Hi Stephen,

I wouldn't want to implement such a huge change in behaviour myself either ;-) As we have learned, there is this "support_ICMP" attribute that prevents, if set to false, pings to the device. IMHO, all that's left to do is make this attribute available to the new model by ip/name dialog boxes. Shouldn't be too hard for CA!

Kind regards

Christian Fieres
Mainova AG
Network and Infrastructure Section (M3-ST4)
Team Leader, Service Operation Center
Solmsstraße 38
60623 Frankfurt am Main
Phone 069 213 23617
Mobile 0170 5601563
Fax 069 213 9623617
Email c.fie...@mainova.de
Web http://www.mainova.de

From: Stephen Warne <stephenwa...@karelia-ns.com>
To: "spectrum" <spectrum@listserv.unc.edu>
Date: 08.08.2016 15:28
Subject: RE: Antwort: Re: Antwort: RE: Antwort: Re: [spectrum] SPECTRUM without Ping?

Hi Christian

1. Your security people don't want icmp on the network - box ticked.
2. You can't stipulate SNMP only on Spectrum so the functionality of receiving "management agent lost" wouldn't be available to you anyway.

So the fact that Spectrum doesn't get a response to ping when SNMP polling fails will mean that a contact lost will be generated as the attempt to ping will not get a response... which if you think about it is correct.

The only issue I can think of is if this would drive Spectrum nuts if it uses ping at any time other than in an SNMP lost contact situation. Obviously Ping only models would be a no-no ;-) as would having any SPM ICMP tests, but I'm not sure if ICMP would be used at any other time during normal operation or at startup (haven't sniffed it to find out).

I should add at this point that if you do choose to implement this workaround it is entirely at your own risk and like any customisation should be thoroughly tested in your lab environment first. I personally would not implement this to be honest, it's just an idea in case you are stuck between the proverbial rock and a hard place :-)

I will go and vote up your idea as having the functionality built in and supported is the way to go.

Regards
Stephen.

From: Christian Fieres [mailto:c.fie...@mainova.de]
Sent: 08 August 2016 12:26
To: spectrum <spectrum@listserv.unc.edu>
Subject: Antwort: Re: Antwort: RE: Antwort: Re: [spectrum] SPECTRUM without Ping?

Stephen,

okay, I get it.
Though I don't think preventing the ICMP packets from leaving the server will do it, because in that case SPECTRUM won't get replies either and will alarm the device. Or am I getting something wrong here? ;-)

I have created an idea document in the Infrastructure Management community on ca.com: https://communities.ca.com/ideas/235732324

Even if our management decides to drop the plans or not to implement them in the first place - we are still talking rumours here! -, I understand that I am not the only one interested in such a feature.

Kind regards

Christian Fieres

From: Stephen Warne <stephenwa...@karelia-ns.com>
To: "spectrum" <spectrum@listserv.unc.edu>
Cc: spectrum <spectrum@listserv.unc.edu>
Date: 05.08.2016 18:14
Subject: Re: Antwort: RE: Antwort: Re: [spectrum] SPECTRUM without Ping?

Hi Christian

Sorry, what I meant was to take Vilius's suggestion and take it to the next level by stopping the icmp packets even getting off the server by utilising the server's firewall :-) I think this could be a quick and dirty workaround for your situation?

I totally agree with everything you say and IMHO the ability to choose to 'dumb down' Spectrum by being able to choose to use SNMP only would be a good enhancement request which I for one would vote up on the community. In fact, thinking about this, it would be preferable to have that option per LAN container / subnet / IP address so that a hybrid approach could be used so that for devices where ping is ok you wouldn't lose functionality.

CA need to be aware that other vendors could use this issue to beat them up when selling to security conscious customers! Therefore it is in their commercial as well as technical interest to provide this choice.

Regards
Stephen.

Sent from my iPhone

On 5 Aug 2016, at 12:13, Christian Fieres <c.fie...@mainova.de> wrote:

Stephen,

I guess I misunderstood Vilius' suggestion - and I believe he meant it just like I understood, that is put a firewall between the servers and SPECTRUM that blocks ICMP traffic from all stations EXCEPT SPECTRUM. ;-)

I am totally with you - especially in rather unstable environments, the slightest change in latency and bandwidth availability can screw your SNMP communication and there you go. Ping and SNMP are the perfect couple - EXCEPT in cases you just cannot use one of them. Let's be honest, you have your Pingable devices, so why not have your SNMP only devices - as a CHOICE? I am absolutely no friend of global restrictions, and I don't want to be misunderstood in that matter: My intention would be to just disable Ping necessity on certain devices.

In fact, we do have a use case right now; we have a server (rather an appliance when it comes to limited administration) which simply cannot be configured to reply to ICMP packets. What we did is build a Correlation domain that fires an alarm as soon as two TCP tests on port 443 from two different IP-SLA test routers time out. This not only says the server is not reachable but merely points to an actual problem with its HTTPS server. What we cannot do is manage the process that serves port 443 although the box answers to SNMP packets. *sigh* It could all be so easy.

Frankly, I am a little afraid that eventually this might be escalating and someone (with a higher income than mine) comes up with the idea that an Icinga or something might be an alternative to SPECTRUM and forces me to do a quick and dirty migration that destroys all the good work we have done over the years. Guess I'll have to double check the policies around here and proactively place an enhancement request with CA...

Kind regards

Christian Fieres

From: Stephen Warne <stephenwa...@karelia-ns.com>
To: "spectrum" <spectrum@listserv.unc.edu>
Date: 05.08.2016 12:53
Subject: RE: Antwort: Re: [spectrum] SPECTRUM without Ping?

Taking up Vilius's workaround suggestion, if you implemented a firewall rule actually on your spectrum server and blocked outbound ICMP traffic, that will stop it ever reaching the network.

The point about spectrum using SNMP and Ping. This actually gives it more intelligence and this is a major reason for things being implemented the way they are. If you rely on using SNMP only then a non responding SNMP agent, or the accidental misconfiguration of it, will result in a lost contact alarm which isn't necessarily correct. This can mess up availability reports big time. Over the years I have monitored a number of switch models which stop responding to SNMP from time to time and need to be rebooted to rectify this fault. As you would expect, getting a change control to reboot a device isn't always easy and until that happens you are stuck with putting the device into maintenance mode and accruing down time / unmanaged time in your availability reports. If you are using Spectrum Service Manager would be a real.

So in short, the fact that Spectrum uses both ICMP and Ping is usually a good thing and gives it an advantage over systems where you are forced to use one or the other.

From: Christian Fieres [mailto:c.fie...@mainova.de]
Sent: 05 August 2016 10:38
To: spectrum <spectrum@listserv.unc.edu>
Subject: Antwort: Re: [spectrum] SPECTRUM without Ping?

Vilius, Stephen (and David :-),

I'm afraid in terms of server hardening - and this is the point this whole mess started -, just those servers that *cannot* be hardened will thus be put behind a sophisticated application layer firewall and might be allowed to be reachable by ICMP (by means of a firewall rule). The devices that *can* be hardened and thus *not* be put behind this firewall are the ones I am talking about as there (supposedly) has been a decision by management that ICMP will be blocked as a part of the whole security package.

I guess it will, as David wrote, be a question of opening the local firewalls to certain ICMP type packets from the SpectroSERVERs or deciding to use a system other than SPECTRUM to do management. Which, of course, means migration needs that no one might be willing to pay for.

Nonetheless, I am with Stephen here, it is a very interesting question since for SPECTRUM, Ping and SNMP have always been in a marriage, which might not be very state of the art nowadays. Wonder what CA would say about this...

Kind regards

Christian Fieres

From: Vilius Benetis <vilius.bene...@gmail.com>
To: "spectrum" <spectrum@listserv.unc.edu>
Cc: spectrum <spectrum@listserv.unc.edu>
Date: 05.08.2016 11:26
Subject: Re: [spectrum] SPECTRUM without Ping?

What about putting a firewall to block icmp from spectrum to restricted devices?

-vilius

On 05 Aug 2016, at 12:14, Stephen Warne <stephenwa...@karelia-ns.com> wrote:

Hi David and Christian

I think that Christian's requirement might be that Spectrum never pings devices to keep the security team off his back?
I am not aware of any way to prevent spectrum attempting to ping after snmp contact failures but would be very interested if you or others know a way of changing this default behaviour.

Regards
Stephen.

From: David Game [mailto:david.g...@uk.logicalis.com]
Sent: 05 August 2016 09:58
To: spectrum <spectrum@listserv.unc.edu>
Subject: RE: [spectrum] SPECTRUM without Ping?

There's an option in discovery to not ping before trying SNMP poll - works OK. We have this policy on a couple of high-security customers and around some of our own environment.

With regards to devices already discovered, SNMP polling is always first anyway, so normal operation shouldn't be affected. The only thing is on a "CONTACT LOST TO DEVICE" alarm, the "are you there yet?" pings every 60 seconds or so obviously won't work, so it could be up to one or two poll cycles before the alarm clears.

Dave

*** ADVANCE NOTICE ***
*** I WILL BE ON ANNUAL LEAVE FROM AUGUST 15th THRU AUGUST 19TH INCLUSIVE ***

David K. Game
Infrastructure Management Systems Consultant
Logicalis UK Ltd
110 Buckingham Avenue, Slough, Berkshire, SL1 4PF

From: Christian Fieres [mailto:c.fie...@mainova.de]
Sent: 05 August 2016 09:31
To: spectrum <spectrum@listserv.unc.edu>
Subject: [spectrum] SPECTRUM without Ping?

Hi all,

rumour has it our security policy leads to all our servers being prevented from answering ICMP echo requests soon. As it so happens, we as network management specialists have never been asked about implications of such a decision. ;-) Hopefully it stays a rumour, but you never know - so I'd like to be prepared.

Easy question, although I assume I know the answer: Has anybody ever tried to come up with a (simple) solution to obsolete ICMP in regards to SPECTRUM management?
I am not talking about SPM tests to those servers as a replacement, it is mandatory to continue using SNMPv3 for RFC2790 stuff et cetera.

Best regards,
Christian Fieres

Mainova Aktiengesellschaft - Solmsstraße 38 - D-60623 Frankfurt am Main
Chairman of the Supervisory Board: Mayor Uwe Becker
Executive Board: Dr. Constantin H. Alsheimer (Chairman), Norbert Breidenbach, Lothar Herbst
Registered office: Frankfurt am Main - Frankfurt Local Court HRB 7173 - VAT ID DE 114184034
Mainova stands for the best service, fair contracts and top prices for your energy - award-winning! More information at: http://www.mainova.de/auszeichnung

--To unsubscribe from spectrum, send email to listserv@unc.edu with the body: unsubscribe spectrum david.g...@uk.logicalis.com

Please be aware that Logicalis UK Ltd may monitor email traffic data and also email content for security purposes.

This email has been scanned by the Symantec Email Security.cloud service. For more information please visit http://www.symanteccloud.com

This email communication does not create or vary any contractual relationship between Logicalis and you. Internet communications are not secure and accordingly Logicalis does not accept any legal liability for the contents of this message. The contents of this email are confidential to the intended recipient at the email address to which it has been addressed. It may not be disclosed to or used by anyone other than this addressee, nor may it be copied in any way. If received in error, please contact Logicalis on the above switchboard number quoting the name of the sender and the addressee and then delete it from your system. Please note that neither Logicalis nor the sender accepts any responsibility for viruses and it is your responsibility to scan the email and attachments (if any).

Logicalis UK Ltd, Registered in England and Wales No: 3732397, Registered Office: 110 Buckingham Avenue, Slough, Berkshire, SL1 4PF