Enterprises must act quickly to head off the hacker attacks that will almost certainly result from the revelation that there are many more security holes in the Simple Network Management Protocol than previously realized.
See news story:
Flaws in common software threaten Net
What they found was alarming.
None of the 12 systems they evaluated survived the test. Testers were able to crash and hang various systems, and they were able to execute arbitrary code.
To make matters worse, the CERT Coordination Center at Carnegie Mellon University has also issued an advisory that lists statements from a significant number of companies that are disclosing SNMP vulnerabilities in their products. Many of those companies have issued patches or have said they will do so shortly.
SNMP version 1 is a venerable standard that is supported by virtually all network devices. It has always been considered insecure, but it has been tolerated because it usually just monitors statistics and configuration information from systems. In more than 10 years of use, only minor security alerts have occurred.
However, now that SNMP's vulnerabilities have been widely publicized, any hacker has access to the tools that discovered those vulnerabilities. Enterprises must prepare for the inevitable attacks by securing all network or system components against internal and external SNMP hacking exploits. Safeguards include filtering out SNMP traffic, applying the appropriate patches, or disabling the protocol within the system. Systems that cannot be protected should be scheduled for a relaunch and replaced by something more secure.
In the short term, some of the security measures may hurt the efficiency of network operation centers, particularly in communities where trust was implicit. In the long term, enterprises must evaluate whether SNMP is adequate for securely managing networks, systems and applications.
The bottom line, however, is that enterprises should not ignore this security problem. To do so would be nothing less than dereliction of duty.
(For a related commentary on security, see gartner.com.)
Entire contents, Copyright © 2002 Gartner, Inc. All rights reserved. The information contained herein represents Gartner's initial commentary and analysis and has been obtained from sources believed to be reliable. Positions taken are subject to change as more information becomes available and further analysis is undertaken. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of the information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof.