Firewalls and SNMP

Firewall Builder has extensive Simple Network Management Protocol (SNMP) functionality. SNMP provides an easy means of polling SNMP-enabled network devices and hosts for configuration information, and even for pushing new configuration instructions back to them (though Firewall Builder only polls).

Personally, though, I've never been comfortable using SNMP in security contexts. SNMP transactions are authenticated by community strings, which are in effect passwords, and these are transmitted in clear text—no encryption whatsoever. It's therefore trivially easy to sniff SNMP community strings off shared network media, such as standard (nonswitched) Ethernet and cable-modem segments. Even over switched Ethernet, sniffing is sometimes possible.
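To make the point concrete, here is an added example (not from the article or from Firewall Builder) that decodes the outer header of a captured SNMP datagram: for SNMPv1/v2c the community string comes straight out of the packet bytes, which is what an auditor would scan UDP/161 traffic for to find default or cleartext community strings. The sample datagram is constructed inline; SNMPv3 messages, which carry no community string, are recognized and reported as such.

```python
# Added example: decode the outer header of a captured SNMP datagram to show
# that v1/v2c carry the community string in cleartext, and flag defaults.
from typing import Optional, Tuple

SNMP_VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}
DEFAULT_COMMUNITIES = {"public", "private"}   # vendor defaults worth flagging

def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one BER TLV at pos; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length

def parse_snmp_header(payload: bytes) -> Tuple[str, Optional[str], Optional[int]]:
    """Return (version, community, pdu_tag); community is None for SNMPv3."""
    tag, msg, _ = read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    tag, ver, pos = read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("version INTEGER missing")
    version = SNMP_VERSIONS.get(int.from_bytes(ver, "big"), "unknown")
    tag, second, pos = read_tlv(msg, pos)
    if tag != 0x04:                        # v3: msgGlobalData SEQUENCE, no community
        return version, None, None
    pdu_tag = read_tlv(msg, pos)[0] if pos < len(msg) else None   # 0xA0 = GetRequest
    return version, second.decode("latin-1"), pdu_tag

def audit_payload(payload: bytes) -> str:
    """One-line finding for one captured SNMP datagram."""
    version, community, _ = parse_snmp_header(payload)
    if community is None:
        return f"SNMP{version}: no cleartext community string"
    if community in DEFAULT_COMMUNITIES:
        return f"SNMP{version}: DEFAULT community {community!r} in cleartext"
    return f"SNMP{version}: community {community!r} in cleartext"

# Constructed sample: SNMPv2c GetRequest for sysDescr.0 with community "public".
SAMPLE_V2C = bytes.fromhex(
    "3026" "020101" "0406" "7075626c6963" "a019" "020101" "020100" "020100"
    "300e" "300c" "0608" "2b06010201010100" "0500")
```

Feed `audit_payload` the UDP payload of each port-161 datagram from a capture and any line reporting a DEFAULT community is a device whose community string should be changed before anything else.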

SNMP, therefore, is a risky way to view or change the configuration of devices over non-trusted networks; it's not a stellar way of doing it over semi-trusted networks either. Remember, most network security incidents are perpetrated by insiders.

Furthermore, the UC-Davis SNMP package included with most Linux distributions has a history of security vulnerabilities. Under no circumstances should you run this or any other SNMP dæmon on any bastion host or firewall system. The fact that Firewall Builder requires the SNMP libraries doesn't change this; as I stated earlier in the article, you should avoid running Firewall Builder on firewalls and bastion hosts too.

Whether and how you leverage Firewall Builder's SNMP functionality is up to you. But you won't find out how from this article.