On Fri, 19 Oct 2001 peff-loganalat_private wrote: > On Fri, 19 Oct 2001, Matthew G. Marsh wrote: > > > structure methodology. To that end I am also a big promoter/user of SNMP. > > We make extensive use of SNMPv3 in many of our managed security > > structures. This is the framework behind the following technique: > > I haven't used SNMP in years...what defenses does v3 provide against > spoofing? Assuming that strong cryptographic authentication could be > used, then this sounds like a great idea for doing central system > management. Authentication via SHA or MD5 plus a separate DES encrypt of the data packet using a (optional) different passphrase. Essentially: SNMPv1 - clear text community SNMPv2 - ability to lock down somewhat to users/groups but still clear text SNMPv3 - User/Group lockdown of v2 PLUS: - MD5/SHA hash of user authority passphrase - DES encrypt of data + optional different passphrase - INFORM trap - which is a trap that must be replied to before the client gives up sending. - TCP capabilities I actually use NET-SNMP for all my research and usage as that gives me several additional security measures. Such as: - Daemon process on "client" (managed station) only needs the SHA & DES passphrases specified ONCE on initial configuration startup. It then remembers these values in a hash that is tied to the machine it was generated on. This is true of both snmpd and snmptrapd - this is very cool as someone cannot use a violated client machine to crack your servers or other clients. - TCP_WRAPPERS support for selective reception - TCP connections and INFORM trapping provides additional reliability standard disclaim + -> http://www.net-snmp.org > I suppose you could also just do cryptographic signing at the layer > above SNMP. I assume you're also working on some sort of timeout at the > central server...that is, if you don't receive a hash in N seconds, an > alarm is tripped. Correct - timeout is standard network management procedure. Usually manager stations in SNMP have both regular interval checking (polling) of clients and reception capability for traps. The check I use are part of the standard polling structure. And I actually do much deeper structures on the checks with some randomness thrown in to reduce the average window. > > You have to crack one of these systems within 5 minutes in such a manner > > as to change the OOB logging, AND disable the SNMP trapping mechanism, AND > > disable the host IDS mechanism, AND finally make sure that you send back > > appropriately spoofed hashes. > > This would be a perfect scenario for a ``hacking'' scene from a > Hollywood film. :) Yes - I think with the appropriate skill set and a very well informed attacker it would be feasable - but then technically speaking anything is feasable in the security world. The hard part is getting across the concept of acceptable risk. ;-} > > Nothing is perfect but experience teaches that several short barbed wire > > fences separated by moats is much much better than one large fence... > > Agreed. > > -Jeff > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: loganalysis-unsubscribeat_private > For additional commands, e-mail: loganalysis-helpat_private > -------------------------------------------------- Matthew G. Marsh, President Paktronix Systems LLC 1506 North 59th Street Omaha NE 68104 Phone: (402) 932-7250 x101 Email: mgmat_private WWW: http://www.paktronix.com -------------------------------------------------- --------------------------------------------------------------------- To unsubscribe, e-mail: loganalysis-unsubscribeat_private For additional commands, e-mail: loganalysis-helpat_private
This archive was generated by hypermail 2b30 : Sat Oct 20 2001 - 09:29:13 PDT