Taking up Vilius's workaround suggestion, if you implemented a firewall rule 
actually on your spectrum server and block outbound ICMP traffic, that will stop 
it ever reaching the network.

The point about spectrum using SNMP and Ping. This actually gives it more 
intelligence and this is a major reason for things being implemented the way they 
are. If you rely on using SNMP only then a non-responding SNMP agent, or the 
accidental misconfiguration of it, will result in a lost contact alarm which 
isn't necessarily correct. This can mess up availability reports big time.
Over the years I have monitored a number of switch models which stop responding 
to SNMP from time to time and need to be rebooted to rectify this fault. As 
you would expect getting a change control to reboot a device isn't always easy 
and until that happens you are stuck with putting the device into maintenance 
mode and accruing down time / unmanaged time in your availability reports. If 
you are using Spectrum Service Manager would be a real.
So in short, the fact that Spectrum uses both ICMP and Ping is usually a good 
thing and gives it an advantage over systems where you are forced to use one or 
the other.

From: Christian Fieres [mailto:c.fie...@mainova.de]
Sent: 05 August 2016 10:38
To: spectrum <spectrum@listserv.unc.edu>
Subject: Antwort: Re: [spectrum] SPECTRUM without Ping?

Vilius, Stephen (and David :-),

I'm afraid in terms of server hardening - and this is the point this whole mess 
started -, just those servers that *cannot* be hardened will thus be put behind 
a sophisticated application layer firewall and might be allowed to be reachable 
by ICMP (by means of a firewall rule). The devices that *can* be hardened and 
thus *not* be put behind this firewall are the ones I am talking about as there 
(supposedly) has been a decision by management that ICMP will be blocked as a 
part of the whole security package.

I guess it will, as David wrote, be a question of opening the local firewalls 
to certain ICMP type packets from the SpectroSERVERs or deciding to use a 
system other than SPECTRUM to do management. Which, of course, means migration 
needs that no one might be willing to pay for.

Nonetheless, I am with Stephen here, it is a very interesting question since 
for SPECTRUM, Ping and SNMP have always been in a marriage, which might not be 
very state of the art nowadays. Wonder what CA would say about this...

Kind regards

Christian Fieres

Mainova AG
Network and Infrastructure Section (M3-ST4)
Team Lead, Service Operation Center
Solmsstraße 38
60623 Frankfurt am Main

Phone 069 213 23617
Mobile 0170 5601563
Fax 069 213 9623617
E-mail c.fie...@mainova.de
Internet http://www.mainova.de
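
The compromise mentioned in this message, opening the local firewall to certain ICMP types from the SpectroSERVERs only, could look like this on a Linux host using nftables. This is an added example, not part of the thread; the table and set names and the 192.0.2.x addresses are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the thread. IPv4 only.
# Addresses are constructed placeholders from the RFC 5737 documentation range.

table ip hostfw {
    # Assumption: the SpectroSERVERs that poll this host.
    set spectroservers {
        type ipv4_addr
        elements = { 192.0.2.10, 192.0.2.11 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept

        # Echo requests are answered only for the management servers.
        # From any other source they fall through to the drop policy,
        # so the host stays silent to ping sweeps.
        ip saddr @spectroservers icmp type echo-request accept

        # ICMP error messages the IP stack relies on (path MTU discovery,
        # routing loops). Dropping every ICMP type would break these too.
        icmp type { destination-unreachable, time-exceeded, parameter-problem } accept

        # SNMPv3 polling from the same servers.
        ip saddr @spectroservers udp dport 161 accept

        # Other services this host offers need their own accept rules here.
    }
}
```

The rule set can be syntax-checked without loading it using `nft -c -f <file>`.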




From:        Vilius Benetis <vilius.bene...@gmail.com>
To:        "spectrum" <spectrum@listserv.unc.edu>
Cc:        spectrum <spectrum@listserv.unc.edu>
Date:        05.08.2016 11:26
Subject:        Re: [spectrum] SPECTRUM without Ping?
________________________________



What about putting in a firewall to block ICMP from spectrum to restricted devices?

-vilius

On 05 Aug 2016, at 12:14, Stephen Warne <stephenwa...@karelia-ns.com> wrote:

Hi David and Christian
I think that Christian's requirement might be that Spectrum never pings devices 
to keep the security team off his back?
I am not aware of any way to prevent spectrum attempting to ping after snmp 
contact failures but would be very interested if you or others know a way of 
changing this default behaviour.
Regards
Stephen.

From: David Game [mailto:david.g...@uk.logicalis.com]
Sent: 05 August 2016 09:58
To: spectrum <spectrum@listserv.unc.edu>
Subject: RE: [spectrum] SPECTRUM without Ping?

There's an option in discovery to not ping before trying SNMP poll - works OK. 
We have this policy on a couple of high-security customers and around some of 
our own environment.

With regards to devices already discovered, SNMP polling is always first 
anyway, so normal operation shouldn't be affected.  The only thing is on a 
"CONTACT LOST TO DEVICE" alarm, the "are you there yet?" pings every 60 seconds 
or so obviously won't work, so it could be up to one or two poll cycles before 
the alarm clears.

Dave

David K. Game
Infrastructure Management Systems Consultant
Logicalis UK Ltd

110 Buckingham Avenue, Slough, Berkshire, SL1 4PF


From: Christian Fieres [mailto:c.fie...@mainova.de]
Sent: 05 August 2016 09:31
To: spectrum <spectrum@listserv.unc.edu>
Subject: [spectrum] SPECTRUM without Ping?

Hi all,

rumour has it our security policy leads to all our servers being prevented from 
answering ICMP echo requests soon. As it so happens, we as network management 
specialists have never been asked about implications of such a decision. ;-) 
Hopefully it stays a rumour, but you never know - so I'd like to be prepared.

Easy question, although I assume I know the answer: Has anybody ever tried to 
come up with a (simple) solution to obsolete ICMP in regards to SPECTRUM 
management? I am not talking about SPM tests to those servers as a replacement, 
it is mandatory to continue using SNMPv3 for RFC2790 stuff et cetera.

Best regards,
Christian Fieres
