Config Management Tools = Huge Gaping Security Hole?

redwarrior Member Posts: 285
I've been playing with some configuration management tools like Kiwi CatTools and Solarwinds Cirrus. I'm incredibly impressed with how powerful these tools are and how handy they can make managing multiple devices and backing up configs. However, one thing that makes me a little nervous is that these tools all tend to store the SNMP community string, usernames, and passwords and then allow a user to issue commands to multiple devices without having to log in to any device. While that's handy from an administration standpoint, it makes me cringe a bit from a security standpoint.

Does anyone use these tools at work and have some best practices they'd like to share as far as how to mitigate the risks associated with them? I was also wondering about SNMP in general as far as best practices if you are using a centralized server or system to collect SNMP data for logging and alerts.

Thank you in advance!

CCNP Progress
BSCI - In Progress <-- My Cisco Blog

  • mikej412 Member Posts: 10,086
    Those are tools that make a CCNP's life easier -- not the CCSP responsible for securing the network infrastructure.

    Ensure physical security on the equipment. Restrict in-band management to IPSec VPNs and specific management networks. Use SNMPv3 where possible and limit any "must have" tools to specific management workstations. Require individual management user authentication and log all management access. Fire network management personnel for violating any security policy.
    Cisco Certifications -- Collect the Entire Set!
  • pr3d4t0r Member Posts: 173
    And use Domain Controllers to enforce security policies to your workstations. :P
  • Ahriakin SupremeNetworkOverlord Member Posts: 1,799
    If you do use applications that store credentials locally, make sure the workstation/server they are on is extremely secure. Definitely use a good HIPS/firewall/AV setup, ensure the local and domain accounts are using very strong passwords, and if it's a mobile device or if you can't absolutely ensure physical security, full-disk encrypt it (Truecrypt 5.0a is a great/free encryption system). If the end devices can terminate IPSec tunnels, use them (it's easy enough to set up IPSec policies on your client to respond to requests for IPSec on head-end devices), and use the most secure versions of the management protocols the applications are using (i.e. use SSH instead of telnet, HTTPS instead of HTTP, SNMPv3, etc.).
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
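The device-side controls mikej412 lists (SNMPv3, management restricted to specific hosts, per-user authentication, logging of all management access) and the protocol choices in Ahriakin's post (SSH instead of telnet, SNMPv3) as one added example that is not from the thread or from either poster: a constructed weak IOS-style config next to a hardened one, plus a small Python audit that flags the weak settings so the check can be run against exported backups from a tool like CatTools. Hostnames, addresses, ACL names, user names and secrets are placeholders; the audit is a line-based heuristic, not a full IOS config parser.

```python
"""Audit an IOS-style running-config for the management-plane weaknesses the
thread is about: v1/v2c community strings, telnet and shared passwords on the
vty lines, vty lines reachable from any source, no per-user AAA, no accounting
and no syslog.  Both configs are constructed examples (placeholder hosts,
addresses, ACL names, users and secrets), not real devices."""
import re

# Constructed "before" config: v2c communities, telnet, shared line password,
# no ACL, no AAA, no logging.  Exactly what a config tool with stored
# credentials will happily drive.
WEAK_CONFIG = """\
hostname core-rtr
snmp-server community public RO
snmp-server community private RW
snmp-server host 10.0.0.5 public
line vty 0 4
 password cisco
 login
 transport input telnet ssh
"""

# Constructed "after" config: SNMPv3 authPriv bound to a management-host ACL,
# SSH only, vty restricted to the management subnet, per-user TACACS+ login
# with command accounting, syslog, and config-change logging with secrets masked.
HARDENED_CONFIG = """\
hostname core-rtr
ip ssh version 2
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs server mgmt-aaa
 address ipv4 10.0.0.10
 key tacacs-shared-secret
username breakglass privilege 15 secret LocalOnlyPassw0rd
ip access-list standard MGMT-HOSTS
 permit 10.0.0.0 0.0.0.255
 deny any log
snmp-server view NMS-VIEW iso included
snmp-server group NMS-GROUP v3 priv read NMS-VIEW access MGMT-HOSTS
snmp-server user nms-poller NMS-GROUP v3 auth sha AuthPassw0rd priv aes 128 PrivPassw0rd
snmp-server host 10.0.0.5 version 3 priv nms-poller
logging host 10.0.0.20
logging trap informational
login on-failure log
archive
 log config
  logging enable
  notify syslog contenttype plaintext
  hidekeys
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
"""


def _vty_blocks(lines):
    """Return (header, [indented body lines]) for every 'line vty' section."""
    blocks, body = [], None
    for raw in lines:
        if raw.startswith("line vty"):
            body = []
            blocks.append((raw.strip(), body))
        elif raw.startswith(" ") and body is not None:
            body.append(raw.strip())
        else:
            body = None  # any other top-level line ends the vty section
    return blocks


def audit_config(config: str) -> list[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    lines = config.splitlines()
    stripped = [l.strip() for l in lines]
    findings = []
    for s in stripped:
        m = re.match(r"snmp-server community (\S+)(?:\s+(RO|RW))?", s)
        if m:
            findings.append(f"SNMPv1/v2c community '{m.group(1)}' ({m.group(2) or 'RO'}): "
                            "replace with an SNMPv3 authPriv user")
        elif s.startswith("snmp-server user") and " v3" in s and " priv " not in s:
            findings.append(f"SNMPv3 user without privacy: {s}")
        elif s.startswith("snmp-server host"):
            if "version 3" not in s:
                findings.append(f"trap/inform receiver not using SNMPv3: {s}")
            elif " priv " not in s:
                findings.append(f"SNMPv3 trap receiver without privacy: {s}")
    if "aaa new-model" not in stripped:
        findings.append("AAA not enabled: no per-user authentication of management logins")
    if not any(s.startswith("aaa accounting") for s in stripped):
        findings.append("no AAA accounting: sessions and commands are not logged centrally")
    if not any(s.startswith("logging host") for s in stripped):
        findings.append("no syslog destination: login and config-change events stay on the box")
    for header, body in _vty_blocks(lines):
        if not any(b.startswith("access-class") for b in body):
            findings.append(f"{header}: no access-class, reachable from any source address")
        transport = next((b for b in body if b.startswith("transport input")), None)
        if transport is None or re.search(r"\b(telnet|all)\b", transport):
            findings.append(f"{header}: telnet permitted ({transport or 'transport input not restricted'})")
        if any(b.startswith("password") for b in body):
            findings.append(f"{header}: shared line password instead of per-user login")
    return findings


if __name__ == "__main__":
    for f in audit_config(WEAK_CONFIG):
        print("-", f)
```

Run against the weak config it reports nine findings (both communities, the v1 trap receiver, no AAA, no accounting, no syslog, and three vty problems); the hardened config comes back clean. The `access` clause on the SNMPv3 group and the `access-class` on the vty lines are what tie the stored credentials to mikej412's "specific management workstations": a community string or password lifted from the management server is only usable from the addresses the device lists.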