First, you wouldn't have to allow traps to pass through the firewall
if you want to use them from the firewall.
The primary problem with traps is denial of service. Generally,
some process on your management system is going to do something
when it sees a trap...even if it's just logging it. So even if
you don't pass traps through the firewall, an enterprising
person may figure out what causes your firewall to send traps
to your management station and exercise the sequence.
Denial of service by UDP flooding the SNMP trap port or the
SNMP logging process is probably the least of your worries.
If the management station takes "positive" action based on
a trap, the possibilities for mischief are endless. You could
endlessly page sysadmins. You could fire off intrusion detection
procedures. Set off alarm bells. It really depends on how
you use the SNMP traps.
Gary Flynn
Technical Services
James Madison University
"Palmer, L. Guy" wrote:
>
> I am concerned that allowing SNMP traps to pass from or through a FW, into a
> console on an enterprise network, is opening up the assets which the FW is
> protecting to exploits from the outside world.
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
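The failure mode Gary describes, a management station that takes a "positive" action on every trap it receives, is easiest to see in the receiver itself. The example below is an added illustration, not code from Gary Flynn's post or from the firewalls list. It models a trap receiver that drops traps from unexpected senders or with the wrong community string, always logs what it accepts (the cheap action), but puts the expensive action (paging) behind a per-source, per-trap token bucket so that a flood of identical traps produces a bounded number of pages. Assumptions that are mine, not the post's: traps arrive already decoded as small dicts with `src`, `community` and `trap_oid` keys; the page rate of one per five minutes with a burst of three; and the constructed flood scenario in `simulate_flood`. One caveat worth keeping in mind when you apply this: SNMPv1/v2c traps ride on plain UDP, so the source-address and community checks keep out casual noise but not a sender who spoofs them; the rate limit on the action is the control that actually holds under the "exercise the sequence" attack, and the `authenticationFailure` notification (1.3.6.1.6.3.1.1.5.5), which many agents emit whenever they receive a request with a bad community, is a good example of a trap an outsider can trigger on demand.

```python
"""Rate-limited trap handling on a management station (added example)."""


class TokenBucket:
    """Classic token bucket: up to `burst` actions at once, refilling at `rate` per second."""

    def __init__(self, rate, burst):
        self.rate = float(rate)
        self.burst = float(burst)
        self.tokens = float(burst)
        self.last = None  # timestamp of the previous call, None until first use

    def allow(self, now):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class TrapHandler:
    """Decides what the management station does with each received trap.

    Every accepted trap is logged (cheap).  Paging (expensive, and the thing an
    attacker wants to drive) is limited per (source, trap OID) by a token bucket.
    Rate and burst defaults are assumptions for this example: one page per five
    minutes, with a burst of three.
    """

    def __init__(self, allowed_sources, community, page_rate=1 / 300, page_burst=3):
        self.allowed_sources = set(allowed_sources)
        self.community = community
        self.page_rate = page_rate
        self.page_burst = page_burst
        self._buckets = {}
        self.log = []        # (time, src, trap_oid) for every accepted trap
        self.pages = []      # (time, src, trap_oid) for pages actually dispatched
        self.suppressed = 0  # traps that would have paged but were rate-limited

    def _bucket(self, key):
        bucket = self._buckets.get(key)
        if bucket is None:
            bucket = self._buckets[key] = TokenBucket(self.page_rate, self.page_burst)
        return bucket

    def handle(self, trap, now):
        """Return the disposition: 'drop-source', 'drop-community', 'logged' or 'paged'."""
        if trap["src"] not in self.allowed_sources:
            return "drop-source"
        if trap["community"] != self.community:
            return "drop-community"
        self.log.append((now, trap["src"], trap["trap_oid"]))
        if not self._bucket((trap["src"], trap["trap_oid"])).allow(now):
            self.suppressed += 1
            return "logged"
        self.pages.append((now, trap["src"], trap["trap_oid"]))
        return "paged"


def simulate_flood(n=10_000, interval=0.01):
    """Constructed scenario: one firewall emits the same linkDown trap n times, 10 ms apart."""
    handler = TrapHandler(allowed_sources={"192.0.2.1"}, community="public")
    trap = {
        "src": "192.0.2.1",
        "community": "public",
        "trap_oid": "1.3.6.1.6.3.1.1.5.3",  # linkDown (SNMPv2 notification OID)
    }
    for i in range(n):
        handler.handle(trap, now=i * interval)
    return handler


if __name__ == "__main__":
    h = simulate_flood()
    print(f"accepted/logged: {len(h.log)}, paged: {len(h.pages)}, suppressed: {h.suppressed}")
```

Ten thousand identical traps in one hundred seconds end up as ten thousand log lines but only three pages; without the bucket, each of them would have paged someone. Logging is still an action the attacker controls, so in practice the log path needs its own ceiling (disk quota, a second bucket) as well.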