RE: SNMP warning from CERT yesterday

From: Jay Hennigan (jay@xxxxxxxx)
Date: Thu Feb 14 2002 - 03:37:08 GMT-3


   
On Wed, 13 Feb 2002, Matt Wagner wrote:

> right. Sorry, I forgot to state that the initial warning recommended
> turning off SNMP entirely. Subsequent warnings took into account that we
> can't just do that, but warned of a failure of a configured ACL to actually
> filter the SNMP traffic (with no explicit reason why).

SNMP uses UDP. Because there is no three-way handshake with random
sequence numbers as with TCP, it is trivial to spoof the source of a
UDP packet.

So, in addition to configured ACLs limiting SNMP to defined machines
that really need it, ACLs at your borders filtering traffic that claims
to originate within your network are a good thing. Likewise as a good
neighbor (unless you're providing transit) you should filter traffic
leaving your network that claims to originate elsewhere.

The advisory also suggested disabling UDP port 7 (echo) to prevent bouncing
an SNMP packet off of a host allowed by any ACL in place.

And, for heaven's sake, don't use "public" for RO and "private" for RW!

--
Jay Hennigan - CCIE #7880 - Network Administration - jay@west.net
NetLojix Communications, Inc.  -  http://www.netlojix.com/
WestNet:  Connecting you to the planet.  805 884-6323
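
Added example, not part of the original message: a small Python model of the two filter layers described above, showing that a device SNMP ACL alone accepts a forged manager address arriving from outside, while a border anti-spoofing filter drops it. The prefixes, the manager address and all function names are constructed for illustration.

```python
"""Model of a device SNMP ACL backed by border anti-spoofing filters."""
from ipaddress import ip_address, ip_network

# Constructed sample values (documentation prefixes), not from the original post.
INTERNAL = [ip_network("192.0.2.0/24")]        # address space we own
SNMP_MANAGERS = [ip_network("192.0.2.10/32")]  # hosts allowed to use SNMP


def in_any(addr, nets):
    a = ip_address(addr)
    return any(a in n for n in nets)


def snmp_acl_permits(src):
    """Device ACL: matches the claimed source only, which UDP does not verify."""
    return in_any(src, SNMP_MANAGERS)


def border_permits(direction, src, provides_transit=False):
    """Border anti-spoofing filter.

    inbound : drop packets from outside that claim an internal source.
    outbound: drop packets leaving that claim a source we do not own,
              unless we carry transit traffic for other networks.
    """
    internal_src = in_any(src, INTERNAL)
    if direction == "inbound":
        return not internal_src
    if direction == "outbound":
        return internal_src or provides_transit
    raise ValueError(f"unknown direction: {direction!r}")


def reaches_snmp_agent(arrived_from, src, border_filtering=True):
    """True if a UDP/161 packet with claimed source `src` reaches the agent."""
    if arrived_from == "outside" and border_filtering:
        if not border_permits("inbound", src):
            return False
    return snmp_acl_permits(src)


if __name__ == "__main__":
    cases = [
        ("inside", "192.0.2.10", True),     # genuine manager
        ("outside", "192.0.2.10", False),   # forged manager address, no border filter
        ("outside", "192.0.2.10", True),    # forged manager address, border filter on
        ("outside", "198.51.100.7", True),  # honest outside source
    ]
    for origin, src, filt in cases:
        ok = reaches_snmp_agent(origin, src, filt)
        print(origin, src, f"border_filter={filt}", "->", "reaches agent" if ok else "dropped")
```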

