True, that is what management logs are for.

GTA should consider adding a feature that explicitly tracks changes to the firewall environment with who/when/where implemented. By where, I mean - was it from a remote console, an actual console, telnet via address, etc. This prevents possible finger pointing.

Danny H. Cox
Yield Dynamics, Inc.
(408) 764-9822

-----Original Message-----
From: Mike Burden [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 22, 2002 1:04 PM
To: [EMAIL PROTECTED]
Subject: RE: [gb-users] SNMP Management

FWIW, features like that have a way of getting accidentally enabled, especially when you have a Customer that won't leave your config alone, but doesn't have a really tight grasp of why things were configured the way I put them.

Occasionally I'll find that the firewall at one of my Customer's sites has the Web Interface enabled, despite the fact that I've explained to the Customer why this is a bad thing. The answer is always along the lines of, "but I wanted to administer the firewall from my own desk but I was too lazy to install GBAdmin".

Unfortunately, I can't lock the Customer out of their own firewall. Besides the obvious fact that they own the firewall, this Customer has a "default closed" outbound policy, and if I don't want to spend my whole life jumping every time some manager wants to add a website to the "acceptable" list, then someone has to manage it onsite.

I fear that SNMP would be just another thing for the Customer to enable, and then blame me when the firewall got compromised.

Mike Burden
Lynk Systems
http://www.lynk.com
(616)532-4985
[EMAIL PROTECTED]

> -----Original Message-----
> From: Cox, Danny H. [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, May 22, 2002 2:23 PM
> To: Mike Burden; [EMAIL PROTECTED]
> Subject: RE: [gb-users] SNMP Management
>
> Mike,
>
> I understand your point.
>
> For the most part, I agree.
>
> However, I believe this could be a good feature to provide - IF IT CAN
> BE DISABLED.
>
> This would allow someone to have 2 firewalls (same brand and general
> configuration) back to back. The front firewall without SNMP, the second
> with. Then we get the best of both worlds.
>
> Yes, it means extra cost and implementation.
>
> The ROI (Return On Investment) comes with being able to monitor
> performance and determine when issues may arise "in advance".
>
> Danny H. Cox
> Yield Dynamics, Inc.
> (408) 764-9822
>
> -----Original Message-----
> From: Mike Burden [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, May 22, 2002 11:01 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [gb-users] SNMP Management
>
> Part of what makes GNAT Box such an excellent firewall is that it
> doesn't install on top of an OS that's trying to provide services
> that the filters are trying to deny. This gives you two layers
> of security for the firewall itself -- even if you get past the
> filters, there's nothing that wants to talk to you.
>
> It's this "don't put all your eggs in one basket" approach to
> security that makes GNAT Box a very tough firewall.
>
> IMHO, security is job #1 for the firewall. Things like traffic
> monitoring are best not done at all if they can't be done without
> (even a small!) compromise in security.
>
> To me, it seems that this is along the same lines as wanting to
> tunnel NETBIOS from the PSN to the PRO. Yes, it's the easiest
> way to allow your webserver to authenticate with your domain
> controller, but then nobody ever said that good security was
> easy.
>
> Mike Burden
> Lynk Systems
> http://www.lynk.com
> (616)532-4985
> [EMAIL PROTECTED]
>
> > -----Original Message-----
> > From: Cox, Danny H. [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, May 22, 2002 1:49 PM
> > To: Frank Zastawnik; [EMAIL PROTECTED]
> > Subject: RE: [gb-users] SNMP Management
> >
> > Then again,
> >
> > You could always provide filters to allow ONLY specific systems on the
> > protected network to access those ports: 161, 162, 391, 1993, 1994, 2697,
> > 3427, 7845, 7846, 8161 (most common ones used) and any that Gnatbox
> > might use. I would further add filters to specifically deny everything
> > else to those ports.
> >
> > For a full list of port addresses go to:
> > http://www.iana.org/assignments/port-numbers
> >
> > I believe this would prevent all unauthorized users from accessing the
> > device - providing SNMP was properly implemented. This may however
> > conflict with some methodologies used to set up a global monitoring
> > solution.
> >
> > Just a thought.
> >
> > Danny H. Cox
> > Yield Dynamics, Inc.
> > (408) 764-9822
> >
> > -----Original Message-----
> > From: Frank Zastawnik [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, May 22, 2002 10:32 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [gb-users] SNMP Management
> >
> > Just in case you were unaware, SNMP v1 community strings are sent in
> > plain text. They aren't really passwords, though most people look at them
> > as though they were.
> >
> > Having SNMP available on any device can be a security risk, but then
> > again any service that lets you connect to it could be as well. With SNMP
> > you have a wider hole than with some other services.
> >
> > If GnatBox was running SNMP v2 and you only allowed trusted connections
> > to the private side interface you could help cut down the risk, though you
> > could not eliminate it.
> >
> > You might also want to consider changing the default read-write string
> > from private to something else. Read-only is bad, you can give away a lot
> > of info, but it is nothing compared to the default private read-write
> > string.
> >
> > Just my take on it.
> >
> > -----Original Message-----
> > From: Woloss, Rick (INV-EDH) [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, May 22, 2002 1:17 PM
> > To: 'Mike Burden'; [EMAIL PROTECTED]
> > Subject: RE: [gb-users] SNMP Management
> >
> > That's what community strings are for. If someone isn't smart enough to
> > change the default Read-Only from public, then that's their problem.
> >
> > Rick Woloss
> > Network Engineer
> > |D|S|T| INNOVIS TM
> > connecting people through technology
> > work (916) 941-4262
> > mobile (916) 296-7465
> > [EMAIL PROTECTED]
> >
> > -----Original Message-----
> > From: Mike Burden [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, May 22, 2002 10:16 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [gb-users] SNMP Management
> >
> > Why bother to have a firewall if it's not going to be
> > as secure as you can make it?
> >
> > Mike Burden
> > Lynk Systems
> > http://www.lynk.com
> > (616)532-4985
> > [EMAIL PROTECTED]
> >
> > > -----Original Message-----
> > > From: Woloss, Rick (INV-EDH) [mailto:[EMAIL PROTECTED]]
> > > Sent: Wednesday, May 22, 2002 1:14 PM
> > > To: Mike Burden; [EMAIL PROTECTED]
> > > Subject: RE: [gb-users] SNMP Management
> > >
> > > No joke, pal.
> > >
> > > Rick Woloss
> > > Network Engineer
> > > |D|S|T| INNOVIS TM
> > > connecting people through technology
> > > work (916) 941-4262
> > > mobile (916) 296-7465
> > > [EMAIL PROTECTED]
> > >
> > > -----Original Message-----
> > > From: Mike Burden [mailto:[EMAIL PROTECTED]]
> > > Sent: Wednesday, May 22, 2002 10:12 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [gb-users] SNMP Management
> > >
> > > SNMP on the firewall? Please tell me that you're joking!
> > >
> > > Mike Burden
> > > Lynk Systems
> > > http://www.lynk.com
> > > (616)532-4985
> > > [EMAIL PROTECTED]
> > >
> > > > -----Original Message-----
> > > > From: Woloss, Rick (INV-EDH) [mailto:[EMAIL PROTECTED]]
> > > > Sent: Tuesday, May 21, 2002 6:25 PM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: [gb-users] SNMP Management
> > > >
> > > > Ver3.1.3 GB1000
> > > > Is anyone able to SNMP monitor this appliance? Is there a configurable
> > > > community string?
> > > >
> > > > Thanks in advance
> > > > Rick Woloss
> > > > Network Engineer
> > > > |D|S|T| INNOVIS TM
> > > > connecting people through technology
> > > > work (916) 941-4262
> > > > mobile (916) 296-7465
> > > > [EMAIL PROTECTED]
> > > >
> > > > Notice: This e-mail and any attachments are intended only for the
> > > > individual or company to which it is addressed and may contain
> > > > information which is privileged, confidential and prohibited from
> > > > disclosure or unauthorized use under applicable law. If you are not
> > > > the intended recipient of this e-mail, you are hereby notified that
> > > > any use, dissemination, or copying of this e-mail or the information
> > > > contained in this e-mail is strictly prohibited by the sender. If you
> > > > have received this transmission in error, please return the material
> > > > received to the sender and delete all copies from your system. Thank you.

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
To subscribe to the digest version first unsubscribe, then
e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Archive of the last 1000 messages:
http://www.mail-archive.com/[email protected]
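Editor's added example, not code from the thread, from GTA or from GNAT Box: it demonstrates the two points Frank and Danny make above, that an SNMPv1 community string is readable to anyone on the path (the same holds for SNMPv2c, which the thread does not mention), and that a filter admitting only listed management hosts to ports 161/162 plus non-default community strings is the practical mitigation. Everything here is constructed for the example: the management network 10.0.0.0/24, the source addresses, and the SNMP datagrams, which `build_v1_get` assembles in BER so the decoder has realistic input to read offline.

```python
"""Added illustration of the two controls raised in this thread: SNMPv1/v2c
community strings travel in clear text, so restrict who can reach the SNMP
ports and never leave the defaults. Not GNAT Box code; the management
network, addresses and packets below are constructed for the example."""
from ipaddress import ip_address, ip_network

SNMP_PORTS = {161, 162}                      # agent and trap ports from the thread
DEFAULT_COMMUNITIES = {"public", "private"}  # factory read-only / read-write strings


def _tlv(tag, value):
    """Encode one BER TLV (short-form length only, values under 128 bytes)."""
    if len(value) >= 128:
        raise ValueError("short-form BER only")
    return bytes([tag, len(value)]) + value


def build_v1_get(community, oid=b"\x2b\x06\x01\x02\x01\x01\x01\x00", request_id=1):
    """Build an SNMPv1 GetRequest for sysDescr.0 (the default OID bytes) so the
    example has a realistic datagram to inspect without any network access."""
    varbind = _tlv(0x30, _tlv(0x06, oid) + _tlv(0x05, b""))          # OID, NULL
    pdu = _tlv(0xA0,                                                   # GetRequest-PDU
               _tlv(0x02, bytes([request_id])) + _tlv(0x02, b"\x00")
               + _tlv(0x02, b"\x00") + _tlv(0x30, varbind))
    return _tlv(0x30, _tlv(0x02, b"\x00")                              # version 0 = v1
                + _tlv(0x04, community.encode("ascii")) + pdu)


def _read_tlv(buf, pos):
    """Minimal BER reader: returns (tag, value_bytes, position after the TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_snmp_header(datagram):
    """Return (version, community) from a captured SNMP message.
    version 0 is SNMPv1 and 1 is SNMPv2c; both carry the community in the clear,
    which is exactly what a sniffer on the path reads off the wire."""
    tag, body, _ = _read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message: outer SEQUENCE missing")
    tag, version, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version INTEGER missing")
    tag, community, _ = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("community OCTET STRING missing")
    return int.from_bytes(version, "big"), community.decode("ascii", "replace")


def audit_snmp_packet(src_ip, dst_port, datagram, mgmt_networks):
    """Apply the thread's filter idea to one packet: only hosts on the listed
    management networks may reach the SNMP ports. Returns (allowed, findings);
    findings also flag default communities and clear-text protocol versions."""
    if dst_port not in SNMP_PORTS:
        return True, []                          # not SNMP, outside this policy
    src = ip_address(src_ip)
    allowed = any(src in ip_network(net) for net in mgmt_networks)
    findings = []
    if not allowed:
        findings.append(f"deny: {src_ip} is not on a management network")
    version, community = parse_snmp_header(datagram)
    if community in DEFAULT_COMMUNITIES:
        findings.append(f"default community string '{community}' in use")
    if version in (0, 1):
        findings.append("community string sent in clear text (v1/v2c)")
    return allowed, findings


if __name__ == "__main__":
    mgmt = ["10.0.0.0/24"]                      # assumed monitoring segment
    for src, pkt in [("10.0.0.5", build_v1_get("public")),
                     ("192.0.2.7", build_v1_get("s3cr3t-ro"))]:
        ok, notes = audit_snmp_packet(src, 161, pkt, mgmt)
        print(src, "ALLOW" if ok else "DENY", notes)
```

Run it as a script to see the verdicts; the point of the decoder is that recovering the community takes only a two-level BER walk, so the filter on source address, not the string itself, is what keeps an outsider from talking to the agent. A source that is spoofable over UDP is still a weakness this filter does not close, which is the residual risk Frank notes.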
