The Computer Emergency Response Team's recent warning about security holes in the Simple Network Management Protocol was a fairly serious affair, provided you are boneheaded enough to be using an ancient version of SNMP or to be transporting SNMP traffic across corporate firewalls. Regrettably, judging from the response worldwide to the CERT study, boneheadedness seems to be the rule, not the exception. And that gives SNMP a bad name.
A study group from Oulu University in Finland identified several vulnerabilities in SNMP that could be exploited by hackers who take advantage of network management messages. But the study was based on a derivative of SNMPv1 that was optimized at UC Davis and distributed by the NetSNMP freeware group. The Davis code originally was released in the early 1990s, just a few years after the original SNMPv1's launch in 1988. It has no business being used in public or private networks in the 21st century.
Not only are far too many corporations and Internet service providers trying to get by with archaic network management code, but several are trying to manage hubs and routers at distributed sites by sending probes across a public network. Firewalls and demilitarized zones are put in place for a reason, folks. They are not to be breached for expediency, a lesson few seem to have learned when establishing centralized management consoles to oversee disparate networks.
The sad thing is that carriers and ISPs have been trying to reduce costs by moving away from proprietary network management systems, based on TL-1 and other older languages, and toward open management systems based on SNMP. Many public network managers will give the CERT study a cursory glance and come to the conclusion that SNMP is not ready for prime time. But the software companies that have specialized in building multisite management packages out of more recent releases of SNMP have put security and fault tolerance at the top of their lists. This isn't about the poor state of SNMP; it's about the abuse of old legacy code.
In times of recession, corporate IT purchasers, as well as asset managers at public-networking companies, strive at every turn to reuse, make do, paste over and otherwise avoid all corporate expenditures until the recession is over. The danger, as can be seen in the SNMP scare, is that old code is old for a reason.
Companies need to turn to new versions of firewalls, DMZ controllers, encryption programs and network-management packages. They must not assume that a decade-old version of SNMP can keep their networks secure today.