
The SNMP Problem – 2-02 What is the Simple Network Management protocol (SNMP)? Some history – In the beginning, networks


Presentation Transcript


  1. The SNMP Problem – 2-02
     What is the Simple Network Management Protocol (SNMP)?
     Some history: In the beginning, networks were small, and "Ping" was used to determine their health. Ping is a protocol that sends a time-stamped message to a destination and awaits a response. By walking (pinging) the routers between the source and the destination, the problem areas could be isolated. Clearly, this does not scale in a large, distributed network with multiple backbones and various operators. So, in 1990, SNMP was born to be the network monitoring and management protocol.
     SNMP Vulnerability

  2. The SNMP Model
     Diagram labels: Managed Nodes (Network Printer or Appliance, Host Computer (Server), Routers); Management Station.
     The model includes a management station, managed nodes, management information, and a management protocol. Managed nodes can be bridges, routers, hosts, printers, or appliances.

  3. SNMP – Agents & Managers
     All nodes must be capable of running an SNMP agent. Each agent maintains a local database of objects (variables) that describe the state of the device and its state history, and that can affect the operation of the device (i.e., perform configuration control). Managers run on management stations and communicate with agents over the network, issuing commands and getting responses. Agents are designed to be simple, with the main intelligence in the management station.

  4. SNMP – Messages
     Managers and agents exchange messages that:
     - Request information or configuration changes.
     - Respond to requests.
     - Enumerate SNMP objects (variables that describe device state).
     - Send unsolicited alerts.
     The collection of all objects for all devices into a management station database is called a Management Information Base (MIB). Agents report event (e.g., alert) information to managers; these reports are called SNMP trap messages or traps. Managers make requests of agents to report or set configuration values.

  5. SNMP – Threats Reported
     Three threats have been identified:
     - Unauthorized privileged access
     - Denial of service
     - Unstable behavior
     Two main vulnerabilities give rise to these threats:
     1. Multiple trap handling vulnerabilities – a management station problem.
     2. Multiple request handling vulnerabilities – an agent problem.

  6. SNMP – Trap Handling
     Trap messages are sent from agents to management stations. Traps typically indicate a warning or error, or notify the manager about the state of the agent device. Management stations must parse (decode) and then process the trap correctly. Multiple vulnerabilities have been found in the way managers parse and process traps. Malformed trap messages can be sent to managers that can result in denial of service, format string vulnerabilities, and/or buffer overflows.

  7. SNMP – Request Handling
     Request messages are sent from management stations to agents. Requests are used to solicit information from an agent or to instruct the agent to configure the agent device (e.g., turn on source routing). Agents must parse (decode) and then process the request correctly. Multiple vulnerabilities have been found in the way agents parse and process requests. Malformed request messages can be sent to agents that can result in denial of service, format string vulnerabilities, and/or buffer overflows.

  8. SNMP – Remediation
     Good business practices, workarounds, and patches:
     - Disable SNMP on all systems where it is not needed.
     - Block all SNMP traffic at the site perimeter. This leaves external systems, such as external routers, as the only externally vulnerable devices.
     - Manage external systems from the console or use secure shell for access.
     - Workarounds are vendor specific; most simply say turn it off.
     - Patches: patch ASAP. Not widely available yet, 7 days after the public announcement.
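
Slides 6 and 7 trace both vulnerability classes to how managers and agents parse (decode) incoming messages. As an added example (not from the presentation), the C code below decodes the outer header of a BER-encoded SNMPv1 message with every length checked against the datagram and the destination buffer, and rejects anything malformed; the function names and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed samples: a well-formed SNMPv1 GetRequest (community "public")
   and a message whose community length (0x7f) overruns the datagram. */
const uint8_t sample_ok[] = {
    0x30,0x18, 0x02,0x01,0x00, 0x04,0x06,'p','u','b','l','i','c',
    0xA0,0x0B, 0x02,0x01,0x01, 0x02,0x01,0x00, 0x02,0x01,0x00, 0x30,0x00 };
const uint8_t sample_bad[] = { 0x30,0x06, 0x02,0x01,0x00, 0x04,0x7f,'A' };

/* Read one BER tag+length; on success *pos is at the value and *len fits. */
static int ber_header(const uint8_t *b, size_t n, size_t *pos,
                      uint8_t tag, size_t *len)
{
    if (n - *pos < 2 || b[*pos] != tag) return -1;
    uint8_t l = b[*pos + 1];
    *pos += 2;
    *len = l;
    if (l & 0x80) {                       /* long form: l&0x7f length octets */
        size_t k = l & 0x7f;
        if (k == 0 || k > 2 || n - *pos < k) return -1; /* indefinite or huge */
        for (*len = 0; k--; ) *len = (*len << 8) | b[(*pos)++];
    }
    return *len <= n - *pos ? 0 : -1;     /* value must lie inside the datagram */
}

/* Decode version and community of an SNMPv1 message into comm (NUL-terminated).
   Returns the PDU tag (0xA0 GetRequest .. 0xA4 Trap) or -1 if malformed. */
int snmp_v1_header(const uint8_t *b, size_t n, char *comm, size_t comm_sz)
{
    size_t pos = 0, len;
    /* Outer SEQUENCE must span exactly the whole datagram. */
    if (ber_header(b, n, &pos, 0x30, &len) || len != n - pos) return -1;
    /* version INTEGER: one octet, value 0 for SNMPv1. */
    if (ber_header(b, n, &pos, 0x02, &len) || len != 1 || b[pos] != 0) return -1;
    pos += len;
    /* community OCTET STRING: must also fit the caller's buffer. */
    if (ber_header(b, n, &pos, 0x04, &len) || len >= comm_sz) return -1;
    memcpy(comm, b + pos, len);           /* len < comm_sz checked above */
    comm[len] = '\0';
    pos += len;
    if (pos >= n || b[pos] < 0xA0 || b[pos] > 0xA4) return -1;
    uint8_t pdu = b[pos];
    return ber_header(b, n, &pos, pdu, &len) ? -1 : pdu;
}
```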
