Writable SNMP
>
>
> > In lieu of a software upgrade, a workaround can be applied to certain IOS
> > releases by disabling the ILMI community or "*ilmi" view and applying an
> > access list to prevent unauthorized access to SNMP. Any affected system,
> > regardless of software release, may be protected by filtering SNMP traffic
> > at a network perimeter or on individual devices.
>
> right, but as I said above, the community-string restrictions don't
> help you in cases where you haven't filtered source-addresses in
> loopback/copp :( people still get to grind on your router's snmp
> process, maybe there's another way in, maybe there's a bug in the
> snmpd :(
>
Even if you filtered, you could still get spoofed traffic. What if some
employee wrote code to traceroute across your network and send spoofed
packets with or without a good string? Provided you aren't filtering SNMP
at your edge, which many don't, they could pretty easily melt your network
with a few boxes. This is true of the ever-present SNMP poll as well.
(conspiracy theory over)