| About InfoWorld : Advertise : Subscribe : Contact Us : Awards : Events : Store |
 |
||||
|
||||
 |
||||
 |
|
|||
 |
||||
|
|
|
||
|
|||||||||||||||||||||||||||||||||||||||||
 COLUMN
Faulty foundation THE FOUNDATION of a house is important; I know this as well as anyone in earthquake country. One of my neighbors is replacing his foundation without moving the residents of the house. When you think about it, this is relatively easy: Jack up the building, lay the rebar, pour the concrete, lower the house, bolt the beams to the new foundation, and it's done. There might be a brief disruption of power or water, but for the most part it's pretty simple.
The problem is not that ASN.1 is broken, but when it's implemented without proper care, malformed ASN.1 data structures can tank software that makes use of it, such as Kerberos, LDAP, and X.509, as well as SNMP. Although researchers at the University of Oulu in Finland are playing their cards close to the chest about what else might actually be flawed besides LDAP and SNMP, we fear there's an awful lot out there. Since the February CERT advisory, a number of vendors have released fixes for their SNMP-enabled devices, but my guess is that most shops haven't even started to upgrade or replace their equipment. Of course, a very simple task to limit vulnerability is to verify that you're blocking SNMP at the perimeter and disabling it on any system that doesn't absolutely need it. We hope that, eventually, SNMP Version 3 is approved, if only because at least it pays lip service to security. The current Version 1 standard (Version 2 never made it out of draft status) is notorious for relying on the incredibly weak concept of the "community string," which in most cases is left at the all-too-well-known default of "public." Unfortunately, Version 3 may be prey to the same malformed data vulnerability found in LDAP and SNMP Version 1, and that's not good at all. This is why I started this column thinking about foundations. Just as my neighbor's building used to be, SNMP's foundation is resting on sand. If you live in earthquake country, you know the danger of unreinforced masonry -- brick, for example. Unfortunately, we're finding out that most of the Internet is of similarly sketchy construction. Although I haven't heard of any major efforts to attack vulnerable systems using the SNMP holes -- or anything else using ASN.1 -- that doesn't mean it won't ever happen. This only underscores the importance of getting things right from the start. If that means holding SNMP Version 3 until it's been thoroughly vetted for ASN.1 problems, so much the better. P.J. Connolly (pj_connolly@infoworld.com) covers collaboration and security for the InfoWorld Test Center.  RELATED SUBJECTS  SecurityNetworkingMORE > SPONSORED WHITE PAPERS 
SPONSORED LINKS
|
|||||||||||||||||||||||||||||||||||||||||
|
||||||||||
|
||||||||||
