
Friday, November 6, 2015

Back to SNMP and other things

I used to hate SNMP.  I’m not sure I still don’t.  It’s been annoying to set up.  I’m still fighting with SNMPWALK on SNMPv3 and getting data from a Cisco router and switch. Eh well. I’ll get into that at some other point.  


I have to admit Cacti was better than I thought it could be.  I followed the right instructions and have started doing some SNMP polling and producing some decently relevant graphs on information someone in IT would think could be important.  Luckily, I happened to set it up on a site that had Internet issues later that day.  It worked out great because I ended up diagnosing the issue while trying to connect to my Cacti web page.  Turns out there was interference on the network in the area and the site was dropping about 18% of packets.  Which explains why they were having network connection issues.

The other thing I keep looking at and thinking about is network security.  Which seems to be something everyone says they need, but no one does anything about.  I pissed off a networking vendor because I told the person I wanted three single purpose servers instead of one multipurpose server.  Everything I've ever read on servers says one purpose per server.  Don't end up with a multipurpose server.

Eventually, the server needs to be replaced.  And then you have numerous tools that need to be replaced or fixed in order to solve all the problems you solved with that server.  I mean sure, the RADIUS / print / file server / new thing part two server is great.  But wouldn't it be simpler to have a RADIUS server that does nothing but RADIUS authentication?  Or a print server that does nothing but handle printing?  And then, when you need to upgrade that server you take down one function.  Instead of the 25 different things running on one server.

I guess the second part of that conversation is "don't turn on any service that you don't need" on a server.  Great.  That's a lot simpler with a single purpose server.  The print server doesn't need to do anything but print.  The file server needs fat bandwidth to reach it, and that's about it.  Virtualize it all.  It's not like you need a physical server for all that.  

But what do I know?  

Tuesday, January 20, 2015

Network Baselines

Like I said, I’ve been working on network baseline analysis.  The first problem is that I don’t have a baseline to begin with, nor do I have any way to examine the current baseline of the network.  So, I’m at a loss as to where to start.

I read one book where a basic baseline can be created by pinging all available hosts.  It’s not the greatest baseline, but it is the beginning, and it’s better than nothing.  What I’ve got is nothing.  So what I did was write a batch file using a FOR loop to ping all devices and print the output to a file.  After that, I ran an arp -a and appended that to the end of the file.

So it’s not the greatest baseline.  But it does give me an idea of what standard network performance should be, at least as far as PING goes.  I guess the next part is trying to dump the information into a webpage or a database so the information can be examined later and compared to what it has been at various points. 
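The comparison step described above, as an added example that is not part of the original post: it parses the saved `ping` and `arp -a` output into per-host records and reports what changed between two runs. The sample text, addresses and function names are constructed for illustration, and the patterns assume English-language Windows output.

```python
import re

# Constructed sample of the batch file's output: one ping run, then arp -a.
BASELINE = """\
Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 3ms, Average = 2ms
Interface: 192.168.1.50 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.20          00-aa-bb-cc-dd-01     dynamic
"""
# Constructed later run: loss on .1, a different MAC on .20, an unknown host .99.
LATER = (BASELINE.replace("Received = 4, Lost = 0 (0% loss)", "Received = 3, Lost = 1 (25% loss)")
         .replace("00-aa-bb-cc-dd-01", "00-aa-bb-cc-dd-02")
         + "  192.168.1.99          00-de-ad-00-00-99     dynamic\n")
FIELDS = ("loss", "avg_ms", "mac")
ARP_ROW = re.compile(r"\s*([\d.]+)\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+\w+", re.I)

def parse(text):
    """Return {ip: {"loss": percent, "avg_ms": ms, "mac": str}} from the saved file."""
    hosts, cur = {}, None
    for line in text.splitlines():
        if m := re.match(r"Ping statistics for ([\d.]+):", line):
            cur = hosts.setdefault(m[1], dict.fromkeys(FIELDS))
        elif cur and (m := re.search(r"\((\d+)% loss\)", line)):
            cur["loss"] = int(m[1])
        elif cur and (m := re.search(r"Average = (\d+)ms", line)):
            cur["avg_ms"] = int(m[1])
        elif m := ARP_ROW.match(line):
            hosts.setdefault(m[1], dict.fromkeys(FIELDS))["mac"] = m[2].lower()
    return hosts

def compare(old, new):
    """List differences between two parsed runs that deserve a closer look."""
    out = []
    for ip, now in sorted(new.items()):
        was = old.get(ip)
        if was is None:
            out.append(f"{ip}: not in baseline")
            continue
        if was["mac"] and now["mac"] and was["mac"] != now["mac"]:
            out.append(f"{ip}: MAC changed {was['mac']} -> {now['mac']}")
        if (now["loss"] or 0) > (was["loss"] or 0):
            out.append(f"{ip}: loss {was['loss']}% -> {now['loss']}%")
    return out + [f"{ip}: missing from new run" for ip in sorted(old.keys() - new.keys())]

if __name__ == "__main__":
    print("\n".join(compare(parse(BASELINE), parse(LATER))))
```

A changed MAC address for a known IP, or a host that was never in the baseline, is worth checking by hand before it is accepted into the next baseline.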

I guess I should probably add the ITILv3 documentation to my reading list.  The only problem is I’m not sure the ITIL documentation actually provides information on how to baseline a network.  I understand the basics and the conceptual theory.  It’s a matter of going out and doing the work.  And sorry, SNMP is not the way to baseline.  Everyone has it turned off due to the insecurities in the system.

Just a quick look at Cisco, and the only encrypted version they have only supports DES.  So the options are to send the data as plaintext, or to send it encrypted with an algorithm that has already been replaced due to inherent weakness.  15 years ago, DES was cracked in 22 hours.  15 years ago, I was happy with a 400 MHz processor running 128 Mb of RAM.

In comparison, I’m writing this on a laptop with an Intel Core i5 running at 2.5 GHz with 4 GB of RAM.  Shot in the dark, but I think a couple of these suckers could crack DES in a day.  And if someone breaches your network and doesn’t get caught, then what is a day?  What is 10 days? 


Wednesday, December 3, 2014

More things I should probably know: SNMPv1/2 and SNMPv3

In the category of more things I should know (AKA I hate printers).  

Printers are often built off Simple Network Management Protocol (SNMP).  SNMP could have been a great thing.  It allowed a lot of different things to be done remotely, and was great for the system administrator miles away from the site.

Then people realized that SNMP version 1 and 2 have no real way to be secured.  None.  There is no way to create secure SNMPv1/2.  So the only thing to do is turn it off on the printer.  After you turn off SNMP v1/2 on the printer, your printer goes offline and now you can't print.

The Windows troubleshooter tells you the printer is powered off.  You moan.  You groan.  You Google things.

Anyways, the answer is in turning off SNMP on the device.   Note this problem only applies to network printers.  USB printers don't have this issue because they have a direct connection.

In Windows 7, navigate to devices and printers.
Right click the offending printer.
Printer properties.
Ports tab
Find the check marked tab, and hit configure port.


See that lovely SNMP Status Enabled check mark?   Get rid of it.  

Hit OK until you are out of all the messages, and magically your offending printer spits out 85 sheets of paper because someone hit print 30 times, thinking they hadn't hit the button.

Now that you've solved the Windows problem, it's back to the printer.

So, the printer companies occasionally make software to check on their printers and get meter readings.  Larger companies lease printers and charge monthly and for printing more than an allocated amount.  Or they charge by the page.  For those companies to make and collect their money, they have a tendency to use SNMP to get readings from each printer.  Compare the beginning reading to the ending reading, and you have pages used.

Simple.

But SNMP v1/2 aren't secure, so you have to find out how to turn on SNMPv3 on the printer.  That's usually a matter of finding some sort of web interface and then setting up the read and read/write strings.  That usually varies by printer manufacturer.

So what about Windows?  Windows doesn't support SNMPv3, and Microsoft is removing SNMP support in future versions of Windows.  If you really like SNMPv3 and can't live without it, you have to find your own SNMP tool.

I find SNMP interesting, but the inability to secure it properly and the need to get 3rd party support to get it working properly tells me the easiest thing to do is turn it off and get rid of it.

FYI, SNMPv1/2 vulnerabilities are considered bad ones and will cause a failure in internal PCI compliance scans.