Securing SNMP on Solaris
Reg Quinton
Solaris 8 (also known as Sun OS 5.8) is often configured with a large suite
of network services, including several daemons for the Simple Network Management
Protocol (SNMP) and related services, especially the Desktop Management Interface
(DMI). If you are concerned with the security of your system, you should consider
eliminating or hardening each service offered (see the recommendations of the CERT
Coordination Center). The default SNMP configuration, while perhaps reasonably secure, can
be made substantially more secure with a little effort. If you require SNMP
services (e.g., to monitor a server in case of failover), you should configure
them more tightly. Recommendations are provided in the sidebar
"What Have We Sacrificed".
I believe the observations made here apply equally to Solaris 7 and Solaris 2.6 (the two previous
releases of Solaris) but have not confirmed that on both platforms.
The Problem
We have a Solaris 8 system (call it wally) that was configured with default
SNMP services as provided by the vendor. Our operations staff monitor the status
of the system using InterMapper, and we wanted to restrict the SNMP service
on our Solaris 8 system to just that one station (call the monitor ratbert);
see the InterMapper sidebar.
Our basic problem is to configure wally to only answer SNMP questions from ratbert.
Why would we even consider this problem -- the ratbert system is busy monitoring wally, what's
the big deal? Some things to consider:
1. Given that you've done nothing special to allow ratbert to monitor wally, what's to prevent others
from doing the same thing? Hackers use SNMP to profile a system before launching an attack.