I read that a remote attacker could get into an organization's network infrastructure by abusing Simple Network Management Protocol-enabled, or SNMP-enabled, network devices. How can we stop this attack?
Upgrading to SNMP v3 and turning on its highest security level is not enough on its own to keep an attacker from abusing SNMP-enabled network devices to get into the organization's network infrastructure. SNMP v3 authenticates and encrypts each request, but it says nothing about what an authenticated user is then allowed to do; the attacker can exploit improper role separation, for example.
If the administrator has not separated users into roles (in SNMP v3 terms, USM users assigned to VACM groups), every user ends up in the same group with the same read and write permissions, often sharing one set of credentials, and every user gets the same SNMP view of the agent's database, the management information base (MIB).
Any one compromised or guessed credential then gives the attacker an unrestricted view of the entire MIB, and with write access the attacker can alter the device rather than merely read it, for example by taking interfaces down or changing how traffic is forwarded. A view is a list of MIB subtrees, each marked as included or excluded, that bounds what a group may reach; when that view covers everything, one abused device becomes a foothold from which the rest of the network can be affected.
To stop the attack, US-CERT recommends that administrators:
- Configure SNMP v3 to use the authPriv security level, which both authenticates and encrypts every message and is the highest level most devices offer; pair it with SHA authentication and AES privacy rather than the older MD5 and DES options.
- Separate the roles and assign distinct credentials to each. A monitoring station only needs to poll values and receive traps or informs, the notifications a device sends when something is wrong, so its user belongs to a read-only group; write access, if it is needed at all, goes to a separate group with its own user and credentials.
- Apply access control lists to the SNMP service so that only the addresses of authorized management stations can reach it, and drop everything else.
- Limit each group's SNMP view of the MIB according to the role assigned to its users. An SNMP v3 view is defined as a list of object identifier (OID) subtrees that are included or excluded; a group bound to that view can reach only the MIB objects under the included subtrees, and every other object is shut out.
- Segregate SNMP traffic onto a separate, ideally out-of-band, management network. A dedicated management interface should be the only place the device listens for SNMP v3.
- Update system images and software as patches become available.
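The following model, added here as an example and not code from the original answer or from US-CERT, shows why the second and fourth recommendations matter even with authPriv turned on. It reproduces the SNMP v3 access decision (RFC 3415 VACM, without family masks): a USM user maps to a group, the group demands a minimum security level and is bound to a read view and a write view, and a view is a list of OID subtrees marked included or excluded, where the longest matching subtree decides. The two agent configurations, the user names (nms, netadmin), and the group names are constructed for illustration; the OIDs used are the standard sysName, ifInOctets, and the roots of the USM and VACM MIBs.

```python
"""Simplified SNMPv3 VACM access check (RFC 3415), constructed example."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

OID = Tuple[int, ...]


def oid(dotted: str) -> OID:
    """Parse a dotted OID string such as "1.3.6.1.2.1.1.5.0" into a tuple."""
    return tuple(int(part) for part in dotted.strip(".").split("."))


# Security levels in increasing strength; a group's minimum is compared numerically.
LEVELS = {"noAuthNoPriv": 0, "authNoPriv": 1, "authPriv": 2}


@dataclass
class View:
    """A MIB view: (subtree, "included" | "excluded") families.
    RFC 3415 family masks are omitted; each family is an exact OID prefix."""
    families: List[Tuple[OID, str]]

    def covers(self, target: OID) -> bool:
        # Of all families whose subtree is a prefix of the target, the longest
        # (most specific) one decides; no matching family means not in view.
        best: Optional[Tuple[OID, str]] = None
        for subtree, kind in self.families:
            if target[: len(subtree)] == subtree and (
                best is None or len(subtree) > len(best[0])
            ):
                best = (subtree, kind)
        return best is not None and best[1] == "included"


@dataclass
class Group:
    min_level: str          # lowest security level the group accepts
    read: Optional[View]    # view consulted for GET/GETNEXT/GETBULK
    write: Optional[View]   # view consulted for SET (None = no write access)


@dataclass
class Agent:
    users: Dict[str, str]     # USM user name -> VACM group name
    groups: Dict[str, Group]

    def allowed(self, user: str, level: str, op: str, target: OID) -> bool:
        group = self.groups.get(self.users.get(user, ""))
        if group is None:
            return False                      # unknown user or group: reject
        if LEVELS[level] < LEVELS[group.min_level]:
            return False                      # weaker than the group requires
        view = group.read if op == "read" else group.write
        return view is not None and view.covers(target)


def flat_agent() -> Agent:
    """The misconfiguration described above: authPriv is on, but every user
    sits in one group with a full read and write view of the whole MIB."""
    everything = View([(oid("1"), "included")])
    return Agent(
        users={"nms": "all", "netadmin": "all"},
        groups={"all": Group("authPriv", read=everything, write=everything)},
    )


def hardened_agent() -> Agent:
    """Roles separated: the monitoring user is read-only with a view that hides
    the USM and VACM tables; the admin user may write only the system group."""
    monitoring = View([
        (oid("1.3.6.1"), "included"),         # internet subtree ...
        (oid("1.3.6.1.6.3.15"), "excluded"),  # ... minus the USM (user) MIB
        (oid("1.3.6.1.6.3.16"), "excluded"),  # ... and the VACM (policy) MIB
    ])
    system_only = View([(oid("1.3.6.1.2.1.1"), "included")])  # mib-2 system
    return Agent(
        users={"nms": "monitoring", "netadmin": "admin"},
        groups={
            "monitoring": Group("authPriv", read=monitoring, write=None),
            "admin": Group("authPriv", read=monitoring, write=system_only),
        },
    )


if __name__ == "__main__":
    sysname = oid("1.3.6.1.2.1.1.5.0")
    for name, agent in (("flat", flat_agent()), ("hardened", hardened_agent())):
        print(name, "nms can SET sysName:",
              agent.allowed("nms", "authPriv", "write", sysname))
```

In the flat configuration a stolen monitoring credential is enough to SET any object; in the hardened one the same credential is read-only, cannot even read the user and policy tables, and a request that arrives below authPriv is refused before the view is consulted. On a real device the same three pieces are the view definition, the group binding a security level and read/write views to that view, and the user bound to the group, plus an access list on the group so that only the management station's address is accepted.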
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)