|
We are using Qualys from IBM to do internal, and external, security
detection on our equipment. Apparently it has an issue with the level of
SNMP (or perhaps my implementation of it) utilized by our IBM i at 7.1:
THREAT:
Simple Network Management Protocol (SNMP) is an "Interrnet-standard
protocol for managing devices on IP networks."
The authentication of clients of earlier versions of SNMP is performed
only by a "community string", in effect a type of password, which is
transmitted in cleartext.
The Internet Engineering Task Force (IETF) has designated SNMPv3 a
full Internet standard, the highest maturity level for an RFC. It
considers earlier versions to be obsolete designating them ("Historic").
IMPACT:
The system is at high risk of being exposed to security
vulnerabilities. Since the vendor no longer provides updates, obsolete
software is more vulnerable to viruses and other attacks.
SOLUTION:
Disable or remove SNMPv1/2c authentication. Use SNMP version 3
authentication
SNMPv3 provides additional security features:
Confidentiality - Encryption of packets to prevent snooping by an
unauthorized source.
Integrity - Message integrity to ensure that a packet has not been
tampered with in transit including an optional packet replay protection
mechanism.
Authentication - to verify that the message is from a valid source.
Workaround:
As a temporary measure, block access to SNMP services at the network
perimeter.
In situations where blocking or disabling SNMP is not
possible,restrict all SNMP access to separate, isolated management
networks that are not publicly accessible.
Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1
Group Dekko
Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.