Roger Marquis wrote:
> 
> Skough Axel U/IT-S <[EMAIL PROTECTED]> wrote:
> >SNMP is completely unacceptable as firewall monitoring tool
> 
> There really is no better protocol for monitoring firewalls and other
> network devices than SNMP.  That doesn't mean you enable write access,
> or that you leave read-access enabled globally.

IMHO, this all depends on what you mean by SNMP. If you're talking
about enabling SNMP read-only to get statistics out of a firewall
with a well-built SNMP package? Sure, why not. Properly restricted,
it shouldn't be much of a problem in 19 out of 20 installations.

On the other hand, there are the cases where we just use someone's
huge do-everything-over-SNMP-with-a-50-megabyte-mib. I wouldn't
want to run an SNMP service like that on a firewall. There have
been way too many occurrences of being able to see the write
community string by using the read community string, enumerating
users in the operating system, etc etc. For instance, I would NOT
enable the Windows NT SNMP agent on a firewall running on top
of NT. (I wouldn't run a firewall on NT in the first place, but
let's not start that war again :)

Regards,
Mikael Olsson

-- 
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46 (0)660 29 92 00         Direct: +46 (0)660 29 92 05
Mobile: +46 (0)70 66 77 636        Fax: +46 (0)660 122 50
WWW: http://www.enternet.se/       E-mail: [EMAIL PROTECTED]
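As an added illustration of the "properly restricted, read-only" setup discussed above (this fragment is not part of the original thread or any poster's configuration), here is a net-snmp snmpd.conf with the weak setting beside the restricted one. The addresses, view name, community string and SNMPv3 passphrases are placeholders.

```conf
# Added example: net-snmp snmpd.conf on a firewall. Management host
# 192.0.2.10, firewall management address 192.0.2.1, and all secrets
# are placeholders; replace them with site-specific values.

# WEAK: read-only, but accepted from any source, exposes the whole MIB
# tree, and uses a guessable community string.
# rocommunity public

# RESTRICTED: a view that exposes only what the poller actually needs
# (system group and interface counters) and nothing else.
view  fwmon  included  .1.3.6.1.2.1.1     # SNMPv2-MIB::system
view  fwmon  included  .1.3.6.1.2.1.2.2   # IF-MIB::ifTable
view  fwmon  included  .1.3.6.1.2.1.31.1  # IF-MIB::ifMIBObjects (64-bit counters)

# Read-only community accepted only from the monitoring host and bound
# to that view. There is deliberately no rwcommunity line: write access
# is never enabled on the firewall.
rocommunity  Lk9x2mQpZ7  192.0.2.10/32  -V fwmon

# Where the poller supports SNMPv3, prefer an authenticated and
# encrypted user that is still read-only and limited to the same view.
# (createUser is normally kept in the persistent snmpd.conf, e.g. under
# /var/lib/net-snmp/, so the cleartext passphrases are converted to keys.)
createUser  fwpoller  SHA  "auth-passphrase-placeholder"  AES  "priv-passphrase-placeholder"
rouser      fwpoller  priv  -V fwmon

# Listen only on the management address, not on every interface.
agentAddress  udp:192.0.2.1:161
```

Pair this with a firewall rule that admits UDP/161 only from the monitoring host, so the source restriction does not depend on the agent alone.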