From Network World's Network/Systems Management Newsletter:
Security products over the past decade have considerably hardened networks and systems exposed to public or other high- or elevated-risk environments. Firewalls have effectively limited connectivity to specific services and protocols, while systems exposed in elevated-risk zones have been streamlined down to their essentials, with discovery and remediation of vulnerabilities and exposures in such environments aggressively maintained on an ongoing basis. Security has been addressed in virtually every aspect of the elevated-risk environment. Every aspect, that is, except in some management protocols themselves.
Standard network management tools such as SNMP - the Simple (!) Network Management Protocol - enjoy wide penetration in trusted networks, for the flexibility and efficiency they provide for communicating a broad range of monitoring, event, and control information. Yet – like so much of IT – early implementations of SNMP addressed security almost as an afterthought, if at all. Versions 1 and 2 of SNMP, for example, natively employed only the most rudimentary form of group authentication: community strings, and those were not even encrypted. This renders SNMP v1 and v2 all but moot in elevated-risk network environments such as the DMZ, where the discovery of these early versions of the protocol could be readily exploited by attackers not only to effectively build a map of a potential target network, but to infiltrate and disrupt networks behind the firewall.
Despite such shortcomings, SNMP v1 and v2 continue to be widely employed, not only because their flexibility is highly valuable but also because, in many cases, a widespread upgrade of SNMP to a more secure implementation of v3 is simply unrealistic, given the expense and potential impact of an upgrade on the cost of entrenched but often incompatible management systems. This means that many enterprises limit their use of SNMP, and thereby its effectiveness, to networks assumed to be trustworthy (although that assumption may be flawed, as we'll discuss shortly).
In other words:
- SNMP may not be used at all in elevated-risk networks such as the DMZ, which means that managing exposed network points may be reduced to more rudimentary or less cost-effective techniques.
- Where network management protocols such as SNMP are considered valuable – or vital – in elevated-risk environments, an upgrade to SNMP v3 is often weighed and, just as often, rejected because of the impact of an upgrade or the outright incompatibility of existing management systems that would be far too expensive or risky to overhaul.
- As a compromise, some enterprises go to some lengths to secure management protocols, putting together complex combinations of communications security such as tunneling or secure remote access in order to enable the use of tools such as SNMP. This, however, does nothing to mitigate the potential exposure of inadequately secure versions of SNMP, or to promote the deployment of more secure versions when management incompatibilities make an upgrade unattainable.
Why is this issue significant? For one thing, SNMP is arguably the most commonly used network management protocol, yet its security issues make it a challenge to use in elevated-risk environments, if at all. This limits the use and effectiveness of efficient tools such as SNMP in such environments, forcing enterprises to adopt alternatives they wouldn't otherwise use in lower-risk environments.
Of increasing significance is the fact that assumptions of trust within the internal network are undergoing a serious revision, as insider risks become more evident. Without a more secure approach to managing the protocols and tools that manage the network – including the “trusted,” internal network – enterprises may be exposing themselves to more risk than they realize.
With these facts in mind, I’d like to ask our readers two questions: If you could use network management protocols with higher confidence in less trustworthy environments, would you? Would tools such as SNMP make the administration of, for example, today’s increasingly complex enterprise DMZ environment more manageable if they could be used in a more trustworthy way? Would you use SNMP v3 in such environments if it didn't mean forcing an upgrade of the rest of your management regime?
How concerned are you about the risks insiders within the trusted network pose to the use of management protocols with known security issues such as SNMP v1 and v2? Are these issues making you weigh an upgrade to v3 more than before? Would you use v3 where you could, provided a solution that enabled the use of v3 in certain environments wouldn't force you to upgrade other aspects of your network?