Security flap brews over SNMP

Lax security in a widely used Internet protocol raises questions about whether leading firewall software opens its users' networks to attacks from hackers.

Lax security in a widely used Internet protocol has raised questions about whether leading security firewall software, including the top-selling FireWall-1 software from Check Point (CHKPF), opens the networks of its users to attacks from hackers.

Check Point, which has been the No. 1 firewall vendor since 1995, says the flaw lies in SNMP (Simple Network Management Protocol), not its firewalls, and that network administrators can rebuff attacks by configuring the firewall software correctly.

But Secure Networks Incorporated (SNI), the Canadian security software company that issued an alert Wednesday about Check Point's flagship FireWall-1, said that Check Point users are more vulnerable to the problem than customers of other firewall vendors.

"Check Point allows a great deal more [SNMP] access to FireWall-1 than other firewall vendors do. They don't have this problem," said Alfred Huger, an SNI project director.

Other firewall vendors that also support SNMP said their software is set up differently than Check Point's and doesn't have the same weakness. Firewall vendors that support SNMP include Secure Computing's Sidewinder firewall, Trusted Information Systems' Gauntlet 2.0 for Windows NT, Raptor, Elron Software, and Cisco's PIX firewall.

Raptor, Secure Computing, Elron, and TIS said their firewalls are configured by default to avoid Check Point's problem.

Other vendors avoid the problem by letting only internal users, or sometimes specific individuals, make SNMP requests for their firewalls' status, Huger said. That keeps potentially sensitive information about a firewall and the network it protects away from outsiders. Check Point will now recommend that users authorize specific persons to have access, the company said.

In addition, Huger noted, Check Point's default setting for FireWall-1 lets outsiders make SNMP requests for information that could help hackers. Check Point acknowledged that problem with its defaults and said it will change them as well as warn customers to change the settings on firewalls already in use.

However, some security experts say SNMP is so inherently insecure that firewalls shouldn't support the protocol.

"SNMP and firewalls don't mix very well," said David Bonn, chief technical officer of WatchGuard Technologies, which makes hardware devices that monitor network intrusions. "Customers want this feature [for easier management], but it doesn't make a lot of sense."

"This type of vulnerability is not really new," said Michele Norwood, a spokeswoman for Internet Security Systems (ISS), a WatchGuard rival that also markets intrusion devices.

Many firewalls, routers, printers, print servers, and other networked devices use SNMP to talk to each other and for remote management. But misconfigurations by users installing the software, a major problem with firewalls, can create security holes.

"We have seen an increase in hacker attacks that focus on exploiting this weakness," Norwood said. Traffic on one firewall Internet mailing list shows notable concern about SNMP. One September posting read: "Can anyone break into a network by using any SNMP-based tool?"

But Check Point has no plans to drop its firewall's support of SNMP.

"It's important because many kinds of systems management software--Hewlett Packard's OpenView, Tivoli's TME 10 Enterprise Console, Computer Associates' Unicenter, and Sun Microsystems' Solstice--rely on SNMP for [network] management," Check Point executive Robert Ma said.

"These unified consoles use SNMP to poll devices to see if they're running--that's why it is so pervasive," Ma added, noting that other mechanisms are also available. "SNMP is still important. By configuring the firewall in [the correct] manner, you will have safer SNMP communications. We're seeing that a configuration adjustment will satisfy almost every situation."

Check Point has posted a description of how to plug the security hole, though it is posted in a password-restricted area of its Web site for resellers. Check Point said it will post the fix Monday on its public site.

SNI outlined the problem in a posting on an Internet security mailing list.

"To an intruder, the information obtained can in many cases point them directly to a way in which they can gain remote access to the protected network," according to SNI's security posting.

To close the security hole, SNI suggests that FireWall-1 users disable the "Enable Remote Connections" option and block all SNMP traffic at the border router (UDP port 161), but urges that action only after consulting their own security administrator.
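Whether the restriction described earlier (only internal or designated hosts may poll the firewall) and the border filter on UDP port 161 suggested here are actually in effect can be checked against the firewall's own accept/drop records. The script below is an added example, not code from the article, Check Point or SNI; its log format, trusted address ranges and sample records are constructed placeholders that would need adapting to a real firewall's log format.

```python
# Added example (not from the article or any vendor): audit firewall flow
# records for SNMP requests the firewall ACCEPTED from outside the trusted
# management network. Log format and address ranges below are constructed
# placeholders; a real firewall's records will look different.
import ipaddress
import re

SNMP_PORT = 161
# Placeholder: who is allowed to poll the firewall (internal net + one console).
TRUSTED_SNMP_SOURCES = [ipaddress.ip_network("10.0.0.0/8"),
                        ipaddress.ip_network("192.168.1.10/32")]

# Constructed record format: "<time> <proto> <src>:<sport> -> <dst>:<dport> <action>"
LINE_RE = re.compile(r"^(\S+)\s+(udp|tcp)\s+([\d.]+):(\d+)\s+->\s+([\d.]+):(\d+)\s+(accept|drop)$")


def parse_line(line):
    """Return (ts, proto, src, dst, dport, action), or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, proto, src, _sport, dst, dport, action = m.groups()
    return ts, proto, src, dst, int(dport), action


def is_trusted(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_SNMP_SOURCES)


def find_exposed_snmp(lines):
    """SNMP requests accepted from untrusted sources, as (ts, src, dst) tuples.
    Dropped requests are not reported: that is the UDP/161 filter doing its job."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, proto, src, dst, dport, action = rec
        if proto == "udp" and dport == SNMP_PORT and action == "accept" and not is_trusted(src):
            findings.append((ts, src, dst))
    return findings


# Constructed sample records (documentation-range addresses for the outsider)
SAMPLE_LOG = [
    "09:01:02 udp 10.1.1.5:40001 -> 10.1.1.1:161 accept",         # internal poll: fine
    "09:01:07 udp 203.0.113.9:51234 -> 198.51.100.2:161 accept",  # outsider accepted: exposure
    "09:01:09 udp 203.0.113.9:51235 -> 198.51.100.2:161 drop",    # outsider blocked: fine
    "09:01:11 tcp 203.0.113.9:51236 -> 198.51.100.2:80 accept",   # not SNMP
    "malformed line",
]

if __name__ == "__main__":
    for ts, src, dst in find_exposed_snmp(SAMPLE_LOG):
        print(f"{ts}: SNMP accepted from untrusted {src} to {dst}")
```

Any line the script reports means an outside host was able to read the firewall's SNMP data, which is exactly the exposure SNI describes; an empty result on a representative log is the evidence that the configuration change took.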

The problem stems from how hackers could use information from a routine SNMP request to break through firewalls that are incorrectly configured.

Check Point argues that the problem is generic to SNMP but can be solved by proper configuration of its firewall software.

"Our firewall can respond to queries, but [an outsider] cannot control a device in SNMP," Check Point's Ma said, agreeing with critics that SNMP is inherently insecure.

"If you misconfigure, you could allow anybody to come in and get [firewall] status information. What should really happen is that you provide an extra level of security [through configuration] so only designated people can get status information."

The vulnerability only exists if the firewall is managed remotely, Check Point said, adding that it knows of no reported security breaches to date.

SNMP is designed to help manage devices ranging from printers to routers on a network without physically going to the device. That remote management feature is popular with network managers with scores of devices scattered around their networks.

According to the SNI advisory, unauthorized users can make an SNMP request to a Check Point firewall for information that would make it easier for them to break into the network behind the firewall without being traced.

Check Point acknowledges that intruders could use that information to circumvent a firewall that is improperly configured, but the company says proper configuration closes the security hole. However, SNI's security advisory hints that the standard configuration for FireWall-1 leaves it vulnerable to hackers and so-called "denial of service" attacks.

In addition, SNI says, data obtained from an SNMP request can be used to monitor the volume of traffic through a firewall, potentially critical information for a competitor.

Future versions of the SNMP protocol may solve the problem, said Tom Haigh, Secure Computing's chief scientist. "We have been working with the Internet Engineering Task Force (IETF) working group for SNMP version 3. That's where these problems will be fixed."

NEWS.COM Reporter Ben Heskett contributed to this report.