Agreed. SNMP for firewall management is weak, but not for the NetGAP and Adminiweb. It used to show stats, graphs, analysis, change a few definitions (interfaces management), that's it.
It's not SpearHead's app to set the policy at all! It's just an addon.

Thanks for all the help, Ben.

P.S. Denmark & Senegal - 1:1 by now...

-Shay Hugi
-Mpthrill.com

----- Original Message -----
From: "Ben Nagy" <[EMAIL PROTECTED]>
To: "'Shay Hugi'" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Thursday, June 06, 2002 9:55 AM
Subject: RE: SNMP firewall management

> > -----Original Message-----
> > From: Shay Hugi [mailto:[EMAIL PROTECTED]]
> [...]
> > thread?
> > um...
> > "Um, did you _read_ the thread?"
> >
> > Hello? I created this thread... Take a good look.
>
> Oh, "Hello?" is it? Well, I _was_ being polite, but...
>
> What I was implying is that it's obvious that being able to string
> together an email message doesn't imply an ability to carefully read and
> think about the replies to the thread.
>
> > (the DDM is
> > just an example for a GOOD snmp management system via web
> > environment)
>
> Based on what evidence?
>
> > Yeah.. I would manage a firewall under SNMP, if
> > I define a specific internal IP to be the NMS.
>
> Some people pierce their genitals, too. Please read about UDP, network
> sniffing and IP spoofing.
>
> > and if you think it's not secured let me give you the URL for
> > the management server (I'll map a new nat entry, so the
> > management system will be available for you, from my local
> > lan). that already HAVE the ability to manage the firewall.
> >
> > tell me what flaws you've managed to find. (if you'll ever know the
> > password)
>
> In the first place you're a lunatic for making such an offer, and in the
> second, why would you expect random people on the 'net to do your
> security testing for you? There is more to security than passwords,
> young padawan.
>
> > -Shay Hugi
> > -Mpthrill.com
> [...]
>
> If you think that you can offer some serious evidence for the durability
> of managing firewalls via SNMP (which, IMNSHO is crazy) then feel free
> to continue this discussion. As it is all you've done is assert that one
> particular product, for a specific market, which is designed to manage
> cable modems, uses SNMP and is "good". This is me waving my index finger
> in little circles. *wave wave wave*
>
> SNMP doesn't offer confidentiality, is brittle against concerted attack,
> runs on UDP which makes spoofing trivial, and is so complex that a large
> proportion of the SNMP implementations have had problems recently (and
> they ran fine and were considered "good" for years). In addition, to
> manage any firewall you need an app designed specifically for it (to
> handle all the set requirements) which puts you right back in the
> "specialised app" camp, except using probably the worst communications
> channel anyone could think of - I mean _damn_ I'd rather use telnet than
> SNMP - at least it's TCP which makes it harder to spoof!
>
> I don't think there's any doubt that SNMP is a really bad choice for a
> communications channel between a management station and a firewall. The
> fact that something that is essentially an Enterprise manager for
> completely different products with different needs can have firewall
> management tacked on somehow doesn't make it a good way to approach what
> was, after all, a specific problem, viz remote firewall management.
>
> I _really_ must go and watch the rest of Senegal v Denmark.
>
> Cheers,
>
> --
> Ben Nagy
> Network Security Specialist
> Mb: TBA  PGP Key ID: 0x1A86E304
>

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
For Account Management (unsubscribe, get/change password, etc) Please go to:
http://lists.gnac.net/mailman/listinfo/firewalls
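
The statement in the quoted message that SNMP offers no confidentiality can be checked by decoding an SNMPv1 message by hand. The following is an added example, not part of the original thread: it builds a constructed SetRequest (the community string `example-rw`, the request id and the value are made up) and reads it back with a minimal BER parser; all function names are this example's own.

```python
# Added example: what a management write looks like on the wire in SNMPv1.
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest",
             0xA2: "GetResponse", 0xA3: "SetRequest"}

def tlv(tag: int, value: bytes) -> bytes:
    """Encode one BER element (short-form length, value under 128 bytes)."""
    if len(value) >= 128:
        raise ValueError("example encoder only handles short-form lengths")
    return bytes([tag, len(value)]) + value

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = octet count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def inspect_snmp_v1(datagram: bytes) -> dict:
    """Pull out the header fields an on-path observer sees in the UDP payload."""
    tag, body, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not a BER SEQUENCE")
    _, version, pos = read_tlv(body, 0)
    _, community, pos = read_tlv(body, pos)
    pdu_tag, pdu, _ = read_tlv(body, pos)
    _, request_id, _ = read_tlv(pdu, 0)
    return {"version": int.from_bytes(version, "big"),      # 0 means SNMPv1
            "community": community.decode("ascii"),         # the only credential
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)),
            "request_id": int.from_bytes(request_id, "big", signed=True)}

# Constructed sample: SetRequest for sysContact.0 (1.3.6.1.2.1.1.4.0) = "noc".
_oid = bytes([0x2B, 6, 1, 2, 1, 1, 4, 0])
_varbinds = tlv(0x30, tlv(0x30, tlv(0x06, _oid) + tlv(0x04, b"noc")))
_pdu = tlv(0xA3, tlv(0x02, b"\x2a") + tlv(0x02, b"\x00") + tlv(0x02, b"\x00") + _varbinds)
SAMPLE = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, b"example-rw") + _pdu)

if __name__ == "__main__":
    print(SAMPLE.hex())
    print(inspect_snmp_v1(SAMPLE))
```

The community string sits in the payload as a plain OCTET STRING, and no other field in the message authenticates the sender.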
