[Ach] Securing SNMP
Joe St Sauver
joe at oregon.uoregon.edu
Thu May 22 01:24:39 CEST 2014
Hi,
Aaron responded to my question about hardening SNMP, noting:
#> include a section on hardening SNMPv3 appropriately (I don't think
#> there's any discussion of SNMP current in the draft).
#
#We've discussed this issue repeatedly: Like LOM/Remote Management SNMP
#should not be available from a routed network (i.e. use a private VLAN).
#
#There are tons of problems with that, popular vendors (dell, hp)
#regularly have exploits or DDoS problems with their embedded remote
#management and SNMP stacks.
Sorry to have overlooked the previous discussions.
FWIW, I agree that SNMP network management *should* be done out of band, but
the reality is that it often *isn't*. For a measure of magnitude, note that
Shodan reports 20,242,084 hits for port:161
Given that reality, at least from my POV, it would be terrific if SNMP
could be configured as securely as possible, including using SSL/TLS
where the equipment/code train support it.
Regards,
Joe
More information about the Ach
mailing list