
SNMP's default OID access

I have written a custom SNMPv2c agent (AgentX protocol) extending Net-SNMP. As of now I am allowing view access to all in snmpd.conf as follows:

view all included .1

It exposes mgmt (RFC 1213), which looks fine, but it also exposes the SNMPv2 MIBs (snmpMIB, snmpFrameworkMIB, VacmMIB, etc.).

I couldn't find any best-practices document detailing what, apart from our enterprise OID tree, should be exposed, and what the security risks are.

DevC asked Oct 12 '25 10:10


1 Answer

> what are the security risks

With SNMP v2c, you have no encryption and no signature. This means that man-in-the-middle attacks can both:

  • leak data,
  • change the content of a Set request, to trigger something undesirable on the target (for instance, you could reboot some targets this way).

Moreover, queries can be done over UDP, so the IP source address need not be correctly routed back to the source. Therefore, IP spoofing can be used to bypass IP ACLs and send SNMP Set requests to a target from a fake IP source.

Note that with SNMP v3, all of these risks can be avoided.

So, either increase your security by adding another network layer (IPsec, for instance), or only expose READ-ONLY OIDs with public content.

For instance, performance counters or basic configuration parameters like an IP address, a hostname, or a counter may be exposed. Maybe you should do a risk analysis to find which information can really be exposed.

At first, SNMP v1 was not secured at all. So, SNMP v2 was proposed to add security, among other new features. But it was so complicated that the new security features were removed, the other features were kept, and the protocol was finally published under the name SNMP v2c. Finally, SNMP v3 was created mainly to offer security features, but in an easier way to implement than with SNMP v2.

Alexandre Fenyo answered Oct 15 '25 13:10
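To make the answer's advice concrete, here is an added snmpd.conf fragment (not from the question or the answer) contrasting the wide-open v2c view from the question with a restricted read-only view plus an SNMPv3 authPriv user. The view names, community string, user name, passphrases and the `ENTERPRISE_NUMBER` placeholder are assumptions; substitute your own values.

```conf
# --- Weak (what the question describes): every OID readable, and if a
# --- read-write community is ever added, every OID writable, over v2c.
# view all included .1
# rocommunity public default -V all
# rwcommunity private default -V all      # never do this over v2c

# --- Hardened: v2c gets a read-only, minimal view; anything sensitive or
# --- writable goes through SNMPv3 with authentication and privacy.
master agentx                            # the custom AgentX sub-agent attaches here
agentAddress udp:161                     # restrict further with a firewall / IPsec

# Read-only view: system group, host resources, and our enterprise subtree only.
# ENTERPRISE_NUMBER is a placeholder for your IANA-assigned enterprise number.
view ro_view included .1.3.6.1.2.1.1             # mib-2 system
view ro_view included .1.3.6.1.2.1.25.1          # hrSystem
view ro_view included .1.3.6.1.4.1.ENTERPRISE_NUMBER
# Keep security-relevant SNMPv2/v3 management tables out of every v2c view.
view ro_view excluded .1.3.6.1.6.3.15            # usmMIB (USM user table)
view ro_view excluded .1.3.6.1.6.3.16            # vacmMIB (access-control tables)

# v2c: read-only, limited to ro_view, and only from one management subnet
# (the subnet is an assumed example; IP ACLs alone are spoofable, as the answer notes).
rocommunity monitoring 192.0.2.0/24 -V ro_view

# SNMPv3: authPriv user for anything beyond ro_view. The createUser line is
# normally placed in the persistent config (e.g. via net-snmp-create-v3-user);
# the passphrases below are assumed examples.
createUser opsadmin SHA "AUTH_PASSPHRASE_CHANGE_ME" AES "PRIV_PASSPHRASE_CHANGE_ME"
rouser opsadmin priv                      # read everything, but only authenticated+encrypted
# rwuser opsadmin priv -V write_view      # grant Set only to a deliberately scoped view
```

Verify the effect with `snmpwalk -v2c -c monitoring <host> .1.3.6.1.6.3.16` (should return nothing) versus `snmpwalk -v3 -l authPriv -u opsadmin -a SHA -A ... -x AES -X ... <host> .1`.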