Insecure SNMP v1 and 2c

mansonli
Posts: 60
Joined: Wed Aug 05, 2020 1:54 am

Insecure SNMP v1 and 2c

Post by mansonli »

As SNMP v1 and 2c are identified by the vulnerability security scanner used by our company as vulnerable, is it possible to disable/remove their components after upgrading to XI 5.7.3? Assume that hosts under monitoring can use v3. Please specify the location of the components if this is possible. If it is not possible, is there any remediation that can be applied to address it?
dchurch
Posts: 858
Joined: Wed Oct 07, 2020 12:46 pm
Location: Yo mama

Re: Insecure SNMP v1 and 2c

Post by dchurch »

Unfortunately there doesn't seem to be a way to force Nagios to speak ONLY SNMP v3. And, since it's the same port for v1, v2, and v3, it's not simple to block packets at a router or firewall level.

If you have more information about what the security scanner found, I'd be happy to help you secure your network.

For instance, if the security scanner tried to send an SNMP v1 packet to the XI server, and it "ate" it instead of rejecting it, that might have counted as a security hole in the scanner's opinion (it's not really a security hole). Or, if the scanner was doing active packet sniffing and detected an SNMPv1 transmission, that might be something to look out for and fix.

Another workaround: If the servers you're monitoring are all "smart" hosts like Linux servers or Windows workstation computers, you can go the route of installing NCPA on them which does everything over HTTP or HTTPS. Then when your entire network is SNMP-free, you can just configure your firewall to block ports 161 and 162. Goodbye SNMP!
If you didn't get an 8% raise over the course of the pandemic, you took a pay cut.

Discussion of wages is protected speech under the National Labor Relations Act, and no employer can tell you you can't disclose your pay with your fellow employees.
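The "detected an SNMPv1 transmission" angle in the reply above, as an added example that is not from this thread or from Nagios: a small Python classifier that reads the version field from the BER header of SNMP UDP payloads and flags sources still sending v1/v2c to ports 161/162. The sample packets are constructed here (a minimal GetRequest for sysDescr.0 with community "public", and the v3 header with only msgGlobalData).

```python
"""Classify SNMP UDP payloads by protocol version and flag legacy v1/v2c senders."""
from typing import Optional

# SNMP message = SEQUENCE { version INTEGER, ... }; version 0 = v1, 1 = v2c, 3 = v3.
SNMP_VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for one BER TLV with a definite length."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def snmp_version(packet: bytes) -> Optional[str]:
    """Return 'v1', 'v2c' or 'v3' if the payload parses as an SNMP message, else None."""
    try:
        tag, body, _ = _read_tlv(packet, 0)
        if tag != 0x30:  # outer SEQUENCE
            return None
        vtag, vval, _ = _read_tlv(body, 0)
        if vtag != 0x02 or not vval:  # first element must be the INTEGER version
            return None
        return SNMP_VERSIONS.get(int.from_bytes(vval, "big", signed=True))
    except IndexError:  # truncated or non-BER payload
        return None


def flag_legacy_snmp(flows):
    """flows: (src_ip, dst_port, payload). Returns [(src_ip, version)] for v1/v2c to 161/162."""
    return [(src, ver) for src, dport, payload in flows
            if dport in (161, 162) and (ver := snmp_version(payload)) in ("v1", "v2c")]


# Constructed samples: v1 and v2c GetRequest for sysDescr.0, community "public"; v3 header only.
SAMPLE_V1 = bytes.fromhex("3026020100" "04067075626c6963" "a019020101020100020100"
                          "300e300c06082b0601020101010005 00".replace(" ", ""))
SAMPLE_V2C = bytes([SAMPLE_V1[0], SAMPLE_V1[1], 0x02, 0x01, 0x01]) + SAMPLE_V1[5:]
SAMPLE_V3 = bytes.fromhex("3012020103300d020101020205dc040104020103")
SAMPLE_FLOWS = [("10.0.0.5", 161, SAMPLE_V1), ("10.0.0.7", 161, SAMPLE_V2C),
                ("10.0.0.9", 161, SAMPLE_V3), ("10.0.0.11", 80, b"GET / HTTP/1.1\r\n")]

if __name__ == "__main__":
    for src, ver in flag_legacy_snmp(SAMPLE_FLOWS):
        print(f"{src} still sends SNMP {ver}")
```

In practice the payloads come from a capture or a flow export on the monitoring segment; the version check is the same.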
mansonli
Posts: 60
Joined: Wed Aug 05, 2020 1:54 am

Re: Insecure SNMP v1 and 2c

Post by mansonli »

The scanner is Qualys. It detects that SNMP v1 and 2c are used to monitor a WAF appliance (Imperva).
dchurch
Posts: 858
Joined: Wed Oct 07, 2020 12:46 pm
Location: Yo mama

Re: Insecure SNMP v1 and 2c

Post by dchurch »

Sounds like one of two things is happening:
  • Your WAF is somehow using (or attempting to use) SNMP v1 or v2 to communicate with Nagios -- in which case you should try to reconfigure to bump it to v3
  • Qualys is detecting a false-positive in that SNMPv3 is being used, but SNMP v1 or v2 is being detected -- in which case it's a bug in the Qualys scanner
We'd need to know exactly what's showing as vulnerable to diagnose further.
mansonli
Posts: 60
Joined: Wed Aug 05, 2020 1:54 am

Re: Insecure SNMP v1 and 2c

Post by mansonli »

The WAF currently only supports v2; v3 will be supported in the next firmware upgrade. Thus v3 can only be configured after the upgrade is completed.
dchurch
Posts: 858
Joined: Wed Oct 07, 2020 12:46 pm
Location: Yo mama

Re: Insecure SNMP v1 and 2c

Post by dchurch »

So the security scanner detected your WAF was using SNMP v2 and it turns out it was. So not a false-positive there.

If you have your heart set on passing the security scan, just temporarily disable SNMP on the WAF until you can upgrade the firmware.

Unless you have any further questions, I'll mark this as resolved.