DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
PCI Compliance
- robertb24
- Topic Author
- Offline
- Junior Member
- Posts: 31
- Thank you received: 0
06 Mar 2012 09:30 #71476
by robertb24
PCI Compliance was created by robertb24
I have a Vigor 3300 and have to perform a PCI scan for our online payments.
The scan keeps reporting that port 161 (SNMP) is open and needs addressing. I have updated the firmware on the 3300 to the latest version as it said you could disable SNMP.
How do you actually disable it as I can see no selection in the GUI to do it?
Thanks for the help
Rob
- voodle
- Offline
- Big Contributor
- Posts: 1139
- Thank you received: 0
08 Mar 2012 09:11 #71511
by voodle
Replied by voodle on topic Re: PCI Compliance
It should be under System > Access Control; you'd see the tickbox on there. If not, maybe check with DrayTek support if they've got a specific firmware to help with that.
- ahxcjb
- Offline
- Junior Member
- Posts: 10
- Thank you received: 0
26 Mar 2012 09:45 #71675
by ahxcjb
Replied by ahxcjb on topic Re: PCI Compliance
robertb24 wrote:
I have a Vigor 3300 and have to perform a PCI scan for our online payments.
The scan keeps reporting that port 161 (SNMP) is open and needs addressing.
Rob
Ignore it. SNMP is often a critical resource on networks. How else are you expected to get information from the devices?
- robertb24
- Topic Author
- Offline
- Junior Member
- Posts: 31
- Thank you received: 0
26 Mar 2012 10:13 #71678
by robertb24
Replied by robertb24 on topic Re: PCI Compliance
The PCI compliance would not complete with this open. DrayTek have provided some new firmware and created some additional rules for me, which have now made it compliant.
You also cannot ignore what the scan says:
Description: SNMP is enabled and may be vulnerable
Severity: Potential Problem
CVE: CVE-2002-0012 CVE-2002-0013 CVE-2002-0053
Impact: If a vulnerable implementation of SNMP is running, a remote attacker could crash the device, cause the device to become unstable, or gain unauthorized access.
Resolution: For the HMAC length 1 security bypass vulnerability, [http://www.net-snmp.org/download.html] update to NET-SNMP 5.4.1.1, 5.3.2.1, 5.2.4.1, 5.1.4.1, 5.0.11.1, or UCD-snmp 4.2.7.1 or get updates for other products from your vendor. There are a number of measures which can be taken to reduce the risk of this vulnerability being exploited. Apply a [http://www.cert.org/advisories/CA-2002-03.html#vendors] patch from your vendor if one is available. (IRIX users should also refer to [ftp://patches.sgi.com/support/free/security/advisories/20020201-01-P] SGI Security Advisory 20020201-01-P, and Sun users should also refer to [http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=secbull/219] Sun Security Bulletin 219 for patch information.) Change all community strings to non-default strings which are difficult to guess. Block access to UDP ports 161 and 162 at the network perimeter. Disable the SNMP service on machines where it can be disabled and is not needed.
There are a number of additional precautions which should also be taken wherever possible:
- Filter SNMP traffic from unauthorized internal hosts
- Segregate SNMP traffic onto a separate management network
- Block incoming and outgoing traffic (ingress and egress filtering) on ports 161, 162, 199, 391, 705, and 1993, both TCP and UDP
- Block incoming traffic destined for broadcast addresses and internal loopback addresses
- Disable stack execution
For more information on these precautions, see [http://www.cert.org/advisories/CA-2002-03.html] CERT Advisory 2002-03.
Vulnerability Details: Service: snmp
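The scan finding above boils down to one observable fact: the router answered an SNMP request on UDP/161 from the scanner's side of the perimeter. After disabling SNMP or adding the firewall rules the thread describes, the same check is the way to confirm the fix before paying for a rescan. The following is an added example, not code from this thread, from DrayTek or from any ASV scanner: it hand-encodes an SNMPv2c GetRequest for sysDescr.0 in BER, parses a GetResponse, and wraps both in a one-shot probe. All helper names (`build_get_request`, `parse_get_response`, `probe`) are hypothetical, the sample response is constructed so the parser can be exercised offline, and the host and community string you pass are assumed to be your own device's.

```python
"""SNMPv2c GetRequest/GetResponse codec plus a one-shot UDP/161 reachability
probe for verifying that a device no longer answers SNMP from outside.
Helper names are hypothetical, not DrayTek's or any scanner's API."""
import socket
import sys

SYS_DESCR_OID = (1, 3, 6, 1, 2, 1, 1, 1, 0)   # sysDescr.0 from SNMPv2-MIB
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2          # context-specific PDU tags


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    """Tag-length-value wrapper."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(value: int) -> bytes:
    """INTEGER, minimal two's-complement encoding (non-negative values here)."""
    size = max(1, (value.bit_length() + 8) // 8)
    return tlv(0x02, value.to_bytes(size, "big", signed=True))


def ber_oid(oid) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed, remaining arcs base-128."""
    out = bytearray([40 * oid[0] + oid[1]])
    for arc in oid[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))   # continuation bit on all but last
            arc >>= 7
        out += chunk
    return tlv(0x06, bytes(out))


def build_get_request(community: str, oid=SYS_DESCR_OID, request_id: int = 1) -> bytes:
    """SNMPv2c GetRequest for one OID (value slot is NULL)."""
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x05, b""))
    pdu = tlv(GET_REQUEST, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(1) + tlv(0x04, community.encode()) + pdu)   # version 1 == v2c


def read_tlv(buf: bytes, pos: int):
    """Return (tag, payload, position after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long form
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_get_response(packet: bytes) -> dict:
    """Extract version, community, request-id, error-status and first value."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version, p = read_tlv(msg, 0)
    _, community, p = read_tlv(msg, p)
    pdu_tag, pdu, _ = read_tlv(msg, p)
    if pdu_tag != GET_RESPONSE:
        raise ValueError("unexpected PDU tag 0x%02x" % pdu_tag)
    _, rid, p = read_tlv(pdu, 0)
    _, err, p = read_tlv(pdu, p)
    _, _idx, p = read_tlv(pdu, p)
    _, vblist, _ = read_tlv(pdu, p)
    _, vb, _ = read_tlv(vblist, 0)
    _, _oid, p = read_tlv(vb, 0)
    vtag, value, _ = read_tlv(vb, p)
    return {
        "version": int.from_bytes(version, "big", signed=True),
        "community": community.decode(errors="replace"),
        "request_id": int.from_bytes(rid, "big", signed=True),
        "error_status": int.from_bytes(err, "big", signed=True),
        "value": value.decode(errors="replace") if vtag == 0x04 else value.hex(),
    }


# Constructed sample GetResponse (not captured from any device) to exercise the parser.
SAMPLE_RESPONSE = tlv(0x30, ber_int(1) + tlv(0x04, b"public") + tlv(
    GET_RESPONSE, ber_int(1) + ber_int(0) + ber_int(0) + tlv(
        0x30, tlv(0x30, ber_oid(SYS_DESCR_OID) + tlv(0x04, b"constructed sysDescr")))))


def probe(host: str, community: str, port: int = 161, timeout: float = 2.0):
    """Send one GetRequest; None means no answer (port filtered or SNMP disabled)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get_request(community), (host, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_get_response(data)


if __name__ == "__main__":
    if len(sys.argv) >= 3:            # usage: script.py <your-device-ip> <community>
        print(probe(sys.argv[1], sys.argv[2]) or "no SNMP answer within timeout")
    else:
        print(parse_get_response(SAMPLE_RESPONSE))
```

Run it from a host on the WAN side of the router, with the device's public address and its configured community string; a reply means the scanner will keep flagging port 161, while a timeout after the remediation shows the port is filtered or the agent is off. Note that the probe is UDP, so "no answer" and "filtered" look identical from outside, which is exactly why the scanner reports any reply at all as a finding.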
- cjard
- Offline
- New Member
- Posts: 6
- Thank you received: 0
04 Apr 2012 08:08 #71784
by cjard
Replied by cjard on topic Re: PCI Compliance
Oh, what a load of crap PCIDSS truly is
"If a vulnerable implementation of SNMP is running, a remote attacker could crash the device, cause the device to become unstable, or gain unauthorized access"
I'd like the PCI council to show me any internet service where that does not apply - is the PCI scan OK with the router running a web server? Cos a vulnerable impl of that could allow an attacker to break in and upload a custom firmware that steals passwords, inserts trojans into downloads and copies credit card numbers.... Rolleyes@PCIDSS hypocrisy
- drummerjohn
- Offline
- Junior Member
- Posts: 28
- Thank you received: 0
04 Apr 2012 13:10 #71792
by drummerjohn
Replied by drummerjohn on topic Re: PCI Compliance
So true... PCI is the biggest money spinning waste of time I have ever encountered. All leveraged by the banks.
Moderators: Chris, Sami
Copyright © 2024 DrayTek