Hi. Just to add my two cents to this talk (even though I probably should not :)... I understand both sides of this talk: on one hand we've got Cisco (kinda the new MS in some eyes) and on the other hand we've got DIY security. I like with DIY the fact that you've got total control to build the security device on whatever OS and using whatever features are needed for that particular client/network... but you have to remember that it is MUCH more difficult to manage this and much harder (if your clients have any security knowledge) to prove to them that this is a secure solution, due to the fact that it is built upon an OS which is publicly available and has known inherent weaknesses and holes (I'm not talking BSD specific, but all OSes have holes/vulnerabilities).

But with the PIX, sure you have to deal with Cisco and you don't have the penultimate in functionality (will not route a packet back out the same interface on which it was received :( ), but you've got a 'secure' hardened OS which is so stripped down and tested that there really are not a whole lot of inherent security holes/vulnerabilities, due to the fact that it is a closed operating system (security through obscurity) (FinesseOS, which is built upon what was an open system and tested as an open system)... um, I've got to cut this short and run... just my two cents... Thanks
-----Original Message-----
From: James [mailto:[EMAIL PROTECTED]]
Sent: Saturday, May 15, 2004 1:02 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [jffnms-users] Cisco PIX firewall save configs?

lindsay wrote:
> Well, I'm not really interested in getting into an argument, I see
> where you're coming from, however, it was explained to me (on a PIX
> firewall course that I did late last year) that Cisco will only support
> Read Only communities, not Read Write, purely for added security.

That's my point. I never mentioned or cared about writing, via SNMP, to a Cisco or any other device. If you really require that functionality, you put an ether-to-serial protocol translator device on the serial (console) port of the device, and have your 'remote writes' via any protocol/security semantic you want. In fact this is thousands of times easier and more secure than using something that is vendor supplied and used by millions of folks. If you want to see one, look at ntop and their neat little 'nbox' device. I've been doing that little trick for over a decade now, and my custom little hack boxes are the only thing I have to worry about, and I can use them on hundreds of different serial ports. If you really want to make it cool, set it up as a bridged firewall, like what you can do with PF (packet filter) on OpenBSD.

I never mentioned or cared about the lack of SNMP writes in a PIX. Personally, I never deploy Cisco PIX, as my customers need real, unique security, that I build on OpenBSD. I was pointing out the fallacy in stating that, well, you use SNMP, it's hacked and has security holes. SECURE your deployment, and you can use SNMP 1 quite robustly encapsulated in a secure data channel. You can purchase/use all of the proposed secure stuff in the world, and if it is not properly (securely) implemented, then a "quote secure" environment is not really secure.
SNMP gets blamed a lot for problems, mostly because MS admins get frustrated with MS and try to apply technology in an MS environment that is not complete. I know unix admins that do the same thing, but they are usually willing to learn. MS_idiots just bad_mouth things that do not work as they envisioned.

> Yeah sure, you can change the config via ssh session (using the virtual
> terminal) and via https (using the PIX Device Manager) which supports
> your view that SSL connections are secure.

Yes, there are many scenarios to write to a remote device.

> Don't get me wrong, I love Cisco products,

I do not like Cisco. I use Cisco where customers require Cisco.

> but like everything else, Cisco has declared its vulnerabilities (and
> had to defer some IOS releases accordingly),

Um, you might want to rethink statements like this... or gain some diversified experience, as hackers routinely 'pop the cherry' on Cisco white lies... They are almost as bad as MS now...

> but unlike some product lines, this is a very rare occurrence, I only
> recall a small handful of occurrences (about 5 or 6), but a lot of these
> vulnerabilities that Cisco found are with SNMP, in fact half of the
> announced vulnerabilities I recall are SNMP vulnerabilities (about 3).

Again, SNMP has never been the problem. SNMP 1 and 2 were never designed to be secure. SNMP 1 and 2 can be used securely, by admins who know how to build and run secure networks.

> At the end of the day, the Cisco PIX only supports Read Only SNMP

Again, not an issue for me, not now, never. As you point out, there are lots of ways to get around this semantic.

> communities on their PIX firewall at the moment, I thought that made
> sense considering that it's likely this firewall appliance would be
> protecting a large organisation, maybe even a bank or a financial
> institution where security is paramount.
> We could get into a lengthy discussion on securing SNMP devices, such
> as how access lists should be built, what passwords should be set (ie. do
> not use 'private' or 'public'), and what version of SNMP should be
> used, but I would take that off list first. I'm sure most of the SNMP
> vulnerabilities have been successfully exploited because of
> configuration weaknesses, not the other way round.
>
> Hey, if you have a problem with the PIX not supporting Read Write SNMP
> communities using SNMPv3, why don't you take it up with Cisco?

Personally, my clients and others require greater security than a Cisco PIX. When you use a Cisco PIX you are only promoting Cisco. When you take a computer and build a unique firewall or IDS, then you are distinguishing yourself as a security expert... It's your future...

James

> -----Original Message-----
> From: James [mailto:[EMAIL PROTECTED]]
> Sent: Friday, 14 May 2004 16:20
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: [jffnms-users] Cisco PIX firewall save configs?
>
> http://advocacy.postgresql.org/
>
> Lindsay Druett wrote:
>
>> Sorry Javier, I might as well jump in here...
>>
>> Basically the Cisco PIX only supports Read Only SNMP communities.
>>
>> They don't support Read Write for a very good reason, and that is so
>> that there is no way someone can change the configuration on a PIX
>> using SNMP, as SNMP fundamentally does have a few security flaws.
>
> OH YEA sure,
>
> Cisco tells me their security, including
> snmp(2) over sshd, is impenetrable?
>
> As an old OpenBSD bigot, I find it hard
> to believe (Cisco) but, you have not
> provided any evidence that Cisco's snmp3
> over sshd (the latest patched versions)
> has security holes.
>
> Show me da money...?
> James

_______________________________________________
jffnms-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jffnms-users
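The thread's practical point, that most SNMP problems come from configuration weakness (default 'public'/'private' community strings, communities without an access list, read-write communities on v1/v2c, no SNMPv3), is the kind of thing a configuration audit can catch before a device is deployed. The following is an added example, not code from the thread, from JFFNMS or from Cisco: a small Python audit that scans config text for those weaknesses. It assumes Cisco IOS-style syntax of the form `snmp-server community <string> [RO|RW] [acl]` and `snmp-server group <name> v3 priv`; the sample configurations are constructed for the example, and the weak configuration is shown beside a hardened one that produces no findings.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in Cisco IOS style (assumed syntax, not taken from the thread).
# It deliberately carries the weaknesses the thread warns about.
WEAK_CONFIG = """\
hostname edge-fw
snmp-server community public RO
snmp-server community private RW
snmp-server community n0tDefault RO 10
snmp-server community v2only RO
snmp-server group ops v3 priv
snmp-server user monitor ops v3 auth sha AUTHPASS priv aes 128 PRIVPASS
access-list 10 permit 10.0.0.5
"""

# The same device with the weak settings corrected: a non-default read-only
# community tied to an access list, plus an SNMPv3 authPriv group.
HARDENED_CONFIG = """\
hostname edge-fw
access-list 10 permit 10.0.0.5
snmp-server community S3cret-Str1ng RO 10
snmp-server group ops v3 priv
snmp-server user monitor ops v3 auth sha AUTHPASS priv aes 128 PRIVPASS
"""

DEFAULT_COMMUNITIES = {"public", "private"}

# Assumed line shapes: "snmp-server community <string> [RO|RW] [acl]"
COMMUNITY_RE = re.compile(
    r"^snmp-server\s+community\s+(\S+)(?:\s+(RO|RW))?(?:\s+(\S+))?\s*$", re.I
)
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+", re.I)
V3_PRIV_RE = re.compile(r"^snmp-server\s+group\s+\S+\s+v3\s+priv", re.I)


@dataclass
class Finding:
    line: str      # the config line that triggered the finding
    severity: str  # "high", "medium" or "low"
    reason: str


def audit_snmp(config: str) -> list[Finding]:
    """Return configuration weaknesses found in IOS-style SNMP settings."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    defined_acls = {m.group(1) for ln in lines if (m := ACL_RE.match(ln))}
    has_v3_priv = any(V3_PRIV_RE.match(ln) for ln in lines)

    findings: list[Finding] = []
    for ln in lines:
        m = COMMUNITY_RE.match(ln)
        if not m:
            continue
        community, mode, acl = m.group(1), (m.group(2) or "RO").upper(), m.group(3)
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append(Finding(ln, "high", f"default community string '{community}'"))
        if mode == "RW":
            findings.append(Finding(ln, "high", "read-write community over SNMPv1/v2c"))
        if acl is None:
            findings.append(Finding(ln, "medium", "community not restricted by an access list"))
        elif acl not in defined_acls:
            findings.append(Finding(ln, "medium", f"access-list {acl} is referenced but not defined"))
    if not has_v3_priv:
        findings.append(Finding("(global)", "low", "no SNMPv3 authPriv group configured"))
    return findings


def count_by_severity(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for f in audit_snmp(cfg):
            print(f"[{f.severity}] {f.reason}: {f.line}")
```

On the weak sample the audit reports the two default community strings, the read-write community, and the three communities with no access list; the hardened sample produces no findings. Run it against a saved running-config before a device goes live; the SNMPv3 check is deliberately only a low-severity note, because, as the thread itself argues, v1/v2c confined by an access list and carried inside a secure channel can be an acceptable deployment.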
