Great Circle Associates Firewalls
(April 1998)
 


Subject: Re: SNMP agent
From: Paul Sangster <sangster @ reston . ans . net>
Date: Tue, 14 Apr 1998 09:11:57 -0400
To: Gary Mills <gary . mills @ experian . com>
Cc: "firewalls @ GreatCircle . COM" <firewalls @ greatcircle . com>
In-reply-to: <FA27027F1C61D111996D00805FE6E7059BA975 @ oraexch1>; from Gary Mills on Mon, Apr 13, 1998 at 03:12:54PM -0700
References: <FA27027F1C61D111996D00805FE6E7059BA975 @ oraexch1>

Gary,

SNMP is a dangerous protocol to have accessible on the public network
unless you have some assurance that the traffic can't be sniffed.  You're
probably aware of its many vulnerabilities (cleartext community strings,
many people never change their default community strings, UDP-based...)  

We offer a "secure SNMP" offering based on a firewallized 
(modified) version of SNMP Research's extensible agent architecture for 
our InterLock firewall.  This agent supports SNMPv2* which is encrypted/
authenticated SNMP.  The next problem is getting the management station
to speak SNMPv2*.  SNMP Research has an add-on module for OpenView to 
convert SNMPv1 and v2 to v2*.

The SNMPv2* protocol was one of the secure SNMP proposals for SNMPv2
(so it's not just some proprietary protocol).  Unfortunately the battles
over how to secure SNMP were too great for the IETF process, so SNMPv2
was left with no additional security.  SNMPv3 looks more promising to
have some security, but in the meantime this is something you can do to
address your question until v3 stabilizes and products ship.

SNMP is really a handy protocol particularly if it can be done securely.
The InterLock has support for several MIBs including HR-MIB (processes,
disk, filesystems...), MIB-II (tcp/ip, interface stats) and a WWW MIB
which includes lots of neat WWW performance information as well as load.

You probably also want to lock down where traps can originate, as 
OpenView could be DOSed by trap storms if you're not careful.  This could
probably be limited if your servers are on a 3rd leg of your firewall
and tight security policies are applied controlling the trap UDP packets.

Paul

On Mon, Apr 13, 1998 at 03:12:54PM -0700, Gary Mills wrote:
> I was asked to look into security issues with HP OpenView SNMP Agent.
> Does anyone have any experience or advice on any known problems with 
> installing this agent on DMZ systems such as
> mail, web, ftp, firewall, etc... The idea is to monitor activity on these 
> external systems and send traps to the internal HP OpenView system. I am not 
> sure of the security of the agent or the daemons it may start.
> 
> Gary Mills
> gary . mills @ experian . com
> 
> 

-- 
_______________________________________________________________________
                            Paul Sangster 
 ANS Communications                       Senior Software Engineer
 1875 Campus Commons Dr.                  sangster @ reston . ans . net
 Suite 220,  Reston VA 22091              http://www.ans.net/InterLock
_______________________________________________________________________

Attachment: pgpcShX52JIuF.pgp
Description: PGP signature
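
The trap lockdown suggested in the message (restrict which hosts may send traps, and bound the rate so a storm cannot swamp the management station), as an added Python example that is not part of the original post or of any product named in it. The class name, the 192.0.2.0/27 DMZ range and the rate figures are assumptions chosen for illustration.

```python
import ipaddress
from collections import Counter

TRAP_PORT = 162  # standard UDP port for SNMP traps


class TrapGate:
    """Hypothetical policy: source allowlist plus per-source token bucket."""

    def __init__(self, allowed_sources, rate_per_sec=5.0, burst=10):
        self.allowed = [ipaddress.ip_network(n) for n in allowed_sources]
        self.rate = rate_per_sec      # tokens refilled per second
        self.burst = float(burst)     # bucket capacity
        self.buckets = {}             # src_ip -> (tokens, last_timestamp)

    def check(self, ts, src_ip, dst_port):
        """Return 'accept', 'drop-port', 'drop-source' or 'drop-rate'."""
        if dst_port != TRAP_PORT:
            return "drop-port"
        addr = ipaddress.ip_address(src_ip)
        if not any(addr in net for net in self.allowed):
            return "drop-source"
        tokens, last = self.buckets.get(src_ip, (self.burst, ts))
        tokens = min(self.burst, tokens + (ts - last) * self.rate)
        if tokens < 1.0:
            # Storm from an allowed host: drop, but keep tracking the refill.
            self.buckets[src_ip] = (tokens, ts)
            return "drop-rate"
        self.buckets[src_ip] = (tokens - 1.0, ts)
        return "accept"


def summarize(gate, events):
    """Count verdicts for (timestamp, source IP, destination port) events."""
    return dict(Counter(gate.check(ts, src, port) for ts, src, port in events))


# Constructed sample traffic, not captured data.
SAMPLE_EVENTS = (
    [(0.0, "192.0.2.10", 162), (1.0, "192.0.2.25", 162)]          # normal traps
    + [(2.0 + i * 0.001, "192.0.2.10", 162) for i in range(50)]   # trap storm
    + [(3.0, "203.0.113.7", 162)]                                 # non-DMZ source
    + [(3.5, "192.0.2.25", 161)]                                  # wrong port
)

if __name__ == "__main__":
    print(summarize(TrapGate(["192.0.2.0/27"]), SAMPLE_EVENTS))
```

UDP source addresses can be forged, so a source allowlist like this only means something when it is enforced where the DMZ leg meets the firewall and the firewall rejects packets claiming DMZ addresses on any other interface.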

