Commentary: The security risks of SNMP

Enterprises must act quickly to head off the hacker attacks that will almost certainly result from the security holes known to be in the Simple Network Management Protocol, according to Gartner.

By Bill Gassman, Gartner analyst

Enterprises must act quickly to head off the hacker attacks that will almost certainly result from the revelation that there are many more security holes in the Simple Network Management Protocol than previously realized.

Researchers at Oulu University in Finland pretended to be hackers and issued commands to SNMP agents and management systems that a system doesn't usually expect.

What they found was alarming.

None of the 12 systems they evaluated survived the test. Testers were able to crash and hang various systems, and they were able to execute arbitrary code.

To make matters worse, the CERT Coordination Center at Carnegie Mellon University has also issued an advisory that lists statements from a significant number of companies that are disclosing SNMP vulnerabilities in their products. Many of those companies have issued patches or have said they will do so shortly.

SNMP version 1 is a venerable standard that is supported by virtually all network devices. It has always been considered insecure, but it has been tolerated because it usually just monitors statistics and configuration information from systems. In more than 10 years of use, only minor security alerts have occurred.

However, now that SNMP's vulnerabilities have been widely publicized, any hacker has access to the tools that discovered those vulnerabilities. Enterprises must prepare for the inevitable attacks by securing all network or system components against internal and external SNMP hacking exploits. Safeguards include filtering out SNMP traffic, applying the appropriate patches, or disabling the protocol within the system. Systems that cannot be protected should be scheduled for a relaunch and replaced by something more secure.

In the short term, some of the security measures may hurt the efficiency of network operation centers, particularly in communities where trust was implicit. In the long term, enterprises must evaluate whether SNMP is adequate for securely managing networks, systems and applications.

The bottom line, however, is that enterprises should not ignore this security problem. To do so would be nothing less than dereliction of duty.

(For a related commentary on security, see gartner.com.)

Entire contents, Copyright © 2002 Gartner, Inc. All rights reserved. The information contained herein represents Gartner's initial commentary and analysis and has been obtained from sources believed to be reliable. Positions taken are subject to change as more information becomes available and further analysis is undertaken. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of the information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof.