> > SNMP is not only read but write typically.
> In its default configuration, really?

I'd suppose so as well. It depends on the configuration of the SNMP server.

> > easier to sniff (cleartext).
> I thought it's possible to set up SNMP using some encryption by itself, but a quick search didn't find a useful HOWTO about SNMP, encryption or security... Except "disable if not needed"...

AFAIK, SNMPv3 will support encryption and a decent authentication scheme, but most SNMP implementations out there are still v1 or v2. Actually, I think that the SNMPv3 standard hasn't even been passed yet.

> Yep, of course the firewalls restrict it to just one machine, but I would like to make sure that the snmpd will not allow bad things under any circumstances. Firewalling is quite clear, like always :)

Well, you can never be 100% sure.. (responding to your phrase "..under *any* circumstances..."). And whether things are good or bad depends a lot on the context they happen in.

> > and maybe using ssh port forwarding or ipsec to encrypt it.
> IPSec with each machine is too expensive and won't help, since if the monitor gets compromised IPSec can be used by unauthorized software - same for SSH, so I don't see a big improvement.

Why do you consider IPSec too expensive? As it is, you don't need to do IPSec with all hosts, you can configure it on a host by host basis. In fact, you need to, unless you've got DNSSEC set up, as you need a host-specific authentication entity for each host. Still, it's not much more work than SSH, IMHO. As far as the security offered by IPSec is concerned, IPSec gives you real authentication of the source of IP packets. SNMP uses UDP, which makes the combination of easy source address spoofing and access to configuration commands (SNMP RW) a very risky thing. IPSec can prevent spoofing and keep sniffers from reading your SNMP data as well.

Tobias
* Reckhard, Tobias wrote on Mon, Sep 03, 2001 at 10:07 +0200:
> > > SNMP is not only read but write typically.
> > In its default configuration, really?
> I'd suppose so as well. It depends on the configuration of the SNMP server.

Well, I had guessed the same :) I'm interested in info about the default config. As I told, it's "not" configured :)

> > I thought it's possible to set up SNMP using some encryption by itself, but a quick search didn't find a useful HOWTO about SNMP, encryption or security... Except "disable if not needed"...
> AFAIK, SNMPv3 will support encryption and a decent authentication scheme, but most SNMP implementations out there are still v1 or v2. Actually, I think that the SNMPv3 standard hasn't even been passed yet.

Ohh, it's amazing... I cannot understand why it's so problematic to add some secure hash to a packet for message authentication. Would be better than nothing. Hum.

> > Yep, of course the firewalls restrict it to just one machine, but I would like to make sure that the snmpd will not allow bad things under any circumstances. Firewalling is quite clear, like always :)
> Well, you can never be 100% sure.. (responding to your phrase "..under *any* circumstances..."). And whether things are good or bad depends a lot on the context they happen in.

Yep, of course, I meant, even for clients with the right anything it should reject any write access.

> > IPSec with each machine is too expensive and won't help, since if the monitor gets compromised IPSec can be used by unauthorized software - same for SSH, so I don't see a big improvement.
> Why do you consider IPSec too expensive? As it is, you don't need to do IPSec with all hosts, you can configure it on a host by host basis. In fact, you need to, unless you've got DNSSEC set up, as you need a host-specific authentication entity for each host.

:) Well, I want to set up SNMP for minimal statistic collection (in this first step). I thought this is easy, but I think I need some hours to create a config file. Maybe somebody on this list could post some excerpts with hints. But thanks for the tip.

> IPSec can prevent spoofing and keep sniffers from reading your SNMP data as well.

Yep, I run IPSec on several machines and I like it, really. But now I have some machines with SNMP. I don't want to hack them all into an IPSec config. Some of them run old distros but are not scheduled for updates. All-in-all it would take hours to set it up and test it. Address spoofing is a topic and the reason for my wish to disable "write" operations. Does somebody on the list have a "more-secure-than-default" config for snmpd for r/o access only? I would like to get a copy since I think it's easier and more secure to adapt such a file.

oki, Steffen
--
This letter was generated by machine and therefore bears neither signature nor seal.
* Steffen Dettmer wrote on Mon, Sep 03, 2001 at 11:54 +0200:
> Does somebody on the list have a "more-secure-than-default" config for snmpd for r/o access only? I would like to get a copy since I think it's easier and more secure to adapt such a file.

On SuSE 7.1 systems, there is a /etc/ucdsnmp.conf file. There was a nice example file called /usr/share/doc/packages/ucdsnmp/EXAMPLE.conf.def. To configure the monitor, beside some other defaults, I used:

```
#Security Name (by address)
# sec.name source community
com2sec monitorip 192.168.1.1 public

#Security Name --> Group Names
# groupname sec.model sec.name
group all_ro_group v1 monitorip
group all_ro_group v2c monitorip
group all_ro_group usm monitorip

#Views
# name incl/excl subtree mask
view all included .1 80

#Grant access for the group to the view
# groupname context sec.model sec.level match read write notif
access all_ro_group "" any noauth exact all none none
```

I put it as /usr/etc/snmp/snmpd.conf (according to strace, snmpd on 7.0 does not load /etc/*snmp* things). On SuSE 7.1, this file should be /etc/ucdsnmpd.conf. For debugging, it may be useful to give a:

```
snmpd -f -V -l /tmp/log
```

On problems, "-D" produces a lot of debugging output. I commented out things like exec in the config file. Well, in this stage it's possible to comment out and restart line by line, and if it stops working it was a necessary privilege :) For MRTG it should be enough to grant access to the interfaces, but I haven't tested it so far (only with snmpwalk). As view I tried:

```
# name incl/excl subtree mask
view iface included interfaces

# groupname context sec.model sec.level match read write notif
access all_ro_group "" any noauth exact iface none none
```

Well, finally it was easy - I wonder if nobody on this list uses SNMP?!

oki, Steffen
--
This letter was generated by machine and therefore bears neither signature nor seal.
* Steffen Dettmer wrote on Tue, Sep 04, 2001 at 11:08 +0200:
> For MRTG it should be enough to grant access to the interfaces, but I haven't tested it so far (only with snmpwalk). As view I tried:
>
> # name incl/excl subtree mask
> view iface included interfaces

Well, now I use for MRTG:

```
view iface included system
view iface included interfaces.ifTable
view iface included ip.ipAddrTable.ipAddrEntry
```

This seems to work well. Just for your reference.

oki, Steffen
--
This letter was generated by machine and therefore bears neither signature nor seal.
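The com2sec/group/view/access lines posted above and the narrower MRTG view in this last message both aim at one property: no community may reach a write view. The checker below is an added example, not code from the thread or from ucd-snmp; it parses that VACM style of snmpd.conf and reports any write path, any whole-tree read view, and any `rwcommunity`/`rwuser` shortcut. The sample config is constructed from the thread's lines plus one deliberately weak `rwcommunity` line.

```python
from collections import defaultdict

# Constructed sample: the read-only VACM config from the thread plus one
# deliberately weak 'rwcommunity' line, so the checker has something to flag.
SAMPLE_CONF = """\
# sec.name source community
com2sec monitorip 192.168.1.1 public
group all_ro_group v1 monitorip
group all_ro_group v2c monitorip
group all_ro_group usm monitorip
view iface included system
view iface included interfaces.ifTable
view iface included ip.ipAddrTable.ipAddrEntry
# groupname context sec.model sec.level match read write notif
access all_ro_group "" any noauth exact iface none none
rwcommunity private
"""

def parse_vacm(text):
    """Index com2sec/group/view/access lines; also collect rw shortcut lines."""
    com2sec, groups, views, access, shortcuts = {}, defaultdict(set), defaultdict(list), {}, []
    for raw in text.splitlines():
        f = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if not f:
            continue
        if f[0] == "com2sec" and len(f) >= 4:
            com2sec[f[1]] = (f[2], f[3])          # secname -> (source, community)
        elif f[0] == "group" and len(f) >= 4:
            groups[f[3]].add(f[1])                # secname -> group names
        elif f[0] == "view" and len(f) >= 4:
            views[f[1]].append((f[2], f[3]))      # viewname -> [(incl/excl, subtree)]
        elif f[0] == "access" and len(f) >= 9:
            access[f[1]] = {"read": f[6], "write": f[7], "notify": f[8]}
        elif f[0] in ("rwcommunity", "rwuser"):
            shortcuts.append(" ".join(f))
    return com2sec, groups, views, access, shortcuts

def audit(text):
    """Return findings: rw shortcuts, communities with a write view, whole-tree read views."""
    com2sec, groups, views, access, shortcuts = parse_vacm(text)
    findings = [f"rw shortcut grants write access: {s}" for s in shortcuts]
    for secname, (source, community) in com2sec.items():
        for grp in sorted(groups.get(secname, ())):
            acl = access.get(grp, {"read": "none", "write": "none"})  # no access line: no rights
            if acl["write"] != "none":
                findings.append(f"community '{community}' from {source} can WRITE via group {grp} (view {acl['write']})")
            if any(incl == "included" and sub in (".1", ".iso", "iso") for incl, sub in views.get(acl["read"], [])):
                findings.append(f"community '{community}' from {source} reads the whole MIB tree via view {acl['read']}")
    return findings
```

Run `audit(open("/etc/ucdsnmpd.conf").read())` against your own file; an empty list means every community is confined to a read-only, non-whole-tree view.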