Re: Writable SNMP
From: Keegan Holley <keegan.holley () sungard com>
Date: Fri, 9 Dec 2011 21:30:47 -0500

In lieu of a software upgrade, a workaround can be applied to certain IOS
releases by disabling the ILMI community or "*ilmi" view and applying an
access list to prevent unauthorized access to SNMP. Any affected system,
regardless of software release, may be protected by filtering SNMP
at a network perimeter or on individual devices.

Right, but as I said above, the community-string restrictions don't
help you in cases where you haven't filtered source addresses in
loopback/CoPP :( People still get to grind on your router's SNMP
process; maybe there's another way in, maybe there's a bug in the
snmpd :(

Even if you filtered, you could still get spoofed traffic. What if some
employee wrote code to traceroute across your network and send spoofed
packets with or without a good string? Provided you aren't filtering SNMP
at your edge, which many don't, they could pretty easily melt your network
with a few boxes. This is true of the ever-present SNMP poll as well.
(conspiracy theory over)
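As an added illustration of the layered defence the thread is arguing about (community ACL plus source filtering in CoPP), here is an IOS configuration sketch that is not from the advisory or from any poster; it assumes 192.0.2.0/24 is the management subnet and uses placeholder names for the community and the ILMI community.

```cisco
! Layer 1: restrict the read-only community to the management subnet.
! This only acts after the packet has reached the SNMP process.
ip access-list standard SNMP-MGMT
 permit 192.0.2.0 0.0.0.255
 deny   any log
snmp-server community <RO-COMMUNITY-PLACEHOLDER> RO SNMP-MGMT

! Disable the ILMI community named in the advisory (name is release
! dependent, so it is shown as a placeholder here).
no snmp-server community <ILMI-COMMUNITY-PLACEHOLDER>

! Layer 2: drop UDP/161 from non-management sources in Control Plane
! Policing, so unwanted pollers never consume SNMP process time at all.
ip access-list extended COPP-SNMP-UNTRUSTED
 deny   udp 192.0.2.0 0.0.0.255 any eq snmp
 permit udp any any eq snmp
class-map match-all COPP-SNMP-UNTRUSTED
 match access-group name COPP-SNMP-UNTRUSTED
policy-map COPP
 class COPP-SNMP-UNTRUSTED
  police 8000 1500 1500 conform-action drop exceed-action drop
control-plane
 service-policy input COPP
```

Neither layer helps against packets that forge a 192.0.2.0/24 source, which is the spoofing case the reply raises; that still needs anti-spoofing and SNMP filtering at the network edge.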
