That is completely true. I probably should have gone on and mentioned a firewall that did. I was technically referring to CheckPoint's setup in this case. It would be good for more firewalls to become application/data/packet compliant and to be able to do more on an application level.
chris

-----Original Message-----
From: Robert D. Hughes [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 15, 2001 4:37 PM
To: Christopher Vittek; JC; [EMAIL PROTECTED]
Subject: RE: SNMP security

True, but only if you're running a firewall that supports an SNMP proxy, and that proxy supports filtering of commands. If your firewall is of the packet filter variety or the proxy is just a circuit-level proxy, you won't be able to do that. Let's hope more vendors start supporting SNMP V3 soon, and that they actually implement it in a way that works and is at least fairly uniform.

Rob

-----Original Message-----
From: Christopher Vittek [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 15, 2001 1:09 PM
To: Robert D. Hughes; JC; [EMAIL PROTECTED]
Subject: RE: SNMP security

I don't know if this would tie in. If you have a firewall, you can secure SNMP a little more by allowing the firewall to do application-level securing and allow SNMP gets while disallowing sets. This might help in securing SNMP a little more.

Chris

-----Original Message-----
From: Robert D. Hughes [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 13, 2001 11:00 PM
To: JC; [EMAIL PROTECTED]
Subject: RE: SNMP security

This was just posted to the list Monday, but I'll go ahead and repeat it and see if the moderator passes it.

As far as SNMP, use a long string of mixed alphanumeric characters for your community string and set explicit rules to only allow it to the required devices, along with the associated replies, in addition to traps from any required devices. SNMP, other than V3, does not support encryption or authentication, and most devices and management applications do not support SNMP V3. A few do, such as OpenNMS or OpenView Network Node Manager with the SNMP Research security pack. However, devices have only very recently started to support SNMP V3, such as Cisco in a recent IOS release, NET-SNMP, and a few others.

Also, for monitoring purposes, all community strings should be set to RO. If sets (RW) are required, limit them to internal devices and set the allowed managers to a single internal source.

Rob

-----Original Message-----
From: JC [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 12, 2001 3:07 PM
To: [EMAIL PROTECTED]
Subject: SNMP security

Hi Folks,

SNMP security has been stated as one of the biggest security holes in companies' networks today. I would like to ask all of the gurus out there what you are doing in your organization to secure SNMP. If you had a network where you were given complete control and you didn't have to accommodate anyone, what would you do to secure SNMP?

JC
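The thread's recommendations (a long community string, a single allowed manager address, and an application-level proxy that passes SNMP gets but refuses sets) all hinge on the fact that in SNMPv1/v2c the community string and the PDU type sit in cleartext in the BER-encoded message. The following Python is an added example written for this page, not code from any poster or product in the thread: it parses an SNMP message just far enough to read the version, community string and PDU type, then applies such a policy the way an application-level SNMP proxy would have to. The community string value, the manager address 10.0.0.5, the function names and the test packets are all constructed for the example. A plain packet filter cannot make this decision because it never looks past the UDP header, which is Rob's point about circuit-level proxies. For SNMPv3 the community check does not apply (the field is replaced by a header structure and authentication moves to the agent), so the filter only pins the manager address there.

```python
"""Inspect SNMPv1/v2c messages and enforce a gets-only, pinned-manager policy.

Added example: the packets below are constructed inline, not captured traffic.
BER layout of a community-based message:
  SEQUENCE { INTEGER version, OCTET STRING community, [pdu-tag] PDU }
"""

# Context-specific tags of the PDU that follows the community string.
PDU_TYPES = {
    0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
    0xA3: "SetRequest", 0xA4: "Trap", 0xA5: "GetBulkRequest",
    0xA6: "InformRequest", 0xA7: "SNMPv2-Trap",
}
VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}
READ_PDUS = {"GetRequest", "GetNextRequest", "GetBulkRequest"}

# Hypothetical policy values: a long mixed community string and one internal NMS.
RO_COMMUNITY = "q7Vx2mL9pT4kZ1wNbH6s"
ALLOWED_MANAGERS = {"10.0.0.5"}


def _read_tlv(buf, pos):
    """Decode one BER TLV at pos; return (tag, value, position after it)."""
    try:
        tag, length = buf[pos], buf[pos + 1]
        pos += 2
        if length & 0x80:  # long form: low 7 bits count the length octets
            n = length & 0x7F
            length = int.from_bytes(buf[pos:pos + n], "big")
            pos += n
    except IndexError:
        raise ValueError("truncated TLV header")
    if pos + length > len(buf):
        raise ValueError("TLV length exceeds packet")
    return tag, buf[pos:pos + length], pos + length


def parse_snmp(packet):
    """Return {'version', 'community', 'pdu_type'}; raise ValueError if malformed."""
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("outer SEQUENCE missing")
    tag, ver, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version is not INTEGER")
    version = int.from_bytes(ver, "big")
    if version == 3:
        # v3 carries a HeaderData SEQUENCE here, not a community string.
        return {"version": "v3", "community": None, "pdu_type": None}
    tag, community, pos = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("community is not OCTET STRING")
    pdu_tag, _, _ = _read_tlv(body, pos)
    return {"version": VERSIONS.get(version, "unknown(%d)" % version),
            "community": community.decode("latin-1"),  # cleartext on the wire
            "pdu_type": PDU_TYPES.get(pdu_tag, "unknown(0x%02x)" % pdu_tag)}


def filter_snmp(src_ip, packet, ro_community=RO_COMMUNITY,
                allowed_managers=ALLOWED_MANAGERS):
    """Proxy decision: ('allow'|'drop', reason) for a request arriving from src_ip."""
    try:
        msg = parse_snmp(packet)
    except ValueError as err:
        return "drop", "malformed: %s" % err
    if src_ip not in allowed_managers:
        return "drop", "manager %s not allowed" % src_ip
    if msg["version"] == "v3":
        return "allow", "v3: authentication left to the agent's USM"
    if msg["community"] != ro_community:
        return "drop", "community string mismatch"
    if msg["pdu_type"] not in READ_PDUS:
        return "drop", "%s not permitted (gets only)" % msg["pdu_type"]
    return "allow", msg["pdu_type"]


def build_snmp(version, community, pdu_tag, request_id=1):
    """Constructed v1/v2c message with one varbind (sysDescr.0 = NULL)."""
    def tlv(tag, value):
        assert len(value) < 128  # short-form length is enough here
        return bytes([tag, len(value)]) + value

    def integer(n):
        assert 0 <= n < 128
        return tlv(0x02, bytes([n]))

    oid = tlv(0x06, bytes([0x2B, 6, 1, 2, 1, 1, 1, 0]))   # 1.3.6.1.2.1.1.1.0
    varbinds = tlv(0x30, tlv(0x30, oid + tlv(0x05, b"")))
    pdu = tlv(pdu_tag, integer(request_id) + integer(0) + integer(0) + varbinds)
    return tlv(0x30, integer(version) + tlv(0x04, community) + pdu)


if __name__ == "__main__":
    good = RO_COMMUNITY.encode()
    for src, pkt in [("10.0.0.5", build_snmp(1, good, 0xA0)),
                     ("10.0.0.5", build_snmp(1, good, 0xA3)),
                     ("10.0.0.5", build_snmp(1, b"public", 0xA0)),
                     ("192.0.2.9", build_snmp(1, good, 0xA0)),
                     ("10.0.0.5", b"\x30\x03\x02\x01")]:
        print(src, filter_snmp(src, pkt))
```

Running the block prints one decision per constructed packet: the GetRequest with the right community from the allowed manager passes, the SetRequest, wrong community, foreign source and truncated packet are dropped. Note that the filter still sees the community string in cleartext, which is why the thread treats v1/v2c as unauthenticated no matter how long the string is.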