No, not frightened.  But justifiably concerned.  I don't leave my
credit card statements on my car's dashboard, either.

What benefit do I receive from allowing SNMP through my borders?  On
the other hand, there's nothing in SNMP to stop anyone from launching
a brute-force attack on my community strings.  So, if I allow SNMP in
and out, and if someone is really interested, it would be only a
matter of hours before the community strings were cracked and my
entire network was vulnerable to the intruder.

As far as permitting "trusted users" access via the Internet, I don't
buy it.  You need a management console (a la HP OpenView Network Node
Manager or CA Unicenter) to make effective use of SNMP for management
purposes.  Otherwise, you're just dumping SNMP tables for selected
devices to see what's going on in response to a problem, or setting
a specific variable.  You're not managing, you're troubleshooting. This
could just as readily be handled via SSH or HTTPS (depending on the
device).  For the most part, you're not going to want external users
set as SNMP trap destinations or poll your infrastructure from
external SNMP managers.  Depending on the size of your environment,
that's a lot of data to shuffle across relatively slow links.

I'm familiar with OV-NNM, and I know that you have two secure
mechanisms to access the NNM console remotely without exposing SNMP
traffic to the Internet:

  HTTPS - The OpenView Management "Server" can provide a web browser
          interface to most functions using HTTPS and requiring user
          authentication

  Share - Remote OV Management "Stations" can access the "Server"
          using standard SMB or NFS shares, which can be secured via
          VPN.  Since all the SNMP traffic goes to the "Server" 
          (not really a server, but the main management console),
          only map data, alerts and user interaction goes across the
          Internet via VPN.

So, in principle I agree that having remote capabilities to manage
and troubleshoot your environment is helpful, but this can be done
more efficiently through methods that don't expose management data
on insecure network links.


> -----Original Message-----
> From: Pradeep Kumar [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, December 08, 2001 9:12 PM
> To: Mark Medici; Christopher Vittek; [EMAIL PROTECTED]
> Subject: RE: SNMP security 
> 
> Mark - are you frightened :-). SNMP v3 will address the fears of such
> users who don't "I would never allow SNMP in from or out to the Internet."
> 
> I look at this as an advantage - I can have my trusted users on the
> internet manage the network devices 24 X 7 from a geographically
> spread location.
> 
> Serious abt V3.
> Pradeep
> 
> 
> -----Original Message-----
> From: Mark Medici [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, November 27, 2001 9:07 AM
> To: Christopher Vittek; [EMAIL PROTECTED]
> Subject: RE: SNMP security
> 
> 
> Why in the world would you let SNMP through your firewall regardless?
> Unless it's the interior border of your DMZ allowing SNMP from specific
> hosts on the fully-protected internal networks to specific hosts inside
> the DMZ and back again.
> 
> I would never allow SNMP in from or out to the Internet.
> 
> Just my 2 cents.
> 
> 

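As an added example that is not part of this thread, the policy Mark describes (SNMP only between specific internal management hosts and specific DMZ hosts, and back) written as a check over firewall log lines, plus a count of out-of-policy SNMP sources, which is the kind of repeated external polling that community-string guessing produces. The log format, subnets, port set and threshold are all assumptions; the log lines are constructed.

```python
"""Check border firewall log lines against an SNMP-only-between-known-hosts policy."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

SNMP_PORTS = {161, 162}                            # SNMP get/set and trap ports
TRUSTED_MANAGERS = [ip_network("10.0.5.0/24")]     # assumed internal NNM console subnet
DMZ_AGENTS = [ip_network("192.0.2.0/24")]          # assumed DMZ hosts that may be polled

# Assumed log format: "<timestamp> src=<ip> dst=<ip> dport=<port>"
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")


def in_any(addr, nets):
    return any(addr in net for net in nets)


def classify(line):
    """Return 'allowed' or 'deny' for SNMP traffic, None for non-SNMP or unparsable lines."""
    m = LINE_RE.match(line)
    if not m or int(m["dport"]) not in SNMP_PORTS:
        return None
    src, dst = ip_address(m["src"]), ip_address(m["dst"])
    # Policy from the thread: manager -> DMZ agent (polls) or DMZ agent -> manager (traps).
    manager_to_agent = in_any(src, TRUSTED_MANAGERS) and in_any(dst, DMZ_AGENTS)
    agent_to_manager = in_any(src, DMZ_AGENTS) and in_any(dst, TRUSTED_MANAGERS)
    return "allowed" if (manager_to_agent or agent_to_manager) else "deny"


def guessing_sources(lines, threshold=20):
    """Out-of-policy sources sending at least `threshold` SNMP packets: worth investigating."""
    counts = defaultdict(int)
    for line in lines:
        if classify(line) == "deny":
            counts[LINE_RE.match(line)["src"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


# Constructed sample: 5 legitimate polls, 25 external SNMP packets at one DMZ host,
# and one external host touching a DMZ host once on 161 and once on 22.
SAMPLE_LOG = (
    [f"2001-12-09T03:00:{i:02d} src=10.0.5.10 dst=192.0.2.20 dport=161" for i in range(5)]
    + [f"2001-12-09T03:01:{i:02d} src=198.51.100.7 dst=192.0.2.20 dport=161" for i in range(25)]
    + ["2001-12-09T03:02:00 src=203.0.113.9 dst=192.0.2.21 dport=161",
       "2001-12-09T03:02:01 src=203.0.113.9 dst=192.0.2.21 dport=22"]
)

if __name__ == "__main__":
    print(guessing_sources(SAMPLE_LOG))   # {'198.51.100.7': 25}
```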