This is not dangerous - I do not expect any idiot to open SNMP from outside (SNMP is an excellent protocol, which can crash ANY device in the world; I crashed a 6509 switch and a PIX firewall in a few days when debugging the new 'snmpstat' system). And moreover, Cisco allows you to lock the IP and file name for SNMP/TFTP.

On the other hand, using 'expect' is not difficult and is much more flexible. Most problems are with PIXes with their paranoia, which causes a necessity to know the enable password for any simple action... I'll send my old expect script here tomorrow, if someone wants (it is not big). The new script uses cryptography to remember passwords, so it became more secure, but the idea is the same...

----- Original Message -----
From: "Christopher L. Morrow" <[EMAIL PROTECTED]>
To: "Scott McGrath" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, November 25, 2003 1:51 PM
Subject: RE: [Activity logging & archiving tool]

> On Tue, 25 Nov 2003, Scott McGrath wrote:
>
> > CiscoWorks also polls the devices for configuration changes and generates
> > a diff if you so desire. If you have set up AAA you will have an audit
> > log of when changes were applied and who applied them.
> >
> > Scott C. McGrath
>
> I'm fairly certain that the tacacs standard implementations available on
> the cisco routers log out changes to the config made by users... That and
> a little log parsing magic and you have this data also. Be cautious that
> some of the EMS systems will grab configs through snmp WRITE initiated
> tftp writes, this could be dangerous if your routers are publicly
> accessible :)
>
> -Chris
