


Jim,

Good points, all. The DPI interface is what IBM exposes on the iSeries for
SNMP functions (get, set, trap, etc.). The iSeries SNMP support is SNMPv2,
but as I understand it the SNMPv1 functions are supported in SNMPv2. I'm
glad IBM is taking a look at this. I'm not aware of that many IBM shops
using the DPI interfaces for SNMP, but a fair number start SNMP to get the
basic set of services.

Patrick
----- Original Message -----
From: "Jim Franz" <franz400@triad.rr.com>
To: <midrange-l@midrange.com>
Sent: Friday, February 15, 2002 7:57 PM
Subject: Re: SNMP concerns


> It was interesting to see on the Cert site this morning that "IBM" is listed as
> "Not Vulnerable" on Jan 4-2002 (inside it says "AIX" only)
> later in the list is "IBM z-Series" with status "unknown" on Jan 7-2002.
> No iSeries listed. p-Series is vulnerable because of Microsoft.
>
> 2nd point - I would not be comfortable with only the firewall protecting your
> network. A decent trojan planted anywhere in your network (from all your
> users that continue to open attachments!) could easily mount an attack
> from inside.
>
> 3rd point - on the iSeries we lived with a very outdated (and with CERT
> warning) DNS server while AIX enjoyed the latest (and more secure)
> version. I feel NO COMFORT that AIX snmp is ok and the iSeries
> is traditionally silent.
>
> <please correct me if wrong>
> 1. SNMP is not started automatically unless STRTCPSVR *ALL is run,
> or if the Change SNMP Attributes (CHGSNMPA) has autostart=*yes.
> To not autostart - run CHGSNMPA AUTOSTART(*NO)
>
> 2. Just scanned the Simple Network Management Protocol (SNMP) Support
> Version 4 book SC41-5412-00 (1997) on website. Not knowing much it seems like
> part of OS400 supports SNMPv1 and part is SNMPv2. But this statement
> bothers me, page 33 says "The DPI API for OS/400 is the 2.0 level of the
> protocol.
> This is designed to be highly compatible with SNMPv2 even if the SNMP Agent
> is SNMPv1." (again, this is the only book I could find and is from 1997)
>
> 3. The Tips and Tools for Securing Your iSeries has specific snmp tips.
> (see Info Center)
> secure port 161 (well known for snmp)
> set snmp server autostart to *no
> <clip>
> SNMP relies on a community name for access. Conceptually, the community name
> is similar to a password. The community name is not encrypted. Therefore, it
> is vulnerable to sniffing. Use the Add Community for SNMP (ADDCOMSNMP)
> command to set the manager internet address (INTNETADR) parameter to one or
> more specific IP addresses instead of *ANY. You can also set the OBJACC
> parameter of the ADDCOMSNMP or CHGCOMSNMP commands to *NONE to prevent the
> managers in a community from accessing any MIB objects. This is intended to
> just be done temporarily to deny access to managers in a community without
> removing the community. </clip>
>
> Does anyone know a source in IBM to clear this up?
> jim franz
>
>
>
> ----- Original Message -----
> From: "Patrick Townsend" <patownsend@patownsend.com>
> To: <midrange-l@midrange.com>
> Sent: Friday, February 15, 2002 7:41 PM
> Subject: Re: SNMP concerns
>
>
> > Fritz,
> >
> > Interesting. The CERT notice calls out two primary areas of vulnerability.
> > One in SNMP managers and one in SNMP agents. The AS/400 doesn't have a
> > native manager, so that part doesn't apply to the AS/400. But it certainly
> > has an SNMP agent and sub-agent support.
> >
> > The denial of service is a well known type of attack. Good firewall and
> > router implementations will help prevent damage from outside sources. Since
> > SNMP is almost never run over the Internet, these ports shouldn't be open
> > anyway. I suspect the risk from an internal SNMP denial of service attack is
> > pretty small. But, as the alert points out, there are steps you can take to
> > minimize this type of attack.
> >
> > The vulnerabilities in SNMPv1 are another matter. I couldn't find any place
> > where IBM addresses the AS/400 (ahem, I mean iSeries). IBM clearly states
> > that AIX is not vulnerable. But no mention of iSeries. I hope they will
> > comment on this for the iSeries platform.
> >
> > Patrick
> > ----- Original Message -----
> > From: "Fritz Hayes" <fhayes@spiritone.com>
> > To: <midrange-l@midrange.com>
> > Sent: Friday, February 15, 2002 2:33 PM
> > Subject: RE: SNMP concerns
> >
> >
> > > The CERT Vulnerability Note VU#854306 indicated that the SNMP processing of
> > > GetRequest, SetRequest, GetNextRequest, GetResponse, and Trap has
> > > vulnerabilities.
> > > These weaknesses include "denial-of-service conditions, format string
> > > vulnerabilities, and buffer overflows."  In addition, "some
> > > vulnerabilities do not require the request message to use the correct
> > > SNMP community string".
> > >
> > > Which means, the SNMP service can be used to compromise OS/400.
> > >
> > > IBM responded with:  "Based upon the results of running the test suites
> > > we have determined that our version of SNMP shipped with AIX is NOT
> > > vulnerable."
> > >
> > > If Dr. Frank's hypothesis is right, IBM SNMP implementation is probably
> > > the same for AIX as it is for OS/400.  Which makes my worries go away --
> > > Right??????
> > >
> > > I know that SNMP is used regularly on internal networks.  Some people
> > > are even using it to drive their AS/400 printers.  A couple of customers
> > > want to remotely manage their equipment, using VPN connections on the
> > > Internet.  SNMP could be the right tool, but only if internal hackers
> > > can be kept out!  With the CERT notification,  and in general, is a
> > > properly configured AS/400 susceptible to SNMP attacks?
> > >
> > > Best Regards
> > >
> > > Fritz Hayes
> > > Atwater Associates
> > > <snip>
> > >
> > > |
> > > |We run SNMP on the AS/400 and provide SNMP options in our
> > > |products. What concerns do you have?
> > > |
> > > <snip>
> > > |>
> > > |> So, who out there is running and using SNMP on their AS/400, iSeries
> > > |> box?
> > > |>
> > > |> A second question, who is using the SNMP protocol over the Internet?
>
>
>
> _______________________________________________
> This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
> To post a message email: MIDRANGE-L@midrange.com
> To subscribe, unsubscribe, or change list options,
> visit: http://lists.midrange.com/cgi-bin/listinfo/midrange-l
> or email: MIDRANGE-L-request@midrange.com
> Before posting, please take a moment to review the archives
> at http://archive.midrange.com/midrange-l.
>
>


