SNMP bug threatens networks

CERT points out one of the biggest security risks your enterprise can face. Here's how to protect your network.

This week's alert by CERT that network infrastructure may be at risk from attacks using Simple Network Management Protocol (SNMP) highlights what may be the greatest risk your enterprise can face. Without prompt action, intruders can take over your network at its most basic level, and in the process siphon off your network traffic or disrupt your business. Fortunately, the solution to this problem is known, and fixing it can be accomplished fairly easily, although it will be tedious.

SNMP is the standard management protocol used on TCP/IP networks. It allows virtually anything on the network, including switches, routers, firewalls, hubs, and even operating systems and server products and utilities, to communicate with management software about its current operations and state of health. However, SNMP can also be used to control these devices and products, telling them to redirect traffic, change traffic priorities or even to shut down. In short, intruders can take over your network if they know what they're doing.

To protect yourself, you need to do a few simple things. First, if you really want to be safe, turn off SNMP throughout your network until you've been able to install patches provided by the manufacturer of your infrastructure equipment or software. You may need to check every router, switch, hub and server on your network, as well as the software that runs on them.

Second, download and install the patches for each piece of equipment and each piece of software before you turn SNMP back on. Cisco, which makes about 85 percent of all infrastructure hardware, has promised a fix today. Some manufacturers already have patches available.

Third, make sure your firewall is set to block SNMP traffic from outside your network. Remember, your firewall may itself have SNMP enabled, so make sure it's patched, too. To keep SNMP traffic out of your network, the SANS Institute recommends blocking inbound TCP and UDP traffic on ports 161 and 162 at the perimeter. Cisco products should also have UDP traffic on port 1993 blocked. If you have enterprise assets outside the firewall that must use SNMP (Internet routers, for example), make sure those get patched first.

Remember, it doesn't have to be hardware for the SNMP vulnerability to be a problem. Windows (not XP), Linux, some versions of Unix, some mail and commerce servers, and management frameworks including HP OpenView and CA Unicenter are reported to be vulnerable. This means that if you use a network management application to monitor and control your network, you may have to learn to do without it until you can get a patch installed to eliminate the vulnerability.

On the other hand, if you can be certain your firewall is set up properly, and isn't itself vulnerable, you can probably take a little more time. But you should monitor everything behind the firewall, and the firewall itself, to make sure you're not being targeted by an intruder. And you have to make sure that every possible point of access to the Internet has a firewall installed.
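One way to check that the port blocking described above is actually holding, and to spot outside hosts probing for SNMP, is to sweep the firewall's own logs for SNMP-port packets whose source is not one of your internal networks. The script below is an added example written for this article, not code from CERT, SANS or Cisco; the log lines are constructed in a netfilter-style format, and the internal network ranges and the `inbound_snmp_from_outside` function name are assumptions.

```python
import ipaddress
import re

# Ports named in the article: SNMP (161) and SNMP traps (162) on both TCP and
# UDP, plus UDP 1993, which the article says should be blocked for Cisco gear.
SNMP_PORTS = {("tcp", 161), ("udp", 161), ("tcp", 162), ("udp", 162), ("udp", 1993)}

# Constructed log format, loosely modelled on a netfilter/iptables LOG line.
LOG_RE = re.compile(
    r"IN=(?P<iface>\S+) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?"
    r"PROTO=(?P<proto>\w+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

def is_internal(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)

def inbound_snmp_from_outside(lines, internal_nets):
    """Return (src, dst, proto, dport) for every SNMP-port packet whose source
    lies outside internal_nets. A non-empty result means the perimeter is
    letting SNMP in, or an outside host is probing for it."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a packet log line
        key = (m["proto"].lower(), int(m["dpt"]))
        if key not in SNMP_PORTS:
            continue  # some other service
        if is_internal(m["src"], nets):
            continue  # internal management station polling a device: expected
        hits.append((m["src"], m["dst"], key[0], key[1]))
    return hits

# Constructed sample log (hypothetical addresses from documentation ranges).
SAMPLE_LOG = [
    "Feb 13 10:01:02 fw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.1.1 PROTO=UDP SPT=40321 DPT=161 LEN=68",
    "Feb 13 10:01:03 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.9 PROTO=UDP SPT=161 DPT=40321 LEN=120",
    "Feb 13 10:01:05 fw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.1.2 PROTO=UDP SPT=40322 DPT=1993 LEN=68",
    "Feb 13 10:01:06 fw kernel: IN=eth1 OUT=eth1 SRC=192.168.1.10 DST=192.168.1.1 PROTO=UDP SPT=5001 DPT=161 LEN=80",
    "Feb 13 10:01:07 fw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.1.1 PROTO=TCP SPT=40323 DPT=80 LEN=60",
]

if __name__ == "__main__":
    for src, dst, proto, port in inbound_snmp_from_outside(SAMPLE_LOG, ["192.168.0.0/16"]):
        print(f"outside host {src} reached {dst} on {proto}/{port}: SNMP not blocked at perimeter")
```

Run it against a real log export and an accurate list of your internal ranges; any hit is a device that still needs SNMP disabled or the perimeter rule reviewed.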

Whew. Now you can breathe easy. Right?

Not on your life. Now you just have a better idea where to look for the next intrusion.

How do you plan to protect your network from SNMP vulnerabilities? E-mail us or post your thoughts in our Talkback forum below.

Wayne Rash runs a product testing lab near Washington, DC. He's been involved with secure networking for 20 years and is the author of four books on networking topics.