SNMP is a dangerous protocol to have accessible on the public network
unless you have some assurance that the traffic can't be sniffed. You're
probably aware of its many vulnerabilities (cleartext community strings,
many people never change their default community strings, UDP-based...).
We offer a "secure SNMP" offering based on a firewallized
(modified) version of SNMP Research's extensible agent architecture for
our InterLock firewall. This agent supports SNMPv2* which is encrypted/
authenticated SNMP. The next problem is getting the management station
to speak SNMPv2*. SNMP Research has an add-on module for OpenView to
convert SNMPv1 and v2 to v2*.
The SNMPv2* protocol was one of the secure SNMP proposals for SNMPv2
(so it's not just some proprietary protocol). Unfortunately the battles
over how to secure SNMP were too great for the IETF process, so SNMPv2
was left with no additional security. SNMPv3 looks more promising to
have some security, but in the meantime this is something you can do to
address your question until v3 stabilizes and products ship.
SNMP is really a handy protocol particularly if it can be done securely.
The InterLock has support for several MIBs including HR-MIB (processes,
disk, filesystems...), MIB-II (tcp/ip, interface stats) and a WWW MIB
which includes lots of neat WWW performance information as well as load.
You probably also want to lock down where traps can originate, as
OpenView could be DOSed by trap storms if you're not careful. This could
probably be limited if your servers are on a 3rd leg of your firewall
and tight security policies are applied controlling the trap UDP packets.
On Mon, Apr 13, 1998 at 03:12:54PM -0700, Gary Mills wrote:
> I was asked to look into security issues with the HP OpenView SNMP Agent.
> Does anyone have any experience or advice on any known problems with
> installing this agent on DMZ systems such as
> mail, web, ftp, firewall, etc... The idea is to monitor activity on these
> external systems and send traps to the internal HP OpenView system. I am not
> sure of the security of the agent or the daemons it may start.
> Gary Mills
> gary .
ANS Communications, Senior Software Engineer
1875 Campus Commons Dr., Suite 220, Reston VA 22091
sangster @
http://www.ans.net/InterLock
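An added example to go with the two points in the reply above (the cleartext community string, and locking down where traps can come from and how many the manager will take). This is not code from the original post and has nothing to do with ANS's InterLock or with SNMP Research's agent. The BER encoder only exists to construct sample SNMPv1 packets inline; the parser is what a sniffer on the wire (or a firewall inspecting UDP/161 and UDP/162) actually needs, and it shows that the community string is readable as-is. The TrapGate models the "3rd leg" policy: traps are only admitted from listed DMZ hosts, and at a bounded rate per source. The host addresses, the 20-traps-per-second limit and the enterprise OID are made-up values for the example.

```python
from collections import deque

# PDU tags from RFC 1157 (v1) and RFC 1905 (v2c); names are for display only.
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap", 0xA5: "GetBulkRequest",
             0xA6: "InformRequest", 0xA7: "SNMPv2-Trap"}

def ber_len(n):
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    """One BER tag/length/value element."""
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(v):
    """Non-negative INTEGER, with a leading zero byte when the high bit is set."""
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def ber_oid(dotted):
    """OID whose arcs are all below 128, so no base-128 continuation bytes are needed."""
    arcs = [int(a) for a in dotted.split(".")]
    return tlv(0x06, bytes([40 * arcs[0] + arcs[1]] + arcs[2:]))

def snmpv1_get(community, oid):
    """Constructed SNMPv1 GetRequest for one OID (request-id 1)."""
    varbinds = tlv(0x30, tlv(0x30, ber_oid(oid) + tlv(0x05, b"")))
    pdu = tlv(0xA0, ber_int(1) + ber_int(0) + ber_int(0) + varbinds)
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)

def snmpv1_trap(community, agent_ip, generic_trap):
    """Constructed SNMPv1 Trap: enterprise, agent-addr, generic, specific, timeticks, varbinds."""
    enterprise = ber_oid("1.3.6.1.4.1")  # placeholder enterprise OID for the example
    agent = tlv(0x40, bytes(int(o) for o in agent_ip.split(".")))  # IpAddress
    pdu = tlv(0xA4, enterprise + agent + ber_int(generic_trap) + ber_int(0)
              + tlv(0x43, b"\x00") + tlv(0x30, b""))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)

def _read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_snmp_header(packet):
    """Version, community and PDU type of a v1/v2c message, read straight off the
    wire: nothing is encrypted, so a sniffer sees the community string as-is."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    vtag, ver, pos = _read_tlv(msg, 0)
    ctag, community, pos = _read_tlv(msg, pos)
    ptag = msg[pos]
    if vtag != 0x02 or ctag != 0x04:
        raise ValueError("malformed SNMP header")
    return {"version": int.from_bytes(ver, "big"),  # 0 = SNMPv1, 1 = SNMPv2c
            "community": community.decode("ascii", "replace"),
            "pdu": PDU_NAMES.get(ptag, "0x%02x" % ptag)}

class TrapGate:
    """Admit traps only from listed DMZ hosts, and at most max_per_window per
    source within window seconds, so a trap storm cannot flood the manager."""

    def __init__(self, allowed_sources, max_per_window=20, window=1.0):
        self.allowed = set(allowed_sources)
        self.max_per_window, self.window = max_per_window, window
        self.recent = {}  # src -> deque of accept timestamps

    def accept(self, src_ip, packet, now):
        """Return (accepted, reason) for one UDP/162 datagram from src_ip at time now."""
        if src_ip not in self.allowed:
            return False, "source not permitted to send traps"
        if parse_snmp_header(packet)["pdu"] not in ("Trap", "SNMPv2-Trap"):
            return False, "not a trap"
        q = self.recent.setdefault(src_ip, deque())
        while q and now - q[0] >= self.window:
            q.popleft()  # expire accepts that fell outside the window
        if len(q) >= self.max_per_window:
            return False, "rate limit"
        q.append(now)
        return True, "ok"

def simulate_storm(gate, src_ip, count, spacing=0.001):
    """Send count identical traps from src_ip, spacing seconds apart; return how many pass."""
    pkt = snmpv1_trap("public", src_ip, 6)
    return sum(gate.accept(src_ip, pkt, i * spacing)[0] for i in range(count))

if __name__ == "__main__":
    print(parse_snmp_header(snmpv1_get("public", "1.3.6.1.2.1.1.1.0")))
    gate = TrapGate(["192.0.2.10"])
    print("storm of 500 traps, accepted:", simulate_storm(gate, "192.0.2.10", 500))
    print(gate.accept("198.51.100.7", snmpv1_trap("public", "198.51.100.7", 6), 0.0))
```

The same header parse is all a firewall needs to drop anything on UDP/161 or UDP/162 that is not coming from the management station or the DMZ agents; what it cannot do for v1/v2c is protect the community string, which is the point of the reply above.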
From: Gary Mills <gary .