Jim,

Good points, all.

The DPI interface is what IBM exposes on the iSeries for SNMP functions
(get, set, trap, etc.). The iSeries SNMP support is SNMPv2, but as I
understand it the SNMPv1 functions are supported in SNMPv2.

I'm glad IBM is taking a look at this. I'm not aware of that many IBM
shops using the DPI interfaces for SNMP, but a fair number start SNMP to
get the basic set of services.

Patrick

----- Original Message -----
From: "Jim Franz" <franz400@triad.rr.com>
To: <midrange-l@midrange.com>
Sent: Friday, February 15, 2002 7:57 PM
Subject: Re: SNMP concerns

> It was interesting to see on the Cert site this morning that "IBM" is
> listed as "Not Vulnerable" on Jan 4-2002 (inside it says "AIX" only)
> later in the list is "IBM z-Series" with status "unknown" on Jan 7-2002.
> No iSeries listed. p-Series is vulnerable because of Microsoft.
>
> 2nd point - I would not be comfortable with only the firewall protecting
> your network. A decent trojan planted anywhere in your network (from all
> your users that continue to open attachments!) could easily mount an
> attack from inside.
>
> 3rd point - on the iSeries we lived with a very outdated (and with CERT
> warning) DNS server while AIX enjoyed the latest (and more secure)
> version. I feel NO COMFORT that AIX snmp is ok and the iSeries
> is traditionally silent.
>
> <please correct me if wrong>
> 1. SNMP is not started automatically unless STRTCPSVR *ALL is run,
> or if the Change SNMP Attributes (CHGSNMPA) has autostart=*yes.
> To not autostart - run CHGSNMPA AUTOSTART(*NO)
>
> 2. Just scanned the Simple Network Management Protocol (SNMP) Support
> Version 4 book SC41-5412-00 (1997) on website. Not knowing much it seems
> like part of OS400 supports SNMPv1 and part is SNMPv2. But this statement
> bothers me, page 33 says "The DPI API for OS/400 is the 2.0 level of the
> protocol. This is designed to be highly compatible with SNMPv2 even if
> the SNMP Agent is SNMPv1."
> (again, this is the only book I could find and is from 1997)
>
> 3. The Tips and Tools for Securing Your iSeries has specific snmp tips.
> (see Info Center)
> secure port 161 (well known for snmp)
> set snmp server autostart to *no
> <clip>
> SNMP relies on a community name for access. Conceptually, the community
> name is similar to a password. The community name is not encrypted.
> Therefore, it is vulnerable to sniffing. Use the Add Community for SNMP
> (ADDCOMSNMP) command to set the manager internet address (INTNETADR)
> parameter to one or more specific IP addresses instead of *ANY. You can
> also set the OBJACC parameter of the ADDCOMSNMP or CHGCOMSNMP commands
> to *NONE to prevent the managers in a community from accessing any MIB
> objects. This is intended to just be done temporarily to deny access to
> managers in a community without removing the community.
> </clip>
>
> Does anyone know a source in IBM to clear this up?
> jim franz
>
> ----- Original Message -----
> From: "Patrick Townsend" <patownsend@patownsend.com>
> To: <midrange-l@midrange.com>
> Sent: Friday, February 15, 2002 7:41 PM
> Subject: Re: SNMP concerns
>
> > Fritz,
> >
> > Interesting. The CERT notice calls out two primary areas of
> > vulnerability. One in SNMP managers and one in SNMP agents. The AS/400
> > doesn't have a native manager, so that part doesn't apply to the
> > AS/400. But it certainly has an SNMP agent and sub-agent support.
> >
> > The denial of service is a well known type of attack. Good firewall
> > and router implementations will help prevent damage from outside
> > sources. Since SNMP is almost never run over the Internet, these ports
> > shouldn't be open anyway. I suspect the risk from an internal SNMP
> > denial of service attack is pretty small. But, as the alert points
> > out, there are steps you can take to minimize this type of attack.
> >
> > The vulnerabilities in SNMPv1 are another matter. I couldn't find any
> > place where IBM addresses the AS/400 (ahem, I mean iSeries). IBM
> > clearly states that AIX is not vulnerable. But no mention of iSeries.
> > I hope they will comment on this for the iSeries platform.
> >
> > Patrick
> >
> > ----- Original Message -----
> > From: "Fritz Hayes" <fhayes@spiritone.com>
> > To: <midrange-l@midrange.com>
> > Sent: Friday, February 15, 2002 2:33 PM
> > Subject: RE: SNMP concerns
> >
> > > The CERT Vulnerability Note VU#854306 indicated that the SNMP
> > > processing of GetRequest, SetRequest, GetNextRequest, GetResponse,
> > > and Trap has vulnerabilities.
> > > These weaknesses include "denial-of-service conditions, format string
> > > vulnerabilities, and buffer overflows." In addition, "some
> > > vulnerabilities do not require the request message to use the correct
> > > SNMP community string".
> > >
> > > Which means, the SNMP service can be used to compromise OS/400.
> > >
> > > IBM responded with: "Based upon the results of running the test suites
> > > we have determined that our version of SNMP shipped with AIX is NOT
> > > vulnerable."
> > >
> > > If Dr. Frank's hypothesis is right, IBM SNMP implementation is probably
> > > the same for AIX as it is for OS/400. Which makes my worries go away -
> > > - Right??????
> > >
> > > I know that SNMP is used regularly on internal networks. Some people
> > > are even using it to drive their AS/400 printers. A couple of customers
> > > want to remotely manage their equipment, using VPN connections on the
> > > Internet. SNMP could be the right tool, but only if internal hackers
> > > can be kept out! With the CERT notification, and in general, is a
> > > properly configured AS/400 susceptible to SNMP attacks?
> > >
> > > Best Regards
> > >
> > > Fritz Hayes
> > > Atwater Associates
> > > <snip>
> > >
> > > |
> > > |We run SNMP on the AS/400 and provide SNMP options in our
> > > |products. What concerns do you have?
> > > |
> > > <snip>
> > > |>
> > > |> So, who out there is running and using SNMP on their AS/400, iSeries
> > > |> box?
> > > |>
> > > |> A second question, who is using the SNMP protocol over the Internet?
> >
> _______________________________________________
> This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
> To post a message email: MIDRANGE-L@midrange.com
> To subscribe, unsubscribe, or change list options,
> visit: http://lists.midrange.com/cgi-bin/listinfo/midrange-l
> or email: MIDRANGE-L-request@midrange.com
> Before posting, please take a moment to review the archives
> at http://archive.midrange.com/midrange-l.
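
An added example, not part of the thread or of any IBM code: a bounds-checked Python parser for the SNMPv1/v2c message header, showing that the community name quoted above as "not encrypted" is readable from any captured datagram, and that a datagram whose declared lengths do not match its data is rejected instead of parsed. The function names, the manager allow-list (modelled on the INTNETADR restriction) and the documentation-range addresses are assumptions; the datagram is constructed.

```python
class MalformedSNMP(ValueError): pass      # datagram is not well-formed BER/SNMP

# PDU tags for the five SNMPv1 operations named in the CERT note.
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}

def read_tlv(buf, pos):
    """Read one definite-length BER TLV; every length is checked against the buffer."""
    if pos + 2 > len(buf):
        raise MalformedSNMP("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits give the byte count
        n = length & 0x7F
        if not 1 <= n <= 2 or pos + n > len(buf):
            raise MalformedSNMP("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise MalformedSNMP("declared length exceeds data")
    return tag, buf[pos:pos + length], pos + length

def parse_header(datagram):
    """Return (version, community, pdu_name) from an SNMPv1/v2c datagram."""
    tag, body, end = read_tlv(datagram, 0)
    if tag != 0x30 or end != len(datagram):
        raise MalformedSNMP("outer SEQUENCE missing or trailing bytes")
    tag, version, pos = read_tlv(body, 0)
    if tag != 0x02 or len(version) != 1:
        raise MalformedSNMP("bad version field")
    tag, community, pos = read_tlv(body, pos)
    if tag != 0x04:
        raise MalformedSNMP("community is not an OCTET STRING")
    tag, _pdu, pos = read_tlv(body, pos)
    if tag not in PDU_NAMES or pos != len(body):
        raise MalformedSNMP("unknown PDU type or trailing bytes")
    return version[0], community.decode("latin-1"), PDU_NAMES[tag]

def review(datagram, source_ip, managers):
    """Hypothetical policy check: classify a captured datagram against an allow-list."""
    try:
        _, community, pdu = parse_header(datagram)
    except MalformedSNMP as exc:
        return f"DROP malformed from {source_ip}: {exc}"
    verdict = "ok" if source_ip in managers else "ALERT unlisted manager"
    return f"{verdict}: {pdu} from {source_ip}, community '{community}' readable on the wire"

# Constructed sample: SNMPv1 GetRequest for sysDescr.0, community "public".
SAMPLE = bytes.fromhex("302602010004067075626c6963a019020101020100020100"
                       "300e300c06082b060102010101000500")
```

Calling `review(SAMPLE, "198.51.100.7", {"192.0.2.10"})` flags the sender as an unlisted manager and prints the community name it recovered without any key.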
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].