Our Unix team has decided that us using SNMP to poll Unix servers is a security risk. Any thoughts?
We have asked them to consider v3.
Top Secret Plan:
1: Get SNMP access
2: Determine CPU usage
3: .....
4: Win!
Any protocol open on a server comes with some level of risk. There are steps you can (and should) take to mitigate that risk, however: limiting SNMP to being queried from specific hosts or subnets, or, as you stated, using SNMP v3, which allows for some confidentiality by encrypting packets and also authentication by using a username/password.
Turning this completely off is a little bit much when there are established practices to mitigate the risks involved.
OK, I'm down from my soapbox now.... Good luck.
I agree with Mike! There are way too many benefits of SNMP to do away with it, especially for Linux/Unix environments, which are already challenging enough to monitor. Properly configured it's just as safe as any method of monitoring, IMO.
Kris Maxwell
www.loop1systems.com
Another thing to do, to keep risks down, is only use read-only strings. Doing this ensures the requestor can only get information from the device, whereas read-write could allow changes. Limiting the level of access can also help keep the risks to a minimum and still allow for better monitoring than just ICMP.
Regards,
Matthew Harvey
Loop1 Systems
Mike pretty much hit it: you definitely get security by chopping functionality. Did your UNIX guys give you more than "it's a security risk"? I've known a lot of engineers that throw that around and never offer up much more. And to add to mharvery's point, you could limit your SNMP view (Cisco term) to non-sensitive information (if there is such a thing).
Not trying to be too funny, but what security risk is there in someone being able to pull your CPU/Memory/Volume usage when you are only using a read-only string?
Even more so on the Unix side when Net-SNMP doesn't report proc info correctly anyway.
I don't ever care to see the averaged value of my Idle, Wait, User, System time rolled up into what Net-SNMP thinks is my actual usage. I would rather run a Perl script through SSH and see each of those values independently to begin with.
When doing that I can understand the security risk, but then there is the ability to make your user a part of a sudo group and limit the commands it needs root to run, and everything else only needs user-level access.
Having been a part of an enterprise security team for Aviall (Boeing), I understand where SNMP and its functionality get overthought.
Now if we were talking about WMI then I could understand the concern, but this is only about SNMP. If they have an issue with Version 2c then you really should look at Version 3 which offers encryption.
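The settings the replies above recommend (read-only access, restricting the source hosts, a limited view, and SNMPv3 with encryption) map onto a few lines of Net-SNMP's snmpd.conf. The fragment below is an added example and is not configuration posted by anyone in this thread; the poller subnet 192.0.2.0/24, the view name "monitor", the community and user names, and the passphrase placeholders are all assumptions to be replaced with your own values.

```conf
# ---- Weak setting (what the Unix team is rightly worried about) ----
# Read-WRITE, the default community name, accepted from ANY source,
# and it exposes the whole MIB tree.  Do not use this.
#rwcommunity public

# ---- Hardened v2c setting ----
# Limit what can be read to the subtrees a monitoring poller actually needs.
view monitor included .1.3.6.1.2.1.1          # SNMPv2-MIB system group (sysName, sysUpTime, ...)
view monitor included .1.3.6.1.2.1.25         # HOST-RESOURCES-MIB (CPU, memory, storage)
view monitor included .1.3.6.1.4.1.2021       # UCD-SNMP-MIB (load average, memory, disk)

# Read-only community, answered only for the poller subnet (assumed: 192.0.2.0/24),
# and restricted to the "monitor" view above.
rocommunity <long-random-community-string> 192.0.2.0/24 -V monitor

# ---- SNMPv3 (authPriv): authenticated and encrypted ----
# createUser is read once at startup, converted to key material and removed
# from the file, so the clear-text passphrases do not persist on disk.
createUser orionv3 SHA "<auth-passphrase>" AES "<priv-passphrase>"
# Require the "priv" security level (encryption, not just authentication)
# and apply the same read-only view.
rouser orionv3 priv -V monitor
```

The v2c community string still travels in clear text, which is why the v3 user is the setting to push for; the view and source restrictions apply to both. After restarting snmpd you can confirm the restriction works by walking `system` with the v3 credentials (`snmpwalk -v3 -u orionv3 -l authPriv -a SHA -A '<auth-passphrase>' -x AES -X '<priv-passphrase>' <host> system`) and then checking that a subtree outside the view returns nothing.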
All the scariest hax0rzz use SNMP. Read-only. V3. From a fixed IP.
No... that's all they gave. I think they just don't understand SNMP on Unix, 'cause our Windows team gives us no issues.
It's very common with sysadmins. I have met plenty that have no clue what SNMP even is, or how to configure it properly. Just tell them that if I can't use SNMP then I need SSH access to run Perl scripts, and some of them need root access. See how wide their eyes get then, lol.
I think it's because they either don't want to take the time to set it up properly or they don't know how and don't want others to know of their "problem" :-)
LOL, GIVE ME TEH ROOTZ!
Our Unix admins shut down SNMP years ago.
However that should not stop you from polling the stats you want.
Just request an admin account to be created on all the servers and use that to poll the server using Orion Server and Application Monitor (formerly APM) scripts.
You are correct, as I mentioned this above, but there is no way a true Unix admin is going to say, "Ohhhh, sure, here is a root account for you to use to SSH into my box and run scripts."
You would want to have them create a sudo file/table for your user name and then provide a listing of the commands some of the templates need root-level access to run, so that they can add those commands to a sudo wrapper for your specific user.
Remember, root is bad. It's not logged for anything in the system, and you won't have the ability to audit-track who is doing what when using root.
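The "sudo wrapper for your specific user" described above is a sudoers drop-in that grants the monitoring account exactly the root-level commands its templates need and nothing else, while sudo logs every invocation (which is the audit trail a shared root login never gives you). This is an added example, not a file posted by anyone in this thread; the user name orionmon, the two commands, and their arguments are assumptions, to be replaced with whatever your own templates actually require.

```conf
# Constructed example: /etc/sudoers.d/orionmon  (install with mode 0440)
# Monitoring account "orionmon" (assumed name) logs in over SSH with its own
# key and runs templates as itself; only the commands below are elevated.

# Every command, with the exact arguments allowed.  Listing arguments means
# sudo rejects any other invocation of the same binary.
Cmnd_Alias MONITOR_CMDS = /usr/sbin/dmidecode -t system, \
                          /usr/bin/sar -u 1 1

# Non-interactive SSH sessions have no tty; allow that for this user only,
# and keep a replayable record of command output alongside the syslog entry.
Defaults:orionmon !requiretty
Defaults:orionmon log_output

# The grant: as root, without a password prompt, only MONITOR_CMDS.
# Deliberately absent: ALL, shells, editors, and anything that writes config.
orionmon ALL = (root) NOPASSWD: MONITOR_CMDS
```

Validate the file before it goes live with `visudo -cf /etc/sudoers.d/orionmon`; a syntax error in a drop-in can lock everyone out of sudo. With this in place, each poll shows up in the auth log as `orionmon : ... COMMAND=/usr/sbin/dmidecode -t system`, so the Unix team can see exactly what the monitoring account ran and when.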