... and while I'm on my poor excuse for an SNMP spiel...
Mikael Olsson wrote:
> > Also, it's all based on static keys. Where are the session keys?
>
> (And don't get me started on the inherent complexity of the
> entire SNMP protocol. Recent incidents speak for themselves,
> I believe.)

- The encryption/authentication buys you nothing in terms of protection
  against flaws in the BER/ASN.1 decoders, since you need to parse
  BER/ASN.1 to get to the auth/privacy information.

- The framework depends on clock synchronization. If the clocks go out of
  sync, the managed unit will become unreachable. If it is the managed unit
  that gets out of sync, and someone goes and fixes its time, you become
  vulnerable to replay attacks.

- Each manager needs a separate entry. If you're tempted to reuse the
  identity that you use on station A on station B, you again open yourself
  up to replay attacks.

--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
For Account Management (unsubscribe, get/change password, etc) Please go to:
http://lists.gnac.net/mailman/listinfo/firewalls
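The clock-synchronization and replay point in the bullets above, worked through as an added example (this is not code from the post, from Clavister, or from any SNMP implementation): a small Python model of the USM timeliness check that the authoritative engine (the managed unit) performs per RFC 3414, section 3.2 step 7, where a message is accepted only if its msgAuthoritativeEngineBoots equals the agent's snmpEngineBoots and its msgAuthoritativeEngineTime is within 150 seconds of the agent's snmpEngineTime. The message format is a simplified field serialization standing in for BER, and the engine ID, key, user name and clock values are all constructed. The scenario shows the agent becoming unreachable when the manager's view of its clock drifts, a captured message being rejected later, and the same capture being accepted again once an operator sets the agent's clock back without the boots counter changing.

```python
"""Model of the SNMPv3 User-based Security Model timeliness check
(RFC 3414, section 3.2 step 7) as performed by the authoritative engine,
i.e. the managed unit.  Added example: the message is a simplified
field serialization, not real BER/ASN.1, and the key, engine ID and clock
values are constructed for illustration."""
import hashlib
import hmac

TIME_WINDOW = 150          # allowed skew in seconds (RFC 3414, section 2.2.3)
AUTH_PARAMS_LEN = 12       # HMAC-SHA-96 truncates the tag to 12 bytes

# Constructed values; a real localized key is derived from the user's
# password and the authoritative snmpEngineID.
ENGINE_ID = bytes.fromhex("800000000105") + b"agent-A"
AUTH_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233")


def _serialize(engine_id, boots, time, user, payload, auth_params):
    """Stand-in for BER encoding of msgSecurityParameters + scopedPDU."""
    return b"|".join([engine_id, str(boots).encode(), str(time).encode(),
                      user, auth_params, payload])


def _mac(key, engine_id, boots, time, user, payload):
    # RFC 3414: the MAC covers the whole message with
    # msgAuthenticationParameters set to 12 zero bytes.
    zeroed = _serialize(engine_id, boots, time, user, payload,
                        b"\x00" * AUTH_PARAMS_LEN)
    return hmac.new(key, zeroed, hashlib.sha1).digest()[:AUTH_PARAMS_LEN]


def build_message(key, engine_id, boots, time, user, payload):
    """Manager side: stamp the message with its *estimate* of the agent's
    snmpEngineBoots/snmpEngineTime and authenticate it."""
    return {"engine_id": engine_id, "boots": boots, "time": time,
            "user": user, "payload": payload,
            "auth": _mac(key, engine_id, boots, time, user, payload)}


class UsmAgent:
    """Authoritative engine with its own snmpEngineBoots / snmpEngineTime."""

    def __init__(self, engine_id, key, boots, time):
        self.engine_id, self.key = engine_id, key
        self.boots, self.time = boots, time

    def tick(self, seconds):
        self.time += seconds

    def set_time(self, new_time):
        # An operator "fixing" the clock.  Assumed here to leave
        # snmpEngineBoots untouched, which is what makes step 4 below work.
        self.time = new_time

    def reboot(self):
        self.boots += 1
        self.time = 0

    def accept(self, msg):
        """Returns (accepted, reason).  Note the order: every field has to
        be decoded (in real SNMPv3: BER-parsed) before the MAC can even be
        checked, and the MAC is checked before the time window."""
        if msg["engine_id"] != self.engine_id:
            return False, "unknownEngineID"
        expected = _mac(self.key, msg["engine_id"], msg["boots"], msg["time"],
                        msg["user"], msg["payload"])
        if not hmac.compare_digest(expected, msg["auth"]):
            return False, "wrongDigest"
        if (msg["boots"] != self.boots
                or abs(msg["time"] - self.time) > TIME_WINDOW):
            return False, "notInTimeWindow"
        return True, "ok"


def scenario():
    """Walk through the clock-skew and replay cases; returns the reasons."""
    agent = UsmAgent(ENGINE_ID, AUTH_KEY, boots=1, time=1000)
    good = build_message(AUTH_KEY, ENGINE_ID, 1, 1000, b"monitor", b"GET sysUpTime.0")
    results = []
    # 1. manager's estimate of the agent clock is accurate: accepted
    results.append(agent.accept(good)[1])
    # 2. agent clock is 400 s ahead of the manager's estimate: every
    #    request is rejected, the unit is effectively unreachable
    agent.tick(400)
    stale_view = build_message(AUTH_KEY, ENGINE_ID, 1, 1000, b"monitor", b"GET sysUpTime.0")
    results.append(agent.accept(stale_view)[1])
    # 3. an eavesdropper replays the message captured in step 1 an hour
    #    later: still outside the window
    agent.tick(3600)
    results.append(agent.accept(good)[1])
    # 4. someone "fixes" the agent's clock back to roughly where it was,
    #    without incrementing snmpEngineBoots: the old capture is valid again
    agent.set_time(1050)
    results.append(agent.accept(good)[1])
    # 5. a reboot increments snmpEngineBoots, which the capture cannot match
    agent.reboot()
    agent.set_time(1000)
    results.append(agent.accept(good)[1])
    return results


if __name__ == "__main__":
    for step, reason in enumerate(scenario(), 1):
        print(step, reason)
```

The order of checks in `accept()` is also the first bullet in miniature: the agent has to pull engine ID, boots, time, user name and the MAC field out of the message before it can verify anything, so whatever decodes that structure (BER/ASN.1 in real SNMPv3) is exposed to unauthenticated input by design.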