SNMP Protocol Security Issues and Methods
(Page 2 of 3)
Unfortunately, the security incorporated
into SNMPv1 was extremely limited; it really took the form of only one
policy and one simple technology:
- Weak Objects: SNMP was created
with the mindset that the MIB objects used in the protocol would be
relatively weak. This means that the objects are designed so
that any problems in working with them result in minimal damage. The
policy of the designers of SNMP was that MIB objects that are normally
read should not contain critical information, and objects that are written
should not control critical functions.
So, a read-only MIB object containing a description of a machine is
fine, but one containing the administrative password is not.
Similarly, a read-write MIB object that controls when the computer next
reboots is acceptable, but one that tells the object to reformat its
hard disk is (definitely) not!
- Community Strings: All the devices in
an SNMP network managed by a particular set of network management stations
are considered to be in a community. Each SNMPv1 message
sent between members of the community is identified by a community
string that appears in a field in the message header. This string
is like a simple password; any messages received with the wrong string
will be rejected by the recipient.
These security features are better
than nothing, but not much. The use of weak objects is comparable to
a policy that says not to leave your car in front of the convenience
store with the doors unlocked and the key in the ignition; it is
basically saying "don't ask for trouble". This is wise, but
it's not a complete security solution. The community strings protect
against obvious tampering in the form of unauthorized messages. However,
the strings are sent in plain open text and can easily be discovered
and then used to compromise the community. So this is like
locking your doors when parking your car; it protects against the
casual thief but not a pro.
Of course, for some people, not leaving
their car running and locking the doors when they park are enough security,
and SNMPv1's security was also sufficient for some users of SNMP. But
in newer, larger internetworks, especially ones spanning large distances
or using public carriers, SNMPv1 wasn't up to the task. This is why
all that fun stuff occurred with SNMP version 2.
The TCP/IP Guide (http://www.TCPIPGuide.com)
Version 3.0 - Version Date: September 20, 2005
© Copyright 2001-2005 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.