ICMP and SNMP – CompTIA Security+ SY0-401: 1.4

Every network and security manager makes extensive use of network management protocols. In this video, you’ll learn how ICMP and SNMP can be used to help manage and protect your network.


A useful protocol that’s used all the time by network administrators is ICMP. It stands for Internet Control Message Protocol, and it’s often used to send little messages between computers. An echo request and an echo reply are a couple of very common examples of this. When you type in ping and an IP address, what really is happening is an ICMP request is made to another server and hopefully you’re receiving an ICMP reply. We call those a ping request and a ping reply, but behind the scenes, that’s exactly what’s happening. Now this is really useful for troubleshooting.

It’s very useful for bad guys to be able to do reconnaissance of your network as well. Imagine being able to ping all of the systems in a particular subnet and find out who responds back. Sometimes that’s not what you want. That’s too much information for the bad guys. And you’ll notice that on most firewalls, one of the default configurations is to disallow ICMP packets from going through the firewall.

Now, there are other ICMP messages that can do things like redirect different network connections. You could tell a router that a network’s no longer located over here, it’s located somewhere else. That might be a legitimate message or that may be a completely illegitimate message. That might be the bad guys trying to redirect traffic over to their machines. So, usually those are also restricted, or at least those particular ICMP types of messages may be restricted. And if you ever go out somewhere and you’re trying to ping a device and it says, sorry, the destination host you’re trying to ping is unreachable, that’s because either that device really isn’t on the network or our security administrator was very smart and restricted access of ICMP through the firewall. No matter how much you try, you’re never going to get a response back.
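The echo and redirect messages described above, as an added example that is not part of the original video: it parses an ICMP header, verifies the RFC 1071 checksum, and applies a filtering decision. The policy in `filter_decision`, the `from_mgmt_subnet` flag and the sample messages are assumptions constructed for illustration.

```python
import struct

ICMP_NAMES = {0: "echo-reply", 3: "destination-unreachable",
              5: "redirect", 8: "echo-request"}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type: int, code: int, rest: bytes) -> bytes:
    """Build an ICMP message; rest is everything after the checksum field."""
    csum = inet_checksum(struct.pack("!BBH", icmp_type, code, 0) + rest)
    return struct.pack("!BBH", icmp_type, code, csum) + rest

def parse_icmp(msg: bytes) -> dict:
    if len(msg) < 8:
        raise ValueError("ICMP header is 8 bytes")
    return {"type": msg[0], "code": msg[1],
            "name": ICMP_NAMES.get(msg[0], "other"),
            # a valid message sums to 0xFFFF, so its checksum is 0
            "checksum_ok": inet_checksum(msg) == 0}

def filter_decision(msg: bytes, from_mgmt_subnet: bool) -> str:
    """Hypothetical policy: no redirects, ping only from management hosts."""
    try:
        info = parse_icmp(msg)
    except ValueError:
        return "drop"
    if not info["checksum_ok"] or info["name"] == "redirect":
        return "drop"
    if info["name"] == "echo-request":
        return "allow" if from_mgmt_subnet else "drop"
    if info["name"] in ("echo-reply", "destination-unreachable"):
        return "allow"
    return "drop"

# Constructed samples (192.0.2.1 is a documentation address).
SAMPLE_ECHO = build_icmp(8, 0, struct.pack("!HH", 0x1234, 1) + b"ping-test")
SAMPLE_REDIRECT = build_icmp(5, 1, bytes([192, 0, 2, 1]) + bytes(28))
SAMPLE_CORRUPT = SAMPLE_ECHO[:-1] + b"\x00"   # payload altered in transit

if __name__ == "__main__":
    for label, m in [("echo", SAMPLE_ECHO), ("redirect", SAMPLE_REDIRECT)]:
        print(label, parse_icmp(m), filter_decision(m, from_mgmt_subnet=False))
```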

Another useful network management protocol is SNMP, which stands for Simple Network Management Protocol. It’s used between devices from a management perspective to gather details, metrics, about how those devices are performing. Very often, you’ll have a device that’s in charge, with some SNMP software on it, that is simply querying the devices, usually infrastructure devices in your environment, maybe asking a router, “hey, on a particular interface, how many bytes have you seen come into that interface?” And the router responds back with 210,506 bytes. Kind of boring. Kind of very dry, but if you start compiling those metrics over long periods of time, you can start to see how much bandwidth might be going through a router.

And these SNMP queries can be done across many different variables. Many different routers will have hundreds or thousands of SNMP variables that you could query. What’s the temperature inside of a server? How many people are connected to the device at this time? And you can gather a lot of details. If you’re using SNMP Version 1 (there are three different versions of SNMP currently, and this is the one that was original), you’re really asking for some very specific information and getting a response, and that entire communication is completely in the clear. It is not encrypted, it is not verified, and anybody who happened to be on the network between those two devices can see exactly what you’re doing.

Now in Version 2, we added some additional capabilities. We could do some data type enhancements of what we were asking for. We can ask for many different metrics at one time and get a big bulk response back. But there was still no encryption. There’s still, from a security perspective, a real concern there.

So, SNMP Version 3, which is the latest standard, is the one that, from a security perspective, you should almost always be insisting on, because it checks the integrity of the message: that it really came from that device, was authenticated to that device, and the message wasn’t changed along the way. So that integrity and authentication become very, very important. And it’s encrypted. And the data that’s going between the SNMP device and the reply that we’re getting back is something that nobody can tap into, to really see what’s going on.
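The difference between the three versions as seen on the wire, as an added example that is not part of the original video: a minimal BER reader that reports the SNMP version of a captured UDP payload and whether it is protected. The sample messages are constructed; the v3 `msgFlags` bits (0x01 authentication, 0x02 privacy) follow RFC 3412.

```python
def tlv(tag: int, value: bytes) -> bytes:
    """Encode one BER element (short-form length, enough for these samples)."""
    return bytes([tag, len(value)]) + value

def read_tlv(buf: bytes, pos: int):
    """Decode one BER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def classify_snmp(datagram: bytes) -> dict:
    tag, msg, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not a BER SEQUENCE, so not an SNMP message")
    _, raw_version, pos = read_tlv(msg, 0)
    version = int.from_bytes(raw_version, "big")
    if version in (0, 1):                    # 0 = SNMPv1, 1 = SNMPv2c
        _, community, _ = read_tlv(msg, pos) # readable by anyone on the path
        return {"version": "v1" if version == 0 else "v2c", "protected": False,
                "community": community.decode("ascii", "replace")}
    if version == 3:
        _, header, _ = read_tlv(msg, pos)    # msgGlobalData
        field_pos = 0
        for _field in ("msgID", "msgMaxSize", "msgFlags"):
            _, value, field_pos = read_tlv(header, field_pos)
        auth, priv = bool(value[0] & 0x01), bool(value[0] & 0x02)
        level = "authPriv" if priv else "authNoPriv" if auth else "noAuthNoPriv"
        return {"version": "v3", "protected": auth and priv, "level": level}
    raise ValueError(f"unknown SNMP version field {version}")

# Constructed samples: a v2c GetRequest for ifInOctets.1 with community
# "public", and a v3 message whose body is an 8-byte placeholder.
_OID = tlv(0x06, bytes.fromhex("2b060102010202010a01"))
_GET = tlv(0xA0, tlv(0x02, b"\x01") + tlv(0x02, b"\x00") + tlv(0x02, b"\x00")
           + tlv(0x30, tlv(0x30, _OID + tlv(0x05, b""))))
SAMPLE_V2C = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x04, b"public") + _GET)

def sample_v3(flags: int) -> bytes:
    header = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x02, b"\x05\xdc")
                 + tlv(0x04, bytes([flags])) + tlv(0x02, b"\x03"))
    return tlv(0x30, tlv(0x02, b"\x03") + header
               + tlv(0x04, b"") + tlv(0x04, bytes(8)))

if __name__ == "__main__":
    for pkt in (SAMPLE_V2C, sample_v3(0x00), sample_v3(0x03)):
        print(classify_snmp(pkt))
```

Version 3 only gives the encryption described above when the device is configured for the authPriv level; a v3 message sent as noAuthNoPriv is as readable as Version 1.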

And because this SNMP information can be very detailed about configurations, and status, and amount of traffic, and a lot of details, you need to make sure that only you or people who are specific to understanding how those devices are running, maybe the manager of those devices, can see this data. This is very, very critical data. If you know what to look at with SNMP, you can gather a lot of information about those devices.

Also from a security perspective, you should make sure that the devices that are out there that support SNMP can only be queried by your SNMP devices that are out here doing the querying. You don’t want a third party to plug into your network and instantly be able to gather information via SNMP. So that’s an important security concern, especially if you’re using SNMP with all of your devices in your environment, to check on the status and availability of those machines.