I read that a remote attacker could get into an organization's network infrastructure by abusing Simple Network Management Protocol-enabled, or SNMP-enabled, network devices. How can we stop this attack?
Upgrading to SNMP v3 for the highest level of security is not enough to prevent an attacker from abusing SNMP-enabled network devices to get into the organization's network infrastructure from any computer. The attacker could exploit improper role separation, for example.
If a legitimate administrator hasn't separated the roles of users and groups, then all the roles have the same password and the same read and write SNMP permissions. All the users have the same SNMP views of a database called the Management Information Base (MIB).
This flaw would give the attacker unrestricted SNMP views of the entire database. The SNMP view command specifies which MIB objects in the database are included in, or excluded from, what a role can view. When SNMP v3 traffic is attacked, the entire network may be impacted.
To stop the attack, US-CERT recommends administrators:
- Configure SNMP v3 to use authpriv, the highest level of security for authentication and privacy on most devices.
- Separate the roles and assign proper credentials for each. SNMP managers are allowed to read traps or alerts that something is wrong in the network from a remote-enabled device. They are denied write permissions.
- Apply access control lists to block unauthorized computers from accessing the device.
- Limit the users' SNMP views of the MIB database according to the roles assigned to the users. The SNMP v3 view command is restricted to the SNMP Object Identifiers that point to MIB objects in the database. All other MIB objects not assigned to a role are shut out.
- Segregate SNMP traffic into a separate network management network, such as out of band. A dedicated network port should be the sole link for SNMP v3.
- Update system images and software as they become available.
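The following audit script is an added example, not part of the original answer or of US-CERT's guidance: it scans Cisco IOS-style `snmp-server` lines (constructed sample configs, not from any real device) for the weaknesses listed above: v1/v2c community strings, v3 groups below authPriv, groups with no access list, and views that hand a role the whole MIB tree.

```python
import re

# Constructed sample configs in Cisco IOS style (not taken from the page or any real device).
WEAK_CONFIG = """
snmp-server view FULL iso included
snmp-server group OPS v3 auth read FULL write FULL
snmp-server user monitor OPS v3 auth sha Passw0rd priv aes 128 Passw0rd
"""

HARDENED_CONFIG = """
snmp-server view MON-VIEW 1.3.6.1.2.1.1 included
snmp-server view MON-VIEW 1.3.6.1.2.1.2 included
snmp-server view ADM-VIEW 1.3.6.1.2.1 included
snmp-server group MONITOR v3 priv read MON-VIEW access SNMP-MGRS
snmp-server group ADMIN v3 priv read ADM-VIEW write ADM-VIEW access SNMP-ADMINS
"""

# Subtrees whose inclusion exposes the entire MIB rather than the objects a role needs.
FULL_TREE = {"iso", "1", "1.3", "internet", "1.3.6.1"}

VIEW_RE = re.compile(r"^snmp-server view (\S+) (\S+) (included|excluded)$")
GROUP_RE = re.compile(r"^snmp-server group (\S+) v3 (noauth|auth|priv)(.*)$")


def audit(config: str) -> list:
    """Return one finding string per weakness found in the configuration text."""
    findings, full_views = [], set()
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    for line in lines:                          # pass 1: which views expose everything?
        m = VIEW_RE.match(line)
        if m and m.group(3) == "included" and m.group(2) in FULL_TREE:
            full_views.add(m.group(1))
            findings.append(f"view {m.group(1)} includes the whole MIB tree ({m.group(2)})")
    for line in lines:                          # pass 2: communities and v3 groups
        if line.startswith("snmp-server community"):
            findings.append("v1/v2c community string configured; migrate to SNMP v3")
            continue
        m = GROUP_RE.match(line)
        if not m:
            continue
        group, level, rest = m.groups()
        words = rest.split()
        opts = dict(zip(words[::2], words[1::2]))  # e.g. {"read": "FULL", "write": "FULL"}
        if level != "priv":
            findings.append(f"group {group} uses {level}; authPriv (priv) is required")
        if "access" not in opts:
            findings.append(f"group {group} has no access-list restricting which managers may query it")
        for perm in ("read", "write"):
            if opts.get(perm) in full_views:
                findings.append(f"group {group} has {perm} access through unrestricted view {opts[perm]}")
    return findings
```

Running `audit(WEAK_CONFIG)` reports five findings for the single shared, authenticate-only, unrestricted role, while `audit(HARDENED_CONFIG)` returns an empty list because each role has its own ACL-protected authPriv group and a view limited to specific OIDs.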
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)