Users share their SNMP worries

Networking and security professionals are taking the security flaw in the Simple Network Management Protocol (SNMP) seriously, an informal survey by SearchSecurity has found.

Last month, the Computer Emergency Response Team (CERT) at Pittsburgh-based Carnegie Mellon University announced a security flaw in SNMP. The protocol allows users to communicate with network devices, like printers, routers and servers, but the flaw could allow attackers to gain control of systems.

SearchSecurity recently polled its members on how bad cleanup of the SNMP vulnerability would be in their respective companies. Close to 70 members participated over the course of five days. Here are the results:

How bad is cleanup of the SNMP vulnerability going to be in your company?

A real pain (27 votes) 39%

Easy, but tedious (16 votes) 23%

Don't know (10 votes) 14%

A breeze (9 votes) 13%

We don't have any SNMP products (7 votes) 10%

69 votes

CERT's alert was released before some vendors had produced patches for the vulnerability. But virtually all users contacted by SearchSecurity said their vendors were forthcoming with them.

"Let's face it, the CERT advisory that announced the vulnerabilities received a good amount of press," said Kevin Schmidt, lead software engineer at GuardedNet of Atlanta. "It's not going to be easy for a company to hide it if they have buggy SNMP software."

The Oulu University Secure Programming Group (OUSPG) in Finland found the vulnerabilities in version 1 of SNMP. The group notified CERT of the flaws last year. No reports of the vulnerabilities being exploited have surfaced.

To aid the creation of patches, vendors were given the PROTOS SNMP attack tool, developed by OUSPG, to test their products. The tool can be used to assess SNMP weaknesses.

Yet, even if a company has a patch ready, installing it on all the devices may not be possible in a timely fashion, Schmidt said.

"So a company may decide to turn off SNMP on a router or use routing tricks that allow only traffic from known hosts (typically only management stations) to access the router's SNMP agent," Schmidt said. "Once all the routers have been upgraded, then network management can resume as normal."

But some users didn't wait for their software vendors to release a patch before doing something. "We've installed router filters that limit SNMP access. We've done some more things behind the scenes too," said Elbert LaGrew, network services manager with the Minnesota Department of Health. "You can't be too careful about any vulnerability."

The SNMP flaws found were specific to SNMP v.1. The newest version of the protocol, SNMP v.3, is much more secure. "We've considered it. However, many of the processes we have in place are v.1 specific. We need to plan a migration very carefully," LaGrew said.

Many users, however, find the early version, which dates back to the pre-Web days of the late '80s, still works fine for them. Moreover, migrating to SNMP v.3 is tricky, as a lot of products don't support it.

"Most of my network and security software doesn't require it. Why install something you don't use?" said Greg Kilgore, owner of Network Wizards in Keizer, Oregon. "Besides it's just another security hole that I must patch or plug."

Some users have denied SNMP at border firewalls for some time. "It has never been truly secure," said Stan Hoffman, senior network engineer for Houston-based RealEC Technologies, an e-commerce firm.
