nanog mailing list archives
Re: Writable SNMP
From: Keegan Holley <keegan.holley () sungard com>
Date: Fri, 9 Dec 2011 21:30:47 -0500
In lieu of a software upgrade, a workaround can be applied to certain IOS releases by disabling the ILMI community or "*ilmi" view and applying an access list to prevent unauthorized access to SNMP. Any affected system, regardless of software release, may be protected by filtering SNMP traffic at a network perimeter or on individual devices.

right, but as I said above, the community-string restrictions don't help you in cases where you haven't filtered source-addresses in loopback/copp :( people still get to grind on your router's snmp process, maybe there's another way in, maybe there's a bug in the snmpd :(

even if you filtered you could still get spoofed traffic. What if some employee wrote code to trace route across your network and send spoofed packets with or without a good string. Provided you aren't filtering snmp at your edge, which many don't, they could pretty easily melt your network with a few boxes. This is true of the ever present snmp poll as well. (conspiracy theory over)
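An added example, not part of the original message or thread: a small audit of IOS-style `snmp-server community` lines that flags writable communities and communities with no access list or with one the config never defines. The function names and the sample configuration are constructed for illustration; as noted in the message above, a community-level ACL does not keep packets away from the SNMP process, so this covers only the community restriction, not loopback/CoPP or edge filtering.

```python
import re

# Constructed sample IOS-style configuration (not taken from the thread).
SAMPLE_CONFIG = """\
access-list 10 permit 192.0.2.10
snmp-server community monitor-ro RO 10
snmp-server community legacy-rw RW
snmp-server community nms-rw view restricted RW 10
snmp-server community open-ro RO
snmp-server community stale-ro RO 99
"""

# snmp-server community <string> [view <name>] [RO|RW] [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<name>\S+)(?: view (?P<view>\S+))?"
    r"(?: (?P<mode>RO|RW))?(?: (?P<acl>\S+))?\s*$", re.IGNORECASE)
ACL_RE = re.compile(
    r"^(?:access-list (\S+) |ip access-list (?:standard|extended) (\S+))",
    re.IGNORECASE)

def defined_acls(config):
    """Collect the names/numbers of ACLs that the config actually defines."""
    acls = set()
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            acls.add(m.group(1) or m.group(2))
    return acls

def audit_snmp(config):
    """Return {community: [issues]} for communities that need attention."""
    acls = defined_acls(config)
    findings = {}
    for line in config.splitlines():
        m = COMMUNITY_RE.match(line.strip())
        if not m:
            continue
        issues = []
        # A community with no RO/RW keyword is treated as read-only.
        if (m.group("mode") or "RO").upper() == "RW":
            issues.append("writable")
        if m.group("acl") is None:
            issues.append("no-acl")
        elif m.group("acl") not in acls:
            # The restriction cannot be verified from this config alone.
            issues.append("acl-undefined")
        if issues:
            findings[m.group("name")] = issues
    return findings

if __name__ == "__main__":
    for name, issues in audit_snmp(SAMPLE_CONFIG).items():
        print(f"{name}: {', '.join(issues)}")
```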
