SNMP problem with passport 8600

[guygt]

Hi all,
I have a bit of a problem which I don't know how to solve.
I have changed the rwa and the ro string.
When our security department made a penetration test, they discovered this fact: when they try to communicate with SNMP, from allowed networks (which are on the access-policy list), with default community --> public, private;
They CAN communicate with the passport and get the full Monty (sys, ifindex and that kind of stuff!!!)
How do I get rid of the default communities?


You have to dream of being a Pro before you become one !

 

[InDenial]

A passport has several community strings..

ro
rw
rwa
layer2
layer3
I believe there are six.. but I can not remember the last one.

you have to set community strings for all of them.. I think the layer2 also has public as community string.. hence... they could query the information you posted.

InDenial

 

[netmanrick]

You have a gaping security hole in your core device.
Create your own community string(s) and get rid of public/private!

Rick Harris
SC Dept of Motor Vehicles
Network Operations

 

[Googer]

InDenial, I have not heard of ro, rw, rwa or layer community strings. I know these are logins but I have not heard they are community strings. Can you please provide more info on how to see these community strings?

As far as the read/write community strings go. I only have to change them on my switch and it works the new and not the old. I do have to change them on both switch fabrics however. Did you make the change to both switch fabrics? Are you able to login with DM using the public/private community strings? Are you able to log in using the new community strings?

Googer

 

[InDenial]

I am not sure wich software version you are using and the exct number does not matter much, but in the past community settings were visible doing a show config. Newer software versions don't show the snmp community strings when doing a show config. From memory I think a show snmp info will bring up the snmp info.

From the manual:

Configuring and managing security

Setting the SNMP community strings
SNMP community strings are required for access to the switch using Device
Manager or other SNMP-based management software.
To set SNMP community strings, use the following command:
config sys set snmp community <ro|rw|l2|l3|rwa> <commstr>
where:
ro|rw|l2|l3|rwa is the choice of community. ro is read-only, rw is read/
write, l2 is layer 2 read/write, l3 is layer 3 (and layer 2) read/write, and rwa is
read/write/all.
commstr is the input community string up to 1024 characters.

And about the two switch fabrics. Although you are saving the config and the bootconfig to the standby switchfabric, those configurations won't be active untill the active card resets and the stadby becomes active.
In the situation where there is no impact switching the fabrics I would switch the fabrics twice (also to check if the standby card works like it should)
In the situation where there IS impact you can do a peer telnet and set the security information directly on the standby fabric.

InDenial

 

[guygt]

10X all,
InDenial, it was the layer2, layer3 problem, as you said.


You have to dream of being a Pro before you become one !

 

[iamsantino]

FYI,

we had this problem as well, it turned out that our Passport had a layer1 user, whose default string was private. It took a while to find out, because the config file only showed

sys set snmp community ro ****
sys set snmp community l2 ****
sys set snmp community l3 ****
sys set snmp community rw ****
sys set snmp community rwa ****

The l1 only came up with a show sys community command.