You may not have encountered any such problems with your SNMP agents, but your network may still be compromised. The developers of Hewlett-Packard OpenView, Computer Associates Unicenter and Tivoli NetView took the time to code around incorrectly implemented SNMP agents. Therefore, if you're using one of these network-management applications, an SNMP agent may work well with it yet still be vulnerable or incorrectly implemented.
|
Good News
Complete vulnerability tests for SNMPv1, v2 and v3.
Mature test methodology, even though the product is version 1.0.
Provides test reports your vendors can't ignore.
Easy to install and use.
|
'Lite' Version, Heavy Reporting
Boreal is a "lite" version of InterWorking Labs' SilverCreek SNMP development suite, which has thousands of comprehensive test cases. Still, Boreal is thorough: It contains about 200 SNMPv1 and v2 tests and 200,000 test cases for each of those versions. It also has about 200 SNMPv3 tests and a little more than 350,000 v3 test cases. The Boreal suite of tests delves deeper than other SNMP scanners--Boreal also tests SNMP compliance.
Each test focuses on a particular problem and the test cases are variations on a theme. You can change values incrementally for each test. For example, when a test sets an invalid value and gets the expected results--a rejection of that test--the value set in the test is changed to fully exercise the boundary logic in the SNMP agent.
Setting up a test was simple. I entered an IP address, port numbers and basic retry values. Boreal provided the usual three retries and five-second time-outs but also allowed for linear and exponential retry formulas. This sounds like overkill for most situations, but it's supported by evidence of the maturity of the underlying test engine from which Boreal is derived. The defaults will work in most cases, but you can work around site-specific implementations.
Take a Lunch Break
The testing is slow. This isn't a knock on Boreal--it's simply an indication of the product's completeness. I selected the default set of SNMPv1 tests--slightly more than 100 tests. I tested a handful of devices, including a Cisco Systems 2900 switch and 7200 router, a NexLan router and Microsoft Windows NT and 2000 servers. With about 200,000 test cases set to run, I went to get coffee, but I could have gotten lunch--it took more than an hour to run the complete set of SNMPv1 tests. Still, I was given enough control in the application that I could select particular tests to stop or skip. In every case, Boreal found problems with the SNMP agents.
One type of test sets a very long community string in an attempt to overflow a buffer. Boreal annotated the expected outcome--overflow--as the SNMP agent discarding the request, and it continued to process the SNMP request. Each test explains what is being tested and outlines the expected results. If a test fails, a window details what failed and shows a comparison of the expected output with the actual output. In some instances--with the Cisco, Windows SNMP and NT agents, for example--the agent continued to function. But other times--with the NexLan router, for one--the SNMP agent and the router both failed. Boreal summarized the results of the tests in a main test setup and status window and created specific reports for each test. The small, text-based reports can be e-mailed to vendors easily.
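The agent-side behavior these tests look for, as an added example that is not from the article or from InterWorking Labs: a C parser that discards a request whose community string is over-long or runs past the packet, plus a loop that steps the length across the boundary the way the incremental test cases do. The 32-byte limit, the function names and the constructed header-only packets are assumptions for illustration.

```c
#include <stdint.h>
#include <string.h>

#define MAX_COMMUNITY 32  /* assumed agent limit; not a value from the article */

/* Read one BER tag+length header. Returns bytes consumed, 0 if malformed. */
static size_t ber_header(const uint8_t *p, size_t avail, uint8_t tag, size_t *len) {
    if (avail < 2 || p[0] != tag) return 0;
    if (p[1] < 0x80) { *len = p[1]; return 2; }      /* short form */
    size_t n = p[1] & 0x7f;                          /* long form: n length octets */
    if (n == 0 || n > 2 || avail < 2 + n) return 0;
    *len = (n == 2) ? ((size_t)p[2] << 8) | p[3] : p[2];
    return 2 + n;
}

/* Extract the community string; 0 on success, -1 if the request must be discarded. */
int snmp_get_community(const uint8_t *msg, size_t msg_len, char out[MAX_COMMUNITY + 1]) {
    size_t len, h, off;
    if (!(h = ber_header(msg, msg_len, 0x30, &len)) || len > msg_len - h) return -1;
    off = h;                                         /* now inside the SEQUENCE */
    if (!(h = ber_header(msg + off, msg_len - off, 0x02, &len)) || len > msg_len - off - h)
        return -1;
    off += h + len;                                  /* skip the version INTEGER */
    if (!(h = ber_header(msg + off, msg_len - off, 0x04, &len)) || len > msg_len - off - h)
        return -1;                                   /* declared length runs past packet */
    if (len > MAX_COMMUNITY) return -1;              /* over-long: discard, do not copy */
    memcpy(out, msg + off + h, len);
    out[len] = '\0';
    return 0;
}

/* Constructed test input: header-only message whose community is clen 'A' bytes. */
size_t build_msg(uint8_t *buf, size_t clen) {
    size_t body = 3 + 4 + clen;                      /* version TLV + community TLV */
    uint8_t hdr[11] = { 0x30, 0x82, (uint8_t)(body >> 8), (uint8_t)body, 0x02, 0x01,
                        0x00, 0x04, 0x82, (uint8_t)(clen >> 8), (uint8_t)clen };
    memcpy(buf, hdr, sizeof hdr);
    memset(buf + sizeof hdr, 'A', clen);
    return sizeof hdr + clen;
}

/* Step the community length across [lo, hi]; returns how many requests were accepted. */
int sweep_accepts(size_t lo, size_t hi) {
    uint8_t pkt[600]; char comm[MAX_COMMUNITY + 1]; int ok = 0;
    for (size_t n = lo; n <= hi && n <= sizeof pkt - 11; n++)
        ok += snmp_get_community(pkt, build_msg(pkt, n), comm) == 0;
    return ok;
}
```

Every length up to the limit is accepted and every length past it is rejected before any copy takes place, which is the "discard and keep running" outcome the test reports as a pass.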
|
Vendor Information
Boreal for Network Administrators, $1,295. InterWorking Labs, (800) 459-9817, (831) 430-3610; fax (831) 430-9144.
www.iwl.com
|
Once, when starting a new test after successfully completing a set of tests, I ran into a TCL error. In addition to the usual OK and skip options, I was allowed to see the TCL stack, making it easy for me to provide feedback to InterWorking Labs on the specific problem.
Because Boreal often crashed the SNMP agents of the devices under test, retesting called for restarting those agents. InterWorking Labs could address this issue by adding a basic MIB browser to check on specific agents before beginning tests. Given that Boreal can cause instability in poorly implemented devices under test, it's wise to schedule some downtime before conducting tests on production devices.
Boreal runs on Sun Solaris 2.6 or later, Red Hat Linux 6.2 or later and Microsoft Windows 9x or later. The hardware needs 20 MB of disk space, 32 MB of RAM and an Ethernet card. I ran it without any problems over both wired and wireless connections.
In light of the CERT advisory, SNMP monitoring should be on your agenda. Given the experience and focus of InterWorking Labs with SNMP and its weaknesses, it's very doubtful that any security vendor will have the chops to provide a better assessment of network SNMP vulnerabilities.
Bruce Boardman is executive editor of Network Computing. He has 12 years' experience managing networks and distributed computing for a financial service provider. Send your comments on this article to him at bboardman@nwc.com.