Great Circle Associates Firewalls
(April 1995)

Subject: Re: SNMP or other mgmt/monitor of bastion &c.
From: "Bryan D. Boyle" <bdboyle @ maverick . erenj . com>
Date: Fri, 14 Apr 1995 07:47:17 -0400
To: firewalls @ greatcircle . com
In-reply-to: Ken Hardy <ken @ bridge . com> "SNMP or other mgmt/monitor of bastion &c." (Apr 13, 4:40pm)
Posted-date: Fri, 14 Apr 1995 07:47:17 -0400
References: <199504132140 . AA14160 @ ignatz . bridge . com>

On Apr 13,  4:40pm, Ken Hardy wrote:
> Subject: SNMP or other mgmt/monitor of bastion &c.
> FWTK is, as advertised, minimalist.  (But it's still a great deal more
> than what you pay for it.)  Now we're interested in more automated
> monitoring of the f/w bastion host & its connectivity.  Though I like
> my simple, minimalist f/w, I've now got some questions.
>
> A.) Is there any useful SNMP agent that can be added to the bastion
>     host running BSDI?

Probably a generic workstation MIB is supplied with BSDI; I think (we have
looked into this peripherally...) a MIB would probably have to be developed
for the firewall components that dealt with the individual proxies or
some such.

>
> B.) What commercial packages offer this?  Gauntlet?  Most?

We are just running the standard DEC w/s snmp on the components here.  I don't
rightfully know whether or not there is a standard MIB for firewalls other
than that which would be supplied as part of an O/S...

>
> C.) What are the security implications of SNMP running on the f/w?  I'd
>     certainly only see it being used for monitoring, not controlling.

Well, for one, SNMP is UDP.  And that gives us the shakes.  What I would
pose as a strawman would be to put an SNMP 'monitor probe' up on
the DMZ that would monitor the exposed network and repackage the info
for transmission thru the screen via TCP (which can be reasonably secured,
beyond trying to hack some extension into UDP and calling it controllable...)

>
> D.) How might I monitor the connectivity to the ISP & beyond?  Would I
>     (or shouldn't I?) regularly ping various sites?

Usually, if you have a good ISP, they will ping your Cisco or whatever router
you have (I know, using Cisco as a generic name, please forgive me...) to
check that you are still there.  I know in talking to our ISP (AlterNet) that
they have no problem if we want to ping (as long as it is at a reasonable rate,
not spraying them constantly) say, their news machine that feeds us, to show
that the link itself is up.  Beyond that, you would probably be in the range of
getting into their router web (which is a whole 'nother story...).

Pinging various sites?  As long as they are yours, why not (end-to-end
connectivity???)?  Other sites?  The network is too amorphous to use that,
imo, as an objective gauge of overall network health...too many variables
between ye and thee.


-- 
Bryan D. Boyle               |The Moving Finger writes, and having writ, moves on.
#include <disclaimer>        |Nor all your Piety nor Wit can call it back to cancel
EMAIL: bdboyle @ erenj . com |Half a line, or all your tears wash out a Word of it.
--------------http://www.access.digex.net/~bdboyle/index.html---------------