On 1999.07.20, Firewalls-Digest <[EMAIL PROTECTED]> wrote:
> Date: Mon, 19 Jul 1999 16:12:25 -0300 (EST)
> From: "Alexandre B. Kieling" <[EMAIL PROTECTED]>
> Subject: SNMP
>
> Hi all.
>
> I am doing research about Firewall Management using SNMP. If you have
> any material about it, please, send it to me.
> Has anyone tried to implement a firewall MIB? There is a draft at:
> http://search.ietf.org/internet-drafts/draft-grall-firewall-mib-01.txt
> If anyone has the same interest, call me.
>
> Thanks.

Alexandre,

Doesn't the notion of a SNMP-managed firewall sound absolutely
ridiculous to you? Especially SNMPv1 which lacks authentication[1]
and all exchanges are in the clear; SNMPv2 offers some sort of
security and authentication but requires much more complexity
on the SNMP server end (thus, no longer a "simple" NMP, IMHO).
SNMPv3 which is just on the horizon (still an RFC draft) may
provide some help here in terms of a SNMP-managed firewall,
but I wouldn't hold my breath.

If you're only interested in using SNMP for implementing a
MIB which is crafted for a read-only community, it might be
interesting. I would be *extremely* careful in deciding what
object identifiers get to exist in that FW MIB, though, as
revealing any information to a would-be hacker is silly if
it doesn't *need* to be exposed.

An interesting question can be raised though -- how useful would
SNMP traps be for a firewall machine to emit? This might actually
be a neat feature depending on what traps are defined.

-Dossy

[1] Anyone who thinks "community strings" are authentication
shouldn't be managing a firewall, IMO. :-)
--
Edward T. Shiobara voice: +1 201 236-6650
Unix Systems Administrator fax: +1 201 236-3530
Pearson Education, Systems & Technology mail: [EMAIL PROTECTED]
1 Lake St., Upper Saddle River, NJ 07458 web: http://www.prenhall.com/
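
The footnote's point about community strings, shown on the wire format: in an SNMPv1 message the community is a plain BER OCTET STRING that follows the version field, readable by anything on the path. This is an added example, not part of the original post; the community `fw-ro`, the request-id and the function names are constructed for illustration.

```python
# Added illustration: community, request-id and OID are constructed sample values.

def tlv(tag: int, payload: bytes) -> bytes:
    """BER-encode one element (short-form length, enough for this sample)."""
    if len(payload) > 127:
        raise ValueError("payload too long for short-form length")
    return bytes([tag, len(payload)]) + payload

def read_tlv(buf: bytes, pos: int):
    """Decode one BER element at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, start = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        if n == 0 or start + n > len(buf):
            raise ValueError("bad length field")
        length = int.from_bytes(buf[start:start + n], "big")
        start += n
    if start + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[start:start + length], start + length

def build_v1_get(community: bytes) -> bytes:
    """Build an SNMPv1 GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0)."""
    oid = bytes([0x2B, 6, 1, 2, 1, 1, 1, 0])
    varbinds = tlv(0x30, tlv(0x30, tlv(0x06, oid) + tlv(0x05, b"")))
    pdu = tlv(0xA0, tlv(0x02, b"\x01")      # request-id
                    + tlv(0x02, b"\x00")    # error-status
                    + tlv(0x02, b"\x00")    # error-index
                    + varbinds)
    return tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, community) + pdu)

def inspect_v1_header(datagram: bytes) -> dict:
    """Return the version and community exactly as they appear in the datagram."""
    tag, body, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not a BER SEQUENCE")
    vtag, version, pos = read_tlv(body, 0)
    ctag, community, pos = read_tlv(body, pos)
    if vtag != 0x02 or ctag != 0x04:
        raise ValueError("not a community-based SNMP message")
    pdu_tag, _, _ = read_tlv(body, pos)
    return {"version": int.from_bytes(version, "big"),
            "community": community, "pdu_tag": pdu_tag}

if __name__ == "__main__":
    print(inspect_v1_header(build_v1_get(b"fw-ro")))
```

Version 0 in the first field identifies SNMPv1, and the community bytes appear unmodified in the datagram, which is why they identify a view rather than authenticate a sender.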