Well, by now you've all seen it, big problems with Simple Network Management Protocol. What you might not have seen is how I saw it, so I'll share because I think it is interesting and should be for others. Way back in '99 SANS issued a top 10 problems document that said to turn off SNMP unless absolutely necessary. This is for a wide variety of reasons, but overall it is not a very well secured protocol or management system, though it is quite effective.

So earlier today, I get an e-mail from SANS saying:

1:30 PM EST 12 February, 2002

In a few minutes wire services and other news sources will begin breaking a story about widespread vulnerabilities in SNMP (Simple Network Management Protocol). Exploits of the vulnerability cause systems to fail or to be taken over. The vulnerability can be found in more than a hundred manufacturers' systems and is very widespread - millions of routers and other systems are involved.

As one of the SANS alumni, your leadership is needed in making sure that all systems for which you have any responsibility are protected. To do that, first ensure that SNMP is turned off. If you absolutely must run SNMP, get the patch from your hardware or software vendor. They are all working on patches right now. It also makes sense for you to filter traffic destined for SNMP ports (assuming the system doing the filtering is patched).

To block SNMP access, block traffic to ports 161 and 162 for tcp and udp. In addition, if you are using Cisco, block udp for port 1993.

The problems were caused by programming errors that have been in the SNMP implementations for a long time, but only recently discovered. CERT/CC is taking the lead on the process of getting the vendors to get their patches out. Additional information is posted at http://www.cert.org/advisories/CA-2002-03.html

____

Lo and behold, I check Yahoo at 3:30pm and there it is, posted at 2:53, an hour and 23 minutes response between effective announcement to security professionals and the public.
Now granted that is not a lot of time, but for highly efficient organizations, it probably was sufficient. After the SANS announcement came out, I checked our (cddc/aoir) systems just to be sure. At 2:40 I received the CERT announcement, which is a broad announcement which most likely generated the media. What amazes me is the increasing systematization of information security and the professionalization that goes along with it. How does having a 1 hour period before announcement help sustain the appearance of professionalism, or the top 10 list? I haven't made that argument yet, but I'd be interested in opinions.

--
jeremy hunsinger
cddc/political science
526 major williams hall 0130
virginia tech
blacksburg, va 24061
540-231-7614
http://www.cddc.vt.edu/jeremy
http://www.cddc.vt.edu
http://www.dromocracy.com - under construction
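The port filter the SANS note prescribes (tcp and udp 161/162, plus udp 1993 on Cisco) can be checked against connection records to see which flows a correctly configured filter should drop. This is an added example, not code from the original post or from SANS; the flow-log format (`proto src:sport dst:dport`) and the sample records are constructed for illustration.

```python
"""Apply the SNMP block list from the SANS note (tcp/udp 161 and 162,
udp 1993 for Cisco) to constructed flow records and report the drops.
Added example; the record format is an assumption, not a real log format."""
from dataclasses import dataclass

# Destination ports the note says to block, keyed by transport protocol.
# 1993 is the Cisco-specific port and is listed for udp only.
SNMP_BLOCK_RULES = {
    "tcp": {161, 162},
    "udp": {161, 162, 1993},
}

@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def parse_flow(line: str) -> Flow:
    """Parse one constructed record: '<proto> <src>:<sport> <dst>:<dport>'."""
    proto, src, dst = line.split()
    shost, sport = src.rsplit(":", 1)
    dhost, dport = dst.rsplit(":", 1)
    return Flow(proto.lower(), shost, int(sport), dhost, int(dport))

def is_blocked(flow: Flow) -> bool:
    """True when the destination port falls under the SNMP block rules."""
    return flow.dport in SNMP_BLOCK_RULES.get(flow.proto, set())

def audit(lines):
    """Return, in input order, the flows that the filter should drop."""
    return [f for f in (parse_flow(l) for l in lines if l.strip()) if is_blocked(f)]

# Constructed sample records: two SNMP polls, one trap, one Cisco udp 1993,
# a tcp 1993 flow that the note does not cover, and ordinary DNS/HTTPS.
SAMPLE_FLOWS = """\
udp 10.0.0.5:40211 10.0.1.1:161
tcp 10.0.0.7:51000 10.0.1.1:161
udp 10.0.1.1:161 10.0.0.9:162
udp 10.0.0.5:40212 10.0.1.2:1993
tcp 10.0.0.5:40213 10.0.1.2:1993
udp 10.0.0.5:53021 10.0.1.53:53
tcp 10.0.0.5:44321 10.0.2.10:443
""".splitlines()

if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS):
        print(f"DROP {f.proto} {f.src}:{f.sport} -> {f.dst}:{f.dport}")
```

The note's own caveat still applies: the host doing the filtering must itself be patched, since the filter only covers traffic passing through it.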