[Ach] Securing SNMP

Joe St Sauver joe at oregon.uoregon.edu
Thu May 22 01:24:39 CEST 2014


Aaron responded to my question about hardening SNMP, noting:

#> include a section on hardening SNMPv3 appropriately (I don't think
#> there's any discussion of SNMP current in the draft).
#We've discussed this issue repeatedly: Like LOM/Remote Management SNMP
#should not be available from a routed network (i.e. use a private VLAN).
#There are tons of problems with that, popular vendors (Dell, HP)
#regularly have exploits or DDoS problems with their embedded remote
#management and SNMP stacks.

Sorry to have overlooked the previous discussions.

FWIW, I agree that SNMP network management *should* be done out of band, but 
the reality is that it often *isn't*. For a measure of magnitude, note that
Shodan reports 20,242,084 hits for port:161

Given that reality, at least from my POV, it would be terrific if SNMP 
could be configured as securely as possible, including using SSL/TLS 
where the equipment/code train support it.


