RE: SNMP warning from CERT yesterday posted 02/14/2002
On Wed, 13 Feb 2002, Matt Wagner wrote:
> right. Sorry, I forgot to state that the initial warning recommended
> turning off SNMP entirely. Subsequent warnings took into account that we
> can't just do that, but warned of a failure of a configured ACL to actually
> filter the SNMP traffic (with no explicit reason why).

SNMP uses UDP. Because there is no three-way handshake with random
sequence numbers as with TCP, it is trivial to spoof the source of a

So, in addition to configured ACLs limiting SNMP to defined machines
that really need it, ACLs at your borders filtering traffic that claims
to originate within your network are a good thing. Likewise as a good
neighbor (unless you're providing transit) you should filter traffic
leaving your network that claims to originate elsewhere.

The advisory also suggested disabling UDP port 7 (echo) to prevent bouncing
an SNMP packet off of a host allowed by any ACL in place.

And, for heaven's sake, don't use "public" for RO and "private" for RW!

Jay Hennigan - CCIE #7880 - Network Administration - jay@xxxxxxxx
NetLojix Communications, Inc. - http://www.netlojix.com/
WestNet: Connecting you to the planet. 805 884-6323
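
Added example, not part of the original message: a small Python model of the three filters the reply describes (the device SNMP ACL, the border ingress anti-spoof filter and the border egress filter), showing which one decides the fate of each packet. The addresses, the `direction` field and all function names are assumptions constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing (documentation ranges), not taken from the thread.
INTERNAL = ip_network("192.0.2.0/24")        # our own prefix
SNMP_MANAGERS = {ip_address("192.0.2.10")}   # hosts that really need SNMP
SNMP_PORT = 161

def snmp_acl_permits(src):
    """Device ACL: can only compare the source address the packet claims."""
    return ip_address(src) in SNMP_MANAGERS

def border_ingress_permits(src):
    """Inbound at the border: refuse packets claiming to come from inside."""
    return ip_address(src) not in INTERNAL

def border_egress_permits(src):
    """Outbound at the border (non-transit network): only our own sources leave."""
    return ip_address(src) in INTERNAL

def verdict(pkt, border_filters=True):
    """Walk one UDP packet through the filters in the order it meets them.

    pkt holds the claimed 'src', the 'dport' and a 'direction':
    'inbound' (arriving from outside), 'internal' (never crosses the
    border) or 'outbound' (leaving the network).
    """
    src, direction = pkt["src"], pkt["direction"]
    if border_filters and direction == "inbound" and not border_ingress_permits(src):
        return "dropped at border (ingress anti-spoof)"
    if border_filters and direction == "outbound" and not border_egress_permits(src):
        return "dropped at border (egress filter)"
    if direction != "outbound" and pkt["dport"] == SNMP_PORT:
        return "accepted by SNMP ACL" if snmp_acl_permits(src) else "dropped by SNMP ACL"
    return "forwarded"

# Constructed sample packets.
SAMPLES = {
    "manager polling from inside": {"src": "192.0.2.10", "dport": 161, "direction": "internal"},
    "outside packet claiming manager address": {"src": "192.0.2.10", "dport": 161, "direction": "inbound"},
    "outside host, honest source": {"src": "198.51.100.7", "dport": 161, "direction": "inbound"},
    "leaving with foreign source": {"src": "203.0.113.5", "dport": 53, "direction": "outbound"},
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:40} ACL only: {verdict(pkt, False):22} with border filters: {verdict(pkt)}")
```

The second sample is the case the device ACL cannot handle on its own: the claimed source matches a permitted manager, so only the border ingress filter can reject it.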