> -----Original Message-----
> From: Shay Hugi [mailto:[EMAIL PROTECTED]]
[...]
> thread?
> um...
> "Um, did you _read_ the thread?"
>
> Hello? i created this thread... Take a good look.

Oh, "Hello?" is it? Well, I _was_ being polite, but... What I was implying is that it's obvious that being able to string together an email message doesn't imply an ability to carefully read and think about the replies to the thread.

> (the DDM is
> just an example for a GOOD snmp management system via web
> environment)

Based on what evidence?

> Yeah.. I would manage a firewall under SNMP, if
> i define a specific internal IP to be the NMS.

Some people pierce their genitals, too. Please read about UDP, network sniffing and IP spoofing.

> and if you think it's not secured let me give you the URL for
> the management server (i'll map a new nat entry, so the
> management system will be available for you, from my local
> lan). that already HAVE the ability to manage the firewall.
>
> tell me what flaws you've managed to find. (if You'll ever know the
> password)

In the first place you're a lunatic for making such an offer, and in the second, why would you expect random people on the 'net to do your security testing for you? There is more to security than passwords, young padawan.

> -Shay Hugi
> -Mpthrill.com
[...]

If you think that you can offer some serious evidence for the durability of managing firewalls via SNMP (which, IMNSHO is crazy) then feel free to continue this discussion. As it is all you've done is assert that one particular product, for a specific market, which is designed to manage cable modems, uses SNMP and is "good".

This is me waving my index finger in little circles. *wave wave wave*

SNMP doesn't offer confidentiality, is brittle against concerted attack, runs on UDP which makes spoofing trivial, and is so complex that a large proportion of the SNMP implementations have had problems recently (and they ran fine and were considered "good" for years).

In addition, to manage any firewall you need an app designed specifically for it (to handle all the set requirements) which puts you right back in the "specialised app" camp, except using probably the worst communications channel anyone could think of - I mean _damn_ I'd rather use telnet than SNMP - at least it's TCP which makes it harder to spoof!

I don't think there's any doubt that SNMP is a really bad choice for a communications channel between a management station and a firewall. The fact that something that is essentially an Enterprise manager for completely different products with different needs can have firewall management tacked on somehow doesn't make it a good way to approach what was, after all, a specific problem, viz remote firewall management.

I _really_ must go and watch the rest of Senegal v Denmark.

Cheers,

--
Ben Nagy
Network Security Specialist
Mb: TBA PGP Key ID: 0x1A86E304

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
For Account Management (unsubscribe, get/change password, etc) Please go to:
http://lists.gnac.net/mailman/listinfo/firewalls
