MIDRANGE dot COM Mailing List Archive



Home » MIDRANGE-L » February 2013

Re: EOL/Obsolete Software SNMP Version Detected



fixed

Not to sidetrack the conversation, but Qualys is not from IBM:
http://www.google.com/finance?q=NASDAQ:QLYS. They do partner with IBM so
it's possible IBM is using them to scan your environment as part of a
delivered vulnerability management service.

The local technical account manager (sort of a post-sales engineer) is a
friend and fellow officer of the Chicago ISSA chapter.

On Mon, Feb 4, 2013 at 9:35 AM, <rob@xxxxxxxxx> wrote:

We are using Qualys from IBM to do internal, and external, security
detection on our equipment. Apparently it has an issue with the level of
SNMP (or perhaps my implementation of it) utilized by our IBM i at 7.1:

THREAT:
Simple Network Management Protocol (SNMP) is an "Interrnet-standard
protocol for managing devices on IP networks."
The authentication of clients of earlier versions of SNMP is performed
only by a "community string", in effect a type of password, which is
transmitted in cleartext.
The Internet Engineering Task Force (IETF) has designated SNMPv3 a
full Internet standard, the highest maturity level for an RFC. It
considers earlier versions to be obsolete designating them ("Historic").
IMPACT:
The system is at high risk of being exposed to security
vulnerabilities. Since the vendor no longer provides updates, obsolete
software is more vulnerable to viruses and other attacks.
SOLUTION:
Disable or remove SNMPv1/2c authentication. Use SNMP version 3
authentication

SNMPv3 provides additional security features:
Confidentiality - Encryption of packets to prevent snooping by an
unauthorized source.
Integrity - Message integrity to ensure that a packet has not been
tampered with in transit including an optional packet replay protection
mechanism.
Authentication - to verify that the message is from a valid source.

Workaround:

As a temporary measure, block access to SNMP services at the network
perimeter.

In situations where blocking or disabling SNMP is not
possible,restrict all SNMP access to separate, isolated management
networks that are not publicly accessible.


Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1
Group Dekko
Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.









Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2014 by MIDRANGE dot COM and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available here. If you have questions about this, please contact