This week Cisco announced an entirely new approach to delivering rich services to the Enterprise branch office with the introduction of the ISR 4000 Series. For those folks paying attention over the last year, this really was no shock. In fact, the ISR 4451, announced at Cisco Live 2013, is the first member of this new series, teasing the concepts and technologies represented today in an entire portfolio of platforms.
The ISR 4000 Series consists of 5 platforms that spread the architecture and technology introduced with the 4451 across a portfolio designed to meet the needs of most branch offices. With performance-on-demand, these 5 platforms hit 10 different performance levels, from 50Mbps to 2Gbps with services, giving IT departments the capability to pay for only the capacity they need with the option to increase performance with a simple license. The multi-core control/data/services plane CPUs with included virtualization through Service Containers, server replacement capabilities with the UCS E-Series and flat performance-curve with services are truly revolutionary in the industry, so how did we get here?
Tags: 2500 Series, 2600 Series, Cisco ISR 4451-x, CLI, Gas, interop, IOS, ISR, ISR G2, ISR4k, onePK, router, Service Containers, services, snmp
Simple Network Management Protocol (SNMP) has been widely deployed as an important network management tool for decades, is a key component of scalable network device management, and is configurable in nearly all network infrastructure devices sold today. As with any management protocol, if not configured securely, it can be leveraged as an opening for attackers to gain access to the network and begin reconnaissance of network infrastructure. In the worst case, if read-write community strings are weak or not properly protected, attackers could directly manipulate device configurations.
Cisco has recently seen a spike in brute-force attempts to access networking devices configured for SNMP using the standard ports (UDP ports 161 and 162). Attacks we’ve observed have been going after well-known SNMP community strings and are focused on network edge devices. We have been working with our Technical Assistance Center (TAC) to assist customers in mitigating any problems caused by the brute-force attempts.
While there’s nothing new about brute-force attacks against network devices, in light of these recent findings, customers may want to revisit their SNMP configurations and ensure they follow security best practices, including using strong passwords and community strings and using ACLs to restrict access to trusted network management endpoints.
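As an illustration of that review, here is an added example (not Cisco's code and not part of the original post) that audits IOS-style `snmp-server community` lines for well-known or short community strings, read-write access and missing ACLs. The list of well-known strings, the length threshold and the sample configuration are assumptions constructed for the example.

```python
# Added example: audit IOS-style "snmp-server community" lines.
WELL_KNOWN = {"public", "private", "cisco", "admin", "snmp"}  # assumed list
MIN_LENGTH = 8  # assumed threshold for a "strong" community string

# Constructed sample configuration (not taken from any real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
snmp-server community public RO
snmp-server community private RW 10
snmp-server community k7#Vq2_mZp9x RO SNMP-MGMT
snmp-server community Wn4!tR8sLq RW
access-list 10 permit 192.0.2.10
"""

def parse_community(line):
    """Parse 'snmp-server community <string> [view <name>] [ro|rw] [ipv6 <acl>] [<acl>]'."""
    tokens = line.split()
    if len(tokens) < 3 or tokens[:2] != ["snmp-server", "community"]:
        return None
    entry = {"community": tokens[2], "mode": "RO", "acls": []}  # RO when omitted
    rest, i = tokens[3:], 0
    while i < len(rest):
        word = rest[i].lower()
        if word in ("view", "ipv6") and i + 1 < len(rest):
            if word == "ipv6":
                entry["acls"].append(rest[i + 1])
            i += 2
        elif word in ("ro", "rw"):
            entry["mode"] = word.upper()
            i += 1
        else:  # anything else in this position is an ACL number or name
            entry["acls"].append(rest[i])
            i += 1
    return entry

def audit(config_text):
    """Return (community, issue) pairs for every risky community definition."""
    findings = []
    for line in config_text.splitlines():
        entry = parse_community(line.strip())
        if entry is None:
            continue
        name = entry["community"]
        if name.lower() in WELL_KNOWN:
            findings.append((name, "well-known community string"))
        elif len(name) < MIN_LENGTH:
            findings.append((name, "short community string"))
        if not entry["acls"]:
            findings.append((name, "no ACL restricting source addresses"))
        if entry["mode"] == "RW":
            findings.append((name, "read-write access"))
    return findings

if __name__ == "__main__":
    for community, issue in audit(SAMPLE_CONFIG):
        print(f"{community}: {issue}")
```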
Cisco has published a number of best practices documents for securing the management plane, including SNMP configuration:
Tags: ACL, best practices, brute force, security, snmp, TAC
Simple Network Management Protocol (SNMP) is part of the IETF’s Internet Protocol Suite, which consists of four abstraction layers and defines a set of protocols used on the Internet. SNMP is mainly used for management and monitoring of networked devices. It can report on the health of a network device or other aspects of its state (interfaces, IP addresses, traffic and more). SNMP is defined as part of IETF RFC 1157. To do its job, it relies on Management Information Bases (MIBs), which define the structure of the device information maintained. They represent a hierarchical namespace containing object identifiers (OIDs). Each OID identifies an object that holds the information of interest and can be polled or set via SNMP.
Tags: IPv6, IPv6-security, security, snmp