- A virtual community of network engineers
 Home  BookStore  StudyNotes  Links  Archives  StudyRooms  HelpWanted  Discounts  Login
RE: SNMP warning from CERT yesterday posted 02/14/2002
[Chronological Index] [Thread Index] [Top] [Date Prev][Date Next] [Thread Prev][Thread Next]

On Wed, 13 Feb 2002, Matt Wagner wrote:

> right.  Sorry, I forgot to state that the initial warning recommended
> turning off SNMP entirely.  Subsequent warnings took into account that we
> can't just do that, but warned of a failure of a configured ACL to actually
> filter the SNMP traffic (with no explicit reason why).

SNMP uses UDP.  Because there is no three-way handshake with random
sequence numbers as with TCP, it is trivial to spoof the source of a
UDP packet.

So, in addition to configured ACLs limiting SNMP to defined machines
that really need it, ACLs at your borders filtering traffic that claims
to originate within your network are a good thing.  Likewise as a good
neighbor (unless you're providing transit) you should filter traffic
leaving your network that claims to originate elsewhere.

The advisory also suggested disabling UDP port 7 (echo) to prevent bouncing
an SNMP packet off of a host allowed by any ACL in place.

And, for heaven's sake, don't use "public" for RO and "private" for RW !

Jay Hennigan - CCIE #7880 - Network Administration - jay@xxxxxxxx
NetLojix Communications, Inc.  -
WestNet:  Connecting you to the planet.  805 884-6323
Comercial lab list:
Please discuss commercial lab solutions on this list.
To unsubscribe from the CCIELAB list, send a message to
majordomo@xxxxxxxxxxxxxx with the body containing:
unsubscribe ccielab