The past several weeks have brought a lot of press talk about the Great SNMP Crisis.
Suddenly, because a group of researchers in Finland reported that SNMP has weaknesses (duhhh…) we hear the mainstream press saying that the Internet is on borrowed time. That may be, but it’s not because of some new (old) vulnerabilities in the protocol that “manages the Internet.”
While it is true that there is (and always has been) a set of weaknesses stemming from the use of ASN.1 (the formal method that defines how SNMP behaves, independent of the programming language in which the implementation is written), that doesn’t necessarily mean that we should all shut down our computers and seek a different way to do business.
In fairness, there is a problem and only a numbskull would ignore it completely. First, the technical issues are fairly broad. It is a fact that no SNMP implementation tested by the research group survived the testing. For the most part it was denial-of-service that killed the fatted router (or switch, or whatever). That’s a bad thing for certain, and no mistaking. However, that problem is manageable.
The key is to install vendor patches as fast as you can verify them in your environment, turn off what you don’t need and review your security architecture. If you depend on a single point of protection (“we don’t have security worries – we have a firewall”) you’re in deep trouble already – a vulnerability such as this one just makes it worse. Your security architecture should be a consummate exercise in defense in depth. If a device protecting you fails, what then? If you yawn and tell me that the next level of defense will hold until you fix the first one, you’re on the right track and the great SNMP crisis won’t hurt you (much).
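The ASN.1 weakness the column refers to is, in practice, a decoding problem: SNMP messages are serialized with BER (Basic Encoding Rules), where every field carries its own length octets, and a decoder that trusts those lengths will read past the end of a short or deliberately malformed packet, which is the denial-of-service outcome described above. The decoder below is an added illustration, not code from the column or from any vendor's SNMP stack; it handles only the tag-length-value layer, and the sample messages are constructed for the example (the version and community-string prefix of an SNMPv1 message, with no PDU). The point it makes is the one a defender wants from a patch: every declared length is checked against the bytes actually present before anything is read.

```python
"""Defensive BER (ASN.1 Basic Encoding Rules) TLV decoder.

Added example, not part of the original column. SNMP messages are encoded
with BER; the classic decoder failure is trusting the length octets, which
lets a short or malformed packet drive the parser past the end of its buffer.
Every length here is checked against the bytes actually present.
"""


class BerError(ValueError):
    """Raised for any malformed encoding instead of crashing or over-reading."""


def decode_length(buf, pos):
    """Return (length, next_pos) for the length octets starting at buf[pos].

    Short form: one octet < 0x80. Long form: 0x80 | n, followed by n octets
    big-endian. 0x80 alone (indefinite length) is not allowed in SNMP.
    """
    if pos >= len(buf):
        raise BerError("truncated: no length octet")
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    n = first & 0x7F
    if n == 0:
        raise BerError("indefinite length not permitted")
    if n > 4:
        raise BerError("length field too wide")
    if pos + n > len(buf):
        raise BerError("truncated: length octets missing")
    length = int.from_bytes(buf[pos:pos + n], "big")
    return length, pos + n


def decode_tlv(buf, pos=0):
    """Decode one TLV at buf[pos]; return (tag, value_bytes, next_pos)."""
    if pos >= len(buf):
        raise BerError("truncated: no tag octet")
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise BerError("multi-byte tags not used in SNMP")
    length, pos = decode_length(buf, pos + 1)
    end = pos + length
    if end > len(buf):  # the bounds check a trusting decoder lacks
        raise BerError(f"declared length {length} exceeds {len(buf) - pos} available bytes")
    return tag, buf[pos:end], end


def decode_sequence(buf):
    """Decode a top-level SEQUENCE (tag 0x30) into its list of child (tag, value) pairs."""
    tag, body, end = decode_tlv(buf, 0)
    if tag != 0x30:
        raise BerError("expected SEQUENCE")
    if end != len(buf):
        raise BerError("trailing bytes after message")
    children = []
    pos = 0
    while pos < len(body):
        ctag, cval, pos = decode_tlv(body, pos)
        children.append((ctag, cval))
    return children


def is_well_formed(buf):
    """True if the buffer decodes cleanly; False for any malformation."""
    try:
        decode_sequence(buf)
        return True
    except BerError:
        return False


# Constructed sample: SEQUENCE { INTEGER 0, OCTET STRING "public" }
GOOD = bytes.fromhex("300b" "020100" "04067075626c6963")
# Constructed malformed sample: the OCTET STRING claims 0x40 bytes but only 6 follow
BAD_LENGTH = bytes.fromhex("300b" "020100" "04407075626c6963")
# Constructed malformed sample: long-form length whose length octets are cut off
TRUNCATED = bytes.fromhex("3082")

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD_LENGTH", BAD_LENGTH), ("TRUNCATED", TRUNCATED)):
        print(name, "well-formed" if is_well_formed(sample) else "rejected")
```

Running the block reports the first sample as well-formed and the other two as rejected. The same shape of check applies to every layer of an SNMP decoder (PDU, variable bindings, OIDs), which is why a single unchecked length anywhere in the stack was enough to take a device down in the testing the column describes.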
However, there is a much more important debate that needs public airing: how much disclosure of vulnerabilities is a good thing? This one has been going on in the back rooms and bars of security conferences since there were such things and I don’t think we’re any closer now to an answer than we were at the dawn of time.
The research team practiced what they call “constructive disclosure.” This means that they didn’t tell you which devices they tested and what the results were, they just gave you the tool and said “test your own.” Six million wannabe computer hackers jumped for joy on that one, went to the site, downloaded the tools and got to work. Unfortunately, like the five-year-old who is suddenly in the seat of a fighter aircraft and doesn’t know what to do (“gee, this looks just like my video game”), these script kiddies pull the trigger with no concept of what’s really happening. That could get really messy. Wasn’t there a better way to get this into the right hands without throwing it into the vast unwashed public hands without comment?
It is not likely that this set of tools, in whoever’s hands, will kill the Internet. It might wound it, but the Internet is built in such a way that even an attack on all the major backbones would result in the attacker painting him or herself into a corner without access to complete the job. Spot attacks against individual sites are more likely and corporate entities would be well advised to shore up their defenses and weather this storm as they have since the Internet opened for business.
Peter Stephenson is the director of technology services for QinetiQ Trusted Information Management, Inc. He may be reached at email@example.com.