefully," LaGrew said.

Many users, however, find the early version, which dates back to the pre-Web days of the late '80s, still works fine for them. Moreover, migrating to SNMP v3 is tricky, as a lot of products don't support it.

"Most of my network and security software doesn't require it. Why install something you don't use?" said Greg Kilgore, owner of Network Wizards in Keizer, Oregon. "Besides it's just another security hole that I must patch or plug."

Some users have denied SNMP at border firewalls for some time. "It has never been truly secure," said Stan Hoffman, senior network engineer for Houston-based RealEC Technologies, an e-commerce firm.


There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: