Please Whitelist This Site?

I know everyone hates ads. But please understand that I am providing premium content for free that takes hundreds of hours of time to research and write. I don't want to go to a pay-only model like some sites, but when more and more people block ads, I end up working for free. And I have a family to support, just like you. :)

If you like The TCP/IP Guide, please consider the download version. It's priced very economically and you can read all of it in a convenient format without ads.

If you want to use this site for free, I'd be grateful if you could add the site to the whitelist for Adblock. To do so, just open the Adblock menu and select "Disable on tcpipguide.com". Or go to the Tools menu and select "Adblock Plus Preferences...". Then click "Add Filter..." at the bottom, and add this string: "@@||tcpipguide.com^$document". Then just click OK.

Thanks for your understanding!

Sincerely, Charles Kozierok
Author and Publisher, The TCP/IP Guide


NOTE: Using software to mass-download the site degrades the server and is prohibited.
If you want to read The TCP/IP Guide offline, please consider licensing it. Thank you.

The Book is Here... and Now On Sale!

Searchable, convenient, complete TCP/IP information.
The TCP/IP Guide

Custom Search







Table Of Contents  The TCP/IP Guide
 9  TCP/IP Application Layer Protocols, Services and Applications (OSI Layers 5, 6 and 7)
      9  TCP/IP Network Configuration and Management Protocols (BOOTP, DHCP, SNMP and RMON)
           9  TCP/IP Network Management Framework and Protocols (SNMP and RMON)
                9  TCP/IP Simple Network Management Protocol (SNMP) Protocol
                     9  SNMP Protocol Operations

Previous Topic/Section
SNMP Protocol Information Notification Using Trap(v2) and InformRequest Messages
Previous Page
Pages in Current Topic/Section
1
2
3
Next Page
 SNMP Protocol Messaging and Message Formats
Next Topic/Section

SNMP Protocol Security Issues and Methods
(Page 2 of 3)

SNMPv1 Security

Unfortunately, the security incorporated into SNMPv1 was extremely limited; it really took the form of only one policy and one simple technology:

  • “Weak Objects”: SNMP was created with the mindset that the MIB objects used in the protocol would be relatively weak. This means that the objects are designed so that any problems in working with them result in minimal damage. The policy of the designers of SNMP was that MIB objects that are normally read should not contain critical information, and objects that are written should not control critical functions.

    So, a read-only MIB object containing a description of a machine is fine, but one containing the administrative password is not. Similarly, a read-write MIB object that controls when the computer next reboots is acceptable, but one that tells the object to reformat its hard disk is (definitely) not!

  • Community Strings: All the devices in an SNMP network managed by a particular set of network management stations are considered to be in a “community”. Each SNMPv1 message sent between members of the community is identified by a community string that appears in a field in the message header. This string is like a simple password; any messages received with the wrong string will be rejected by the recipient.

These security features are better than nothing, but not much. The use of weak objects is comparable to a policy that says not to leave your car in front of the convenience store with the doors unlocked and the key in the ignition—it is basically saying “don't ask for trouble”. This is wise, but it’s not a complete security solution. The community strings protect against obvious tampering in the form of unauthorized messages. However, the strings are sent in plain open text and can easily be discovered and then used to compromise the “community”. So this is like locking your doors when parking your car—it protects against the casual thief but not a pro.

Of course, for some people, not leaving their car running and locking the doors when they park are enough security, and SNMPv1's security was also sufficient for some users of SNMP. But in newer, larger internetworks, especially ones spanning large distances or using public carriers, SNMPv1 wasn't up to the task. This is why all that fun stuff occurred with SNMP version 2.


Previous Topic/Section
SNMP Protocol Information Notification Using Trap(v2) and InformRequest Messages
Previous Page
Pages in Current Topic/Section
1
2
3
Next Page
 SNMP Protocol Messaging and Message Formats
Next Topic/Section

If you find The TCP/IP Guide useful, please consider making a small Paypal donation to help the site, using one of the buttons below. You can also donate a custom amount using the far right button (not less than $1 please, or PayPal gets most/all of your money!) In lieu of a larger donation, you may wish to consider purchasing a download license of The TCP/IP Guide. Thanks for your support!
Donate $2
Donate $5
Donate $10
Donate $20
Donate $30
Donate: $


Home - Table Of Contents - Contact Us

The TCP/IP Guide (http://www.TCPIPGuide.com)
Version 3.0 - Version Date: September 20, 2005

© Copyright 2001-2005 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.