Re: SNMP firewall management
Agreed. SNMP for firewall management is weak. but not for the NetGAP, and Adminiweb. it used to show stats, graphs, analysis. change a few definitions, (interfaces management) that's it. it's not SpearHead's app to set the policy at all! it's just an addon.

Thanks for all the help ben.

p.s Denmark Senegal - 1:1 by now...

-Shay Hugi
-Mpthrill.com

----- Original Message -----
From: Ben Nagy [EMAIL PROTECTED]
To: 'Shay Hugi' [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Thursday, June 06, 2002 9:55 AM
Subject: RE: SNMP firewall management

> -----Original Message-----
> From: Shay Hugi [mailto:[EMAIL PROTECTED]]
> [...]
>
> > thread? um...
> > > Um, did you _read_ the thread?
> > Hello? i created this thread... Take a good look.
>
> Oh, Hello? is it? Well, I _was_ being polite, but... What I was implying is that it's obvious that being able to string together an email message doesn't imply an ability to carefully read and think about the replies to the thread.
>
> > (the DDM is just an example for a GOOD snmp management system via web environment)
>
> Based on what evidence?
>
> > Yeah.. I would manage a firewall under SNMP, if i define a specific internal IP to be the NMS.
>
> Some people pierce their genitals, too. Please read about UDP, network sniffing and IP spoofing.
>
> > and if you think it's not secured let me give you the URL for the management server (i'll map a new nat entry, so the management system will be available for you, from my local lan). that already HAVE the ability to manage the firewall. tell me what flaws you've managed to find. (if You'll ever know the password)
>
> In the first place you're a lunatic for making such an offer, and in the second, why would you expect random people on the 'net to do your security testing for you? There is more to security than passwords, young padawan.
>
> > -Shay Hugi
> > -Mpthrill.com
> [...]
>
> If you think that you can offer some serious evidence for the durability of managing firewalls via SNMP (which, IMNSHO is crazy) then feel free to continue this discussion.
>
> As it is all you've done is assert that one particular product, for a specific market, which is designed to manage cable modems, uses SNMP and is good. This is me waving my index finger in little circles. *wave wave wave*
>
> SNMP doesn't offer confidentiality, is brittle against concerted attack, runs on UDP which makes spoofing trivial, and is so complex that a large proportion of the SNMP implementations have had problems recently (and they ran fine and were considered good for years).
>
> In addition, to manage any firewall you need an app designed specifically for it (to handle all the set requirements) which puts you right back in the specialised app camp, except using probably the worst communications channel anyone could think of - I mean _damn_ I'd rather use telnet than SNMP - at least it's TCP which makes it harder to spoof!
>
> I don't think there's any doubt that SNMP is a really bad choice for a communications channel between a management station and a firewall. The fact that something that is essentially an Enterprise manager for completely different products with different needs can have firewall management tacked on somehow doesn't make it a good way to approach what was, after all, a specific problem, viz remote firewall management.
>
> I _really_ must go and watch the rest of Senegal v Denmark.
>
> Cheers,
> --
> Ben Nagy
> Network Security Specialist
> Mb: TBA
> PGP Key ID: 0x1A86E304

___
Firewalls mailing list
[EMAIL PROTECTED]
For Account Management (unsubscribe, get/change password, etc) Please go to: http://lists.gnac.net/mailman/listinfo/firewalls
RE: SNMP firewall management
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Shay Hugi

> Agreed. SNMP for firewall management is weak.

Yay!

> but not for the NetGAP, and Adminiweb. it used to show stats, graphs, analysis. change a few definitions, (interfaces management) that's it.

Which is fine, and a perfectly reasonable thing to do with SNMP. Personally I don't think firewall MIBs should have anything other than performance and interface stats (certainly not retrievable policies), but that's just me. As I said a few times, I have nothing (much) against RO SNMP, although I'd prefer it if people managed to write their SNMP implementations better (how hard is it? You give me an OID, I give you a string. Sheesh.)

> p.s Denmark Senegal - 1:1 by now...

Yeah - that early penalty - pshaw!

> -Shay Hugi
> -Mpthrill.com

Cheers,
--
Ben Nagy
Network Security Specialist
Mb: TBA
PGP Key ID: 0x1A86E304
RE: SNMP firewall management
> > but not for the NetGAP, and Adminiweb. it used to show stats, graphs, analysis. change a few definitions, (interfaces management) that's it.
>
> Which is fine, and a perfectly reasonable thing to do with SNMP. Personally I don't think firewall MIBs should have anything other than performance and interface stats (certainly not retrievable policies), but that's just me. As I said a few times, I have nothing (much) against RO SNMP, although I'd prefer it if people managed to write their SNMP implementations better (how hard is it? You give me an OID, I give you a string. Sheesh.)

As long as it is restrictive, and you aren't flashing stats to the world smile, and not allowing interface management openly to all that beckon.

Thanks,

Ron DuFresne
~~
Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation. -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
Re: SNMP firewall management
Ben Nagy wrote:
> As I said a few times, I have nothing (much) against RO SNMP, although I'd prefer it if people managed to write their SNMP implementations better (how hard is it? You give me an OID, I give you a string. Sheesh.)

On a sidenote: Having been involved in implementing an SNMP (read-only) agent, I must say that I have _no_ problem in understanding why all those vulnerabilities came to be. Decoding BER-encoded PDUs and all that comes with it is a recipe for disaster. The people that put the S in SNMP must have had a really twisted sense of humor.

(Although note that I'm in no way defending those that botched it. The more complex something is, the more you should audit it, so, yeah, you're definitely right.)

--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00
Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50
WWW: http://www.clavister.com
Senex semper diu dormit
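The BER-decoding hazard Mikael describes, as an added example that is not from the thread or from any product mentioned in it: a minimal SNMPv1 message decoder in which every length octet is checked against the bytes actually present before anything is read, which is the check a careless agent skips. The sample packet bytes are constructed for the example.

```python
# Added example (not from this thread): SNMPv1 decoder that checks every BER length before reading.
class BerError(ValueError):
    """Malformed or truncated BER."""

def read_length(buf, pos):  # decode a BER length at buf[pos] -> (length, next_pos)
    if pos >= len(buf):
        raise BerError("truncated length")
    first, pos = buf[pos], pos + 1
    if first < 0x80:                      # short form: one octet
        return first, pos
    nbytes = first & 0x7F                 # long form: number of length octets
    if nbytes == 0 or nbytes > 4:         # indefinite or absurd lengths rejected
        raise BerError("unsupported length encoding")
    if pos + nbytes > len(buf):
        raise BerError("truncated long-form length")
    return int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes

def read_tlv(buf, pos):  # -> (tag, value, next_pos); refuses values that overrun buf
    if pos >= len(buf):
        raise BerError("truncated tag")
    tag = buf[pos]
    length, pos = read_length(buf, pos + 1)
    if length > len(buf) - pos:           # the check a careless agent omits
        raise BerError("length %d exceeds %d remaining bytes" % (length, len(buf) - pos))
    return tag, buf[pos:pos + length], pos + length

def parse_snmpv1_message(buf):  # SEQUENCE { version, community, pdu } -> header dict
    tag, body, end = read_tlv(buf, 0)
    if tag != 0x30 or end != len(buf):
        raise BerError("outer SEQUENCE malformed or trailing bytes")
    tag, version, pos = read_tlv(body, 0)
    if tag != 0x02 or len(version) != 1:
        raise BerError("bad version INTEGER")
    tag, community, pos = read_tlv(body, pos)
    if tag != 0x04:
        raise BerError("bad community OCTET STRING")
    pdu_tag, pdu, pos = read_tlv(body, pos)
    if not 0xA0 <= pdu_tag <= 0xA4 or pos != len(body):
        raise BerError("unknown PDU type or trailing bytes")
    return {"version": version[0], "community": community.decode("ascii", "replace"),
            "pdu_tag": pdu_tag, "pdu_len": len(pdu)}

def rejects(buf):  # True if the decoder refuses buf rather than reading past it
    try:
        return parse_snmpv1_message(buf) is None
    except BerError:
        return True

# Constructed sample: GetRequest, community "public", empty varbind list.
GOOD = bytes.fromhex("30180201000406" "7075626c6963" "a00b020101020100020100" "3000")
```

Forging the community length octet to claim 64 bytes, or cutting the packet short, makes the decoder raise instead of reading past the buffer.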
RE: SNMP firewall management
-----Original Message-----
From: Shay Hugi [mailto:[EMAIL PROTECTED]]
[...]

> thread? um...
> > Um, did you _read_ the thread?
> Hello? i created this thread... Take a good look.

Oh, Hello? is it? Well, I _was_ being polite, but... What I was implying is that it's obvious that being able to string together an email message doesn't imply an ability to carefully read and think about the replies to the thread.

> (the DDM is just an example for a GOOD snmp management system via web environment)

Based on what evidence?

> Yeah.. I would manage a firewall under SNMP, if i define a specific internal IP to be the NMS.

Some people pierce their genitals, too. Please read about UDP, network sniffing and IP spoofing.

> and if you think it's not secured let me give you the URL for the management server (i'll map a new nat entry, so the management system will be available for you, from my local lan). that already HAVE the ability to manage the firewall. tell me what flaws you've managed to find. (if You'll ever know the password)

In the first place you're a lunatic for making such an offer, and in the second, why would you expect random people on the 'net to do your security testing for you? There is more to security than passwords, young padawan.

> -Shay Hugi
> -Mpthrill.com
[...]

If you think that you can offer some serious evidence for the durability of managing firewalls via SNMP (which, IMNSHO is crazy) then feel free to continue this discussion.

As it is all you've done is assert that one particular product, for a specific market, which is designed to manage cable modems, uses SNMP and is good. This is me waving my index finger in little circles. *wave wave wave*

SNMP doesn't offer confidentiality, is brittle against concerted attack, runs on UDP which makes spoofing trivial, and is so complex that a large proportion of the SNMP implementations have had problems recently (and they ran fine and were considered good for years).

In addition, to manage any firewall you need an app designed specifically for it (to handle all the set requirements) which puts you right back in the specialised app camp, except using probably the worst communications channel anyone could think of - I mean _damn_ I'd rather use telnet than SNMP - at least it's TCP which makes it harder to spoof!

I don't think there's any doubt that SNMP is a really bad choice for a communications channel between a management station and a firewall. The fact that something that is essentially an Enterprise manager for completely different products with different needs can have firewall management tacked on somehow doesn't make it a good way to approach what was, after all, a specific problem, viz remote firewall management.

I _really_ must go and watch the rest of Senegal v Denmark.

Cheers,
--
Ben Nagy
Network Security Specialist
Mb: TBA
PGP Key ID: 0x1A86E304