Nexus SNMP ACL Leaves Port 161 Open

jradke
Level 1

I need to make sure that our Nexus switches are hardened on the Internet, and I'm really bothered that the ACL for SNMP works but leaves the port open. The ACL works in that if I attempt this from a host not allowed in the ACL, the Nexus will not accept the credentials and resets the connection. However, having the port open is an exploitable condition on any system. Because the Nexus is listening on this port, disregarding the ACL in this fashion, it could be exploited by overwhelming the system with too many connection attempts. There are two ways to see that the port is open and the system is responding to the socket:

1. Nmap shows that it is open, which means botnets scanning the Internet will find this port open when it shouldn't be.

2. If I telnet to any of the public interface IPs on port 161, I get a prompt. If I sniff the TCP/telnet session, I get a SYN, SYN/ACK, ACK from the Nexus, proving the port is open and responding to an invalid host attempting to reach the Nexus on the SNMP port.

What I'd expect is that an SNMP TCP SYN is received on any public interface and the Nexus should not respond if it is not a valid IP source in the ACL. Instead, the Nexus is entertaining the prospect of the TCP conversation on the SNMP port by responding on the port.

How can I fix this problem to adequately harden this system from SNMP request attempts?

 

Setup:

Nexus 9318 running 9.2.1

Simple config:

snmp-server community password1111 group network-operator
snmp-server community password1111 use-ipv4acl SNMP

IP access list SNMP
10 permit udp 10.x.x.0/24 any eq snmp log
20 permit udp 10.y.x.0/24 any eq snmp log
30 deny ip any any log

3 Replies

balaji.bandi
Hall of Fame

An ACL should be able to fix this issue, but the Nexus has an out-of-band management interface; this is meant for management purposes, and these interfaces are not intended to be exposed to the public Internet-facing side.

BB

So the solution is to place an additional ACL to block SNMP on each port exposed to the Internet to make the SNMP ACL work properly? That isn't sound engineering, and I hope that's not Cisco's answer.
FYI: I use the OOBM interface for management, syslog, NTP, and SNMP. Unfortunately, Cisco does not export NetFlow out the OOBM interface, and my NetFlow analyzer expects to gather SNMP data from the IP that it is receiving NetFlow from. Regardless, SNMP is still running on the box and not exclusively on the OOBM interface, and the ACL should NOT ALLOW connections rather than shut them down AFTER they have connected.

Sluchik
Level 1

I had the same issue.

To solve the problem, I used the Cisco Bug instructions: CSCuz15392.

- show sockets connection tcp | i 161

- no snmp-server protocol enable

- show sockets connection tcp | i 161
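As an added illustration (not code from the thread or from Cisco), the following Python parses the SNMP ACL from the original post and evaluates it against constructed flows, using first-match semantics and the implicit deny that ends every NX-OS ACL. The post masks the management prefixes as 10.x.x.0/24 and 10.y.x.0/24, so documentation-range prefixes stand in for them, and the switch and client addresses are likewise constructed. The point it makes is that the ACL permits UDP/161 only, from the two management subnets, and that no ACE permits TCP from any source: a `use-ipv4acl` community ACL is consulted when the community is checked, after the TCP connection has already been accepted (which is why the poster sees the handshake complete and then a reset), so dropping the TCP transport with `no snmp-server protocol enable`, as in the reply above, removes nothing the ACL would ever have allowed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# The SNMP ACL posted in the thread. The post masks the source prefixes as
# 10.x.x.0/24 and 10.y.x.0/24; documentation-range prefixes stand in for them
# here (constructed placeholders, not the poster's real subnets).
NEXUS_SNMP_ACL = """
IP access list SNMP
10 permit udp 192.0.2.0/24 any eq snmp log
20 permit udp 198.51.100.0/24 any eq snmp log
30 deny ip any any log
"""

# Port keywords NX-OS accepts in an ACE; only the two SNMP names are needed here.
NAMED_PORTS = {"snmp": 161, "snmptrap": 162}


@dataclass
class Ace:
    seq: int
    action: str                               # "permit" or "deny"
    proto: str                                # "ip", "udp" or "tcp"
    src: Optional[ipaddress.IPv4Network]      # None means "any"
    dst: Optional[ipaddress.IPv4Network]      # None means "any"
    dst_port: Optional[int]                   # None means "any port"


def _parse_addr(token: str) -> Optional[ipaddress.IPv4Network]:
    """'any' -> None, otherwise a prefix such as 192.0.2.0/24."""
    return None if token == "any" else ipaddress.ip_network(token, strict=False)


def parse_acl(text: str) -> List[Ace]:
    """Parse the subset of NX-OS ACL syntax used in the post:
    <seq> permit|deny <proto> <src|any> <dst|any> [eq <port>] [log]."""
    aces = []
    for line in text.strip().splitlines():
        toks = line.split()
        if not toks or not toks[0].isdigit():
            continue                          # skip the "IP access list SNMP" header
        seq, action, proto = int(toks[0]), toks[1], toks[2]
        src, dst = _parse_addr(toks[3]), _parse_addr(toks[4])
        dst_port = None
        if len(toks) > 6 and toks[5] == "eq":
            dst_port = NAMED_PORTS.get(toks[6]) or int(toks[6])
        aces.append(Ace(seq, action, proto, src, dst, dst_port))
    return aces


def evaluate(aces: List[Ace], proto: str, src_ip: str, dst_ip: str,
             dst_port: int) -> Tuple[str, Optional[int]]:
    """First-match evaluation in sequence order, ending with the implicit deny
    every NX-OS ACL has. Returns (action, matching sequence number or None)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in sorted(aces, key=lambda a: a.seq):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if ace.src is not None and src not in ace.src:
            continue
        if ace.dst is not None and dst not in ace.dst:
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action, ace.seq
    return "deny", None                       # implicit deny


def permitted_protocols(aces: List[Ace]) -> Set[str]:
    """Transports covered by at least one permit ACE. If "tcp" is absent, the
    SNMP-over-TCP listener cannot serve any client the ACL would allow."""
    out = set()
    for ace in aces:
        if ace.action == "permit":
            out.update({"udp", "tcp"} if ace.proto == "ip" else {ace.proto})
    return out


if __name__ == "__main__":
    acl = parse_acl(NEXUS_SNMP_ACL)
    switch = "203.0.113.1"                    # constructed public interface address
    # Constructed flows: a permitted UDP manager, a non-permitted UDP source,
    # and a permitted manager that tries SNMP over TCP.
    flows = [("udp", "192.0.2.10"), ("udp", "203.0.113.50"), ("tcp", "192.0.2.10")]
    for proto, src in flows:
        action, seq = evaluate(acl, proto, src, switch, 161)
        print(f"{proto}/161 from {src:<14} -> {action} (seq {seq})")
    print("transports with a permit ACE:", permitted_protocols(acl))
```

Running it shows the two management subnets permitted on UDP/161 and everything else, including TCP/161 from a permitted manager, falling through to sequence 30. The evaluator models only the ACL's own logic; where NX-OS applies that ACL (on the socket or on community authentication) is the behaviour the thread is about, and the `show sockets connection tcp | i 161` check above is the way to confirm the listener is gone after the change.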
