Occasional Contributor
Posts: 5
Registered: 03-18-2011

SNMP Security issue flagged up by "Qualys" security check.


Hi,

Our site has just had a Qualys security audit and some SNMP issues have shown up. We are running FOS 6.4.2A on 48k's.

SNMP is a new world to me, so I could do with some input if people have encountered this before, or just on setup in general.

To quote from the Qualys report.

First issue

THREAT:

Unauthorized users can modify all SNMP information because the access password is not secure.

IMPACT:

The system can be attacked in a number of ways--by route redirection, denial of service, complete loss of network service, reboots or crashes, and traffic monitoring.

SOLUTION:

If SNMP access is not required on this system, then disallow it. Otherwise, use a secure un-guessable "community name", and restrict the hosts that talk SNMP with your system to a defined list of IP addresses.

2nd issue

THREAT:

Unauthorized users can read all SNMP information because the access password is not secure.

IMPACT:

Read-access to all SNMP information can give unauthorized users an incredible amount of valuable information about your network. See the "Information Gathered" section of the report for a demonstration.


Note: The SNMP information shown in the "Information Gathered" section is only a portion of what a remote user may actually be able to extract.

SOLUTION:

There are different types of attacks an unauthorized user can implement to retrieve sensitive information contained in the MIB. You can protect yourself against any of these attacks. The following is a list of possible attacks and how you can protect yourself (from highest to lowest risk):

Brute force of community names: Replace the default password (often "public" or "private") with a secure one. The password should be hard to guess, and should not be derived from the hostname of the machine or from its model name (e.g., "sun" or "ibm").

Eavesdropping of community names: SNMP Version 3 agents, as well as some of the SNMP Version 2 agents (not those named SNMPv2c for "community based SNMP version 2") include authentication using hashing functions, such as MD5.

Eavesdropping of information retrieved by authorized users: Use the privacy function, such as DES-encryption, of the protocols described above.

Replay of legitimate SNMP message by unauthorized users: The protocols described above provide a simple replay protection using a timestamp and a message sequence number.

A sample config shows:

snmpconfig seclevel shows:

admin> snmpconfig --show seclevel

GET security level = 0, SET level = 0

SNMP GET Security Level: No security

SNMP SET Security Level: No security

Ipfilter

admin>

Name: default_ipv4, Type: ipv4, State: active
Rule    Source IP                               Protocol   Dest Port   Action
1     any                                            tcp       22     permit
2     any                                            tcp       23     permit
3     any                                            tcp      897     permit
4     any                                            tcp      898     permit
5     any                                            tcp      111     permit
6     any                                            tcp       80     permit
7     any                                            tcp      443     permit
8     any                                            udp      161     permit
9     any                                            udp      111     permit
10    any                                            udp      123     permit
11    any                                            tcp      600 - 1023     permit
12    any                                            udp      600 - 1023     permit

Name: default_ipv6, Type: ipv6, State: active
Rule    Source IP                               Protocol   Dest Port   Action
1     any                                            tcp       22     permit
2     any                                            tcp       23     permit
3     any                                            tcp      897     permit
4     any                                            tcp      898     permit
5     any                                            tcp      111     permit
6     any                                            tcp       80     permit
7     any                                            tcp      443     permit
8     any                                            udp      161     permit
9     any                                            udp      111     permit
10    any                                            udp      123     permit
11    any                                            tcp      600 - 1023     permit
12    any                                            udp      600 - 1023     permit

SNMPv1 community and trap recipient configuration:
  Community 1: Secret C0de (rw)
    Trap recipient: 10.4.225.62
    Trap port: 162
    Trap recipient Severity level: 4
  Community 2: OrigEquipMfr (rw)
    No trap recipient configured yet
  Community 3: private (rw)
    No trap recipient configured yet
  Community 4: public (ro)
    No trap recipient configured yet
  Community 5: common (ro)
    No trap recipient configured yet
  Community 6: FibreChannel (ro)
    No trap recipient configured yet

admin> snmpconfig --show snmpv3

SNMP Informs = 0 (OFF)

SNMPv3 USM configuration:
User 1 (rw): snmpadmin1
        Auth Protocol: noAuth
        Priv Protocol: noPriv
User 2 (rw): snmpadmin2
        Auth Protocol: noAuth
        Priv Protocol: noPriv
User 3 (rw): snmpadmin3
        Auth Protocol: noAuth
        Priv Protocol: noPriv
User 4 (ro): snmpuser1
        Auth Protocol: noAuth
        Priv Protocol: noPriv
User 5 (ro): snmpuser2
        Auth Protocol: noAuth
        Priv Protocol: noPriv
User 6 (ro): snmpuser3
        Auth Protocol: noAuth
        Priv Protocol: noPriv

SNMPv3 Trap configuration:
Trap Entry 1:     No trap recipient configured yet
Trap Entry 2:     No trap recipient configured yet
Trap Entry 3:     No trap recipient configured yet
Trap Entry 4:     No trap recipient configured yet
Trap Entry 5:     No trap recipient configured yet
Trap Entry 6:     No trap recipient configured yet

I am wondering which is the best way to go but would like to do it properly rather than just change the admin password to something stronger.

(a) Set seclevel to 2 (would it really be that simple?)

(b) set seclevel to 3 (no snmp access)

(c) stop snmp access via ipfilter 

A combination of the above or something else.

Thanks
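As an added illustration (not part of the original post, and not Brocade tooling), the following Python script checks a pasted `snmpconfig --show` and ipfilter dump for exactly the conditions the Qualys findings and the output above point at: security level 0, the six well-known community strings listed in the post, read-write communities, USM users with `noAuth`/`noPriv`, and an ipfilter rule that permits `udp/161` from `any`. The sample text is constructed to mirror the post's output; the `SHA`/`AES128` user is an assumed hardened entry included so that one row passes the check.

```python
"""Audit a pasted Brocade FOS SNMP dump for the weaknesses the Qualys report
describes: well-known community strings, read-write communities, SNMPv3 users
with no auth/priv, security level 0, and UDP/161 open to any host."""
import re

# The six community strings shown in the post (FOS factory defaults), lower-cased.
WELL_KNOWN_COMMUNITIES = {"public", "private", "common", "fibrechannel",
                          "secret c0de", "origequipmfr"}
SNMP_PORT = 161

# Constructed sample mirroring the post's output.  The SHA/AES128 user is an
# assumed hardened entry, added to show a row that should not be flagged.
SAMPLE_SHOW = """\
admin> snmpconfig --show seclevel
GET security level = 0, SET level = 0

Name: default_ipv4, Type: ipv4, State: active
Rule    Source IP                               Protocol   Dest Port   Action
8     any                                            udp      161     permit
12    any                                            udp      600 - 1023     permit

SNMPv1 community and trap recipient configuration:
  Community 1: Secret C0de (rw)
  Community 4: public (ro)

SNMPv3 USM configuration:
User 1 (rw): snmpadmin1
        Auth Protocol: noAuth
        Priv Protocol: noPriv
User 4 (ro): snmpuser1
        Auth Protocol: SHA
        Priv Protocol: AES128
"""

SECLEVEL_RE = re.compile(r"GET security level = (\d+), SET level = (\d+)")
COMMUNITY_RE = re.compile(r"^\s*Community \d+: (.+?) \((rw|ro)\)\s*$", re.M)
USER_RE = re.compile(r"^User \d+ \((rw|ro)\): (\S+)\s*\n\s*Auth Protocol: (\S+)"
                     r"\s*\n\s*Priv Protocol: (\S+)", re.M)
POLICY_RE = re.compile(r"^Name: (\S+), Type: (\S+), State: (\S+)")
RULE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(tcp|udp)\s+(\d+)(?:\s*-\s*(\d+))?"
                     r"\s+(permit|deny)\s*$")


def parse_seclevel(text):
    """Return (get_level, set_level), or None if the line is absent."""
    m = SECLEVEL_RE.search(text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def parse_communities(text):
    """Return [(community, 'rw'|'ro'), ...] from the SNMPv1 section."""
    return COMMUNITY_RE.findall(text)


def parse_usm_users(text):
    """Return one dict per SNMPv3 USM user with its auth/priv protocols."""
    return [{"access": a, "name": n, "auth": auth, "priv": priv}
            for a, n, auth, priv in USER_RE.findall(text)]


def parse_ipfilter(text):
    """Return ipfilter rules, each tagged with the policy it belongs to."""
    rules, policy = [], None
    for line in text.splitlines():
        pm = POLICY_RE.match(line)
        if pm:
            policy = pm.group(1)
            continue
        rm = RULE_RE.match(line)
        if rm and policy:
            lo = int(rm.group(4))
            hi = int(rm.group(5)) if rm.group(5) else lo  # "600 - 1023" ranges
            rules.append({"policy": policy, "rule": int(rm.group(1)),
                          "src": rm.group(2), "proto": rm.group(3),
                          "ports": (lo, hi), "action": rm.group(6)})
    return rules


def snmp_open_to_any(rules):
    """Rules that permit UDP/161 from any source, i.e. no host restriction."""
    return [r for r in rules if r["action"] == "permit" and r["proto"] == "udp"
            and r["src"] == "any" and r["ports"][0] <= SNMP_PORT <= r["ports"][1]]


def audit(text):
    """Return a list of (check, detail) findings; an empty list means clean."""
    findings = []
    sec = parse_seclevel(text)
    if sec and 0 in sec:  # level 0 = "No security" in the post's output
        findings.append(("seclevel", f"GET={sec[0]} SET={sec[1]}: unauthenticated v1/v2c accepted"))
    for name, access in parse_communities(text):
        if name.lower() in WELL_KNOWN_COMMUNITIES:
            findings.append(("default-community", f"{name!r} ({access})"))
        if access == "rw":
            findings.append(("rw-community", f"{name!r} allows SNMP SET"))
    for u in parse_usm_users(text):
        if u["auth"] == "noAuth" or u["priv"] == "noPriv":
            findings.append(("usm-noauth", f"{u['name']} ({u['access']}): auth={u['auth']} priv={u['priv']}"))
    for r in snmp_open_to_any(parse_ipfilter(text)):
        findings.append(("ipfilter", f"{r['policy']} rule {r['rule']} permits udp/161 from any"))
    return findings


if __name__ == "__main__":
    for check, detail in audit(SAMPLE_SHOW):
        print(f"[{check}] {detail}")
```

Run against the real dump, the list should come back empty once the factory community strings are replaced (or SNMPv1 is switched off via seclevel), every USM user has an auth and a priv protocol, and the ipfilter source for udp/161 is narrowed to the management stations. Options (a) and (c) in the post correspond to the `seclevel` and `ipfilter` checks; the scanner's "restrict the hosts" advice is what `snmp_open_to_any` tests for, and it stays relevant whichever seclevel is chosen, since the filter limits who can even reach the agent.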
