SNMP, CERT and media storms

On Feb. 12, I woke up to a USA Today article - top of the business section - on SNMP and, well, terrorism. For a moment I thought I was dreaming.

I read the article twice, after forcing myself to stand up, walk around the room and look out the window - just to make sure I was awake. On second read, the article turned out to be about Finland's Oulu University, which had performed tests that led CERT to declare (to a bunch of sleepy business travelers) that SNMP implementations were susceptible to denial-of-service attacks.

This seemed like pretty manufactured news to me. Anyone even remotely aware of SNMP knows that security has been a concern for years, especially with Versions 1 and 2. And as it turned out, the test suites in Finland targeted SNMPv1. SNMPv3 addresses security issues, but it is not yet popular and often not turned on by users because, well, security is not easy to administer and can also hurt performance.

The article, and the sudden announcement - which as it turned out occurred a week or so prematurely because there had been a leak - forced an inevitable media storm. Multiple media interview opportunities followed, forcing many of us in the industry to try to ascertain what was real news and what were the lessons to be learned.

The real hard news is that in 20 out of 20 products tested, individual SNMPv1 implementations failed (a failure of implementation, not of the SNMP protocol per se) when the Finnish students tested tens of thousands of "killer packets" against them. "Failure" typically equated to the system crashing or rebooting.

There is a theoretical possibility that a true security breach could occur if a buffer overflow were exploited to achieve an elevated state of privilege by a cyber-terrorist, but this remains more an academic than a proven or reported case. It should be pointed out that other protocol implementations, such as TCP, might also have failed under tens of thousands of killer packet assaults, not just those based in SNMP.

Does this mean SNMP has proven itself to be Internet-unworthy and that another solution such as Web-based Enterprise Management must replace it, or else we will all be playing into the hands of radicals who hate America, capitalism and McDonald's? The short answer is no. SNMP is pervasive, imperfect and incomplete, but then no technology is perfect. SNMP's ubiquity will ensure that it will remain a core part of networked communications for many years to come.

Now the question is, what should you do about it?

* Pay attention to patches. Many users are offered patches by vendors and SNMP providers, and don't bother to deploy them.

* Don't leave SNMP agents at their default "public, public" community strings.

* Pay attention to firewall administration. If you have SNMP traffic coming through your firewalls, they should be configured so outside packets cannot reach agents inside. This can be done through filters, so no packet addresses from outside can target SNMP agents behind the firewall. SNMP traffic should be accepted from only very specific sources, with a rule such as: "I am only going to accept packets addressed 'open sesame' from SNMP-based management station x."

* Some management products, such as Tavve's e-Probe, leverage encrypted traffic through firewalls on HTTP to integrate with their overall SNMP-based management system. These types of products enable effective SNMP-based management behind firewalls, with HTTP-based transport across them.

* If you really care about security, consider SNMPv3. There are GUI-based, drag-and-drop products (although not enough) to help empower wary administrators. SNMPv3 represents a significant investment in security - and, unfortunately, security demands some level of administration. If you are one of those many anxious souls who would rather be "un-secure" than risk the embarrassment of trying and failing to implement broader security policies, there are helping hands available.

* Try to train yourself not to think of security as a burdensome afterthought, but as a core part of your management policies overall. If you take that approach, you may discover that security can actually be an "enabler" to effective management, not just a last-minute disabler with noisome restrictions and administrative overhead.
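The firewall rule described above ("accept packets addressed 'open sesame' only from management station x") as an added example, not code from the column: a minimal BER decoder for the SNMPv1/v2c message header, a constructed SNMPv1 GetRequest builder for sample input, and the accept/drop decision. The station address 192.0.2.10 and the community string are assumptions for illustration.

```python
import ipaddress

def _read_tlv(buf, pos):  # decode one BER TLV at pos -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def parse_snmp_header(packet):
    """Return (version, community) from an SNMPv1/v2c message header."""
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, ver, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing version INTEGER")
    tag, community, _ = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("missing community OCTET STRING")
    return int.from_bytes(ver, "big"), community.decode("latin-1")

def build_snmpv1_get(community, oid=b"\x2b\x06\x01\x02\x01\x01\x01\x00"):
    """Constructed SNMPv1 GetRequest for one OID (sample input, not captured traffic)."""
    varbind = b"\x30" + bytes([len(oid) + 4]) + b"\x06" + bytes([len(oid)]) + oid + b"\x05\x00"
    pdu_body = b"\x02\x01\x01\x02\x01\x00\x02\x01\x00\x30" + bytes([len(varbind)]) + varbind
    pdu = b"\xa0" + bytes([len(pdu_body)]) + pdu_body
    comm = community.encode()
    msg = b"\x02\x01\x00\x04" + bytes([len(comm)]) + comm + pdu
    return b"\x30" + bytes([len(msg)]) + msg

# Constructed policy: only management station x, only the agreed community string.
ALLOWED_STATIONS = {ipaddress.ip_address("192.0.2.10")}
EXPECTED_COMMUNITY = "open sesame"

def filter_decision(src_ip, packet):
    """Return 'accept' or 'drop: <reason>' for one inbound SNMP datagram."""
    if ipaddress.ip_address(src_ip) not in ALLOWED_STATIONS:
        return "drop: source is not an authorised management station"
    try:
        version, community = parse_snmp_header(packet)
    except (ValueError, IndexError) as exc:
        return f"drop: malformed SNMP message ({exc})"
    if community != EXPECTED_COMMUNITY:
        return "drop: unexpected community string"
    if version not in (0, 1):               # 0 = SNMPv1, 1 = SNMPv2c
        return "drop: unsupported version"
    return "accept"
```

A malformed or truncated datagram is dropped before any PDU parsing, which is the point of keeping the filter in front of the agents the column says crashed under the Oulu test packets.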

In the end, if the appropriate lessons are learned, this could turn out to be one "media storm" with positive results.
