I am a consultant at a Cisco partner and I get to see a lot of different networks. Most of the networks are Cisco, but there are a few that are not. From time to time, I get network assessment projects. I love these types of projects, as they are an exploration of uncharted networks to see what can be discovered. Personally, I like to have my network consistent, orderly, and precise. The common components of the configurations on all devices should be identical. These network assessments usually do not conform to these standards. Syslog configured on some devices pointing to a device that no longer
Simple Network Management Protocol (SNMP) has been widely deployed as an important network management tool for decades; it is a key component of scalable network device management and is configurable on nearly all network infrastructure devices sold today. As with any management protocol, if it is not configured securely it can give attackers an entry point into the network and a way to reconnoitre the infrastructure. In the worst case, if read-write community strings are weak or not properly protected, attackers can directly manipulate device configurations.
Cisco has recently seen a spike in brute-force attempts against network devices configured for SNMP on the standard ports (UDP port 161 for agent queries and UDP port 162 for traps). The attacks we have observed try well-known SNMP community strings and focus on network edge devices. We have been working with our Technical Assistance Center (TAC) to help customers mitigate any problems caused by these attempts.
There is nothing new about brute-force attacks against network devices, but in light of these findings customers should revisit their SNMP configurations and confirm that they follow security best practices: non-default, hard-to-guess community strings (with SNMPv1 and v2c the community string is the only credential, and it crosses the network in cleartext), read-only access unless read-write access is genuinely required, ACLs that limit SNMP access to trusted management stations, and SNMPv3 with authentication and privacy where the devices and management tools support it.
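The following is an added example and is not part of the Cisco post: a small Python checker that applies those best practices to an IOS-style configuration. The two configurations it contains are constructed samples; the community string, ACL name, management address and the twelve-character minimum are assumptions chosen for illustration. The checks are the ones the post names: non-default community strings, read-only rather than read-write access, and an access list restricting who may use the community.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample of the kind of configuration the post warns about: default
# community strings, a read-write community, and no access list on either.
WEAK_CONFIG = """\
snmp-server community public RO
snmp-server community private RW
snmp-server location Branch office
"""

# Constructed sample of the same device hardened: a non-default read-only community
# that only the management station named in the ACL may use (values are assumptions).
HARDENED_CONFIG = """\
ip access-list standard SNMP-MGMT
 permit host 10.0.100.5
 deny   any log
snmp-server community kX7v-Lq93-wRt2 RO SNMP-MGMT
snmp-server location Branch office
"""

# Community strings found in every SNMP brute-force wordlist (illustrative, not exhaustive).
WELL_KNOWN_COMMUNITIES = {"public", "private", "cisco", "admin", "manager", "secret", "write", "monitor"}
MIN_COMMUNITY_LENGTH = 12  # assumed local policy; Cisco does not mandate a specific length

# Matches 'ip access-list standard|extended NAME' and numbered 'access-list N ...' definitions.
ACL_DEFINITION = re.compile(
    r"^(?:ip access-list (?:standard|extended) (?P<named>\S+)|access-list (?P<numbered>\d+)\s)"
)


@dataclass
class Community:
    name: str
    mode: str = "RO"               # IOS defaults to read-only when neither RO nor RW is given
    view: Optional[str] = None
    acl: Optional[str] = None
    ipv6_acl: Optional[str] = None


def parse_communities(config: str) -> List[Community]:
    """Parse 'snmp-server community <string> [view v] [RO|RW] [ipv6 acl] [acl]' lines."""
    found = []
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:2] != ["snmp-server", "community"] or len(tokens) < 3:
            continue
        c = Community(name=tokens[2])
        rest, i = tokens[3:], 0
        while i < len(rest):
            word = rest[i].lower()
            if word == "view" and i + 1 < len(rest):
                c.view, i = rest[i + 1], i + 2
            elif word in ("ro", "rw"):
                c.mode, i = word.upper(), i + 1
            elif word == "ipv6" and i + 1 < len(rest):
                c.ipv6_acl, i = rest[i + 1], i + 2
            else:
                c.acl, i = rest[i], i + 1
        found.append(c)
    return found


def defined_acls(config: str) -> Set[str]:
    """Names and numbers of every access list the config actually defines."""
    acls = set()
    for line in config.splitlines():
        m = ACL_DEFINITION.match(line)
        if m:
            acls.add(m.group("named") or m.group("numbered"))
    return acls


def audit_snmp_config(config: str) -> List[str]:
    """Return one finding per weakness; an empty list means the communities pass these checks."""
    findings = []
    acls = defined_acls(config)
    for c in parse_communities(config):
        if c.name.lower() in WELL_KNOWN_COMMUNITIES:
            findings.append(f"{c.name}: well-known community string, first guess in any brute-force run")
        elif len(c.name) < MIN_COMMUNITY_LENGTH:
            findings.append(f"{c.name}: community string shorter than {MIN_COMMUNITY_LENGTH} characters")
        if c.mode == "RW":
            findings.append(f"{c.name}: read-write access lets a caller change the configuration over SNMP")
        if c.acl is None and c.ipv6_acl is None:
            findings.append(f"{c.name}: no access list restricts which hosts may use this community")
        elif c.acl is not None and c.acl not in acls:
            findings.append(f"{c.name}: access list {c.acl} is referenced but never defined in this config")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for finding in audit_snmp_config(cfg) or ["no findings"]:
            print(" ", finding)
```

Run it against a saved `show running-config` to get the same three classes of finding on real devices; a community whose ACL is referenced but never defined is reported separately, because that is the typical half-finished hardening an assessment turns up.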
Cisco has published a number of best practices documents for securing the management plane, including SNMP configuration:
- Securing Simple Network Management Protocol
- IOS SNMP Configuration Best Practices Guide
- Cisco Guide to Securing Cisco NX-OS Software Devices White Paper
- Cisco Firewall Best Practice Guide
- Cisco Guide to Harden Cisco IOS XR Devices
- Cisco TelePresence Hardening Guide
- Additional Cisco Network Security Documents
Simple Network Management Protocol (SNMP) is an application-layer protocol of the IETF Internet protocol suite, normally carried over UDP, and is used mainly to manage and monitor networked devices. It can report the health of a device and other reflections of its state (interfaces, IP addresses, traffic counters and more). SNMPv1 is defined in IETF RFC 1157; the later community-based SNMPv2c is specified in RFC 1901 and RFC 3416, and SNMPv3, which adds authentication and encryption, in RFC 3410 through RFC 3418. For its function SNMP relies on Management Information Bases (MIBs), which define the structure of the management data a device maintains as a hierarchical namespace of object identifiers (OIDs). Each OID names one object of interest, for example sysDescr.0 (1.3.6.1.2.1.1.1.0), whose value can be polled or, with write access, set via SNMP.
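As an added example (not from the original post), the following Python builds an SNMPv2c GetRequest for sysDescr.0 by hand using the BER encoding that RFC 1157 and RFC 3416 specify, then parses it back. It shows why the warning about community strings matters: with v1 and v2c the community string is the only credential, and it sits in the packet as a plain OCTET STRING, so anyone who can observe or guess it can poll the same OIDs. The request ID and community values are constructed sample inputs.

```python
"""Build and decode an SNMPv2c GetRequest by hand to show how little protects a community string."""
from typing import List

# ASN.1 BER tags used by SNMP messages (RFC 1157 / RFC 3416).
TAG_INTEGER, TAG_OCTET_STRING, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
TAG_GET_REQUEST = 0xA0          # context-specific, constructed, PDU type 0
SNMP_V2C = 1                    # version field: 0 = v1, 1 = v2c, 3 = v3


def tlv(tag: int, value: bytes) -> bytes:
    """Tag-Length-Value with BER short (< 128) or long definite length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def ber_int(value: int) -> bytes:
    """Non-negative INTEGER; the width formula adds a leading 0x00 when the high bit would read as a sign."""
    if value < 0:
        raise ValueError("only non-negative integers are needed here")
    return tlv(TAG_INTEGER, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def ber_oid(oid: str) -> bytes:
    """OBJECT IDENTIFIER: first two sub-ids packed as 40*x+y, the rest base-128 with continuation bits."""
    parts = [int(p) for p in oid.split(".")]
    body = bytearray([40 * parts[0] + parts[1]])
    for sub in parts[2:]:
        chunk = [sub & 0x7F]
        sub >>= 7
        while sub:
            chunk.append((sub & 0x7F) | 0x80)
            sub >>= 7
        body.extend(reversed(chunk))
    return tlv(TAG_OID, bytes(body))


def build_get_request(community: str, oids: List[str], request_id: int = 1) -> bytes:
    """SNMPv2c Message ::= SEQUENCE { version, community OCTET STRING, GetRequest-PDU }."""
    varbinds = b"".join(tlv(TAG_SEQUENCE, ber_oid(o) + tlv(TAG_NULL, b"")) for o in oids)
    pdu = tlv(TAG_GET_REQUEST,
              ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(TAG_SEQUENCE, varbinds))
    return tlv(TAG_SEQUENCE, ber_int(SNMP_V2C) + tlv(TAG_OCTET_STRING, community.encode("ascii")) + pdu)


def read_tlv(data: bytes, offset: int = 0):
    """Return (tag, value, offset_after) for the TLV starting at offset."""
    tag, length = data[offset], data[offset + 1]
    offset += 2
    if length & 0x80:               # long form: low bits give the byte count of the length itself
        n = length & 0x7F
        length = int.from_bytes(data[offset:offset + n], "big")
        offset += n
    return tag, data[offset:offset + length], offset + length


def decode_oid(body: bytes) -> str:
    subids = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(value)
            value = 0
    return ".".join(map(str, subids))


def parse_snmp_message(packet: bytes) -> dict:
    """Pull version, community, PDU type, request-id and requested OIDs out of a v1/v2c message."""
    tag, body, _ = read_tlv(packet)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an SNMP message")
    _, version, off = read_tlv(body)
    _, community, off = read_tlv(body, off)
    pdu_tag, pdu, _ = read_tlv(body, off)
    _, req_id, p = read_tlv(pdu)
    _, _err_status, p = read_tlv(pdu, p)
    _, _err_index, p = read_tlv(pdu, p)
    _, varbinds, _ = read_tlv(pdu, p)
    oids, v = [], 0
    while v < len(varbinds):
        _, vb, v = read_tlv(varbinds, v)
        _, oid_bytes, _ = read_tlv(vb)
        oids.append(decode_oid(oid_bytes))
    return {
        "version": int.from_bytes(version, "big", signed=True),
        "community": community.decode("ascii", errors="replace"),
        "pdu_tag": pdu_tag,
        "request_id": int.from_bytes(req_id, "big", signed=True),
        "oids": oids,
    }


if __name__ == "__main__":
    # Constructed example: what a poller sends for sysDescr.0 with the default community "public".
    pkt = build_get_request("public", ["1.3.6.1.2.1.1.1.0"], request_id=42)
    print(pkt.hex())
    print(parse_snmp_message(pkt))   # the community string is right there, unencrypted
```

The parser is exactly what a passive observer on the management path needs to harvest community strings from polling traffic, and the builder is all a brute-force tool needs to try a wordlist against UDP 161; that is why the post's advice pairs strong strings with an ACL rather than relying on the string alone.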