On Apr 14, Bryan D. Boyle wrote:
>
>Well, for one, snmp is udp. And that gives us the shakes. What I would
>pose as a strawman would be to put an snmp 'monitor probe' up on
>the DMZ that would monitor the exposed network and repackage the info
>for transmission thru the screen via tcp (which can be reasonably secured
>beyond trying to hack some extension into UDP and call it controllable...)

Why would using TCP be any more secure than using UDP?

In general, TCP is preferred because many firewall users have adopted
a policy that says people on the inside are good and should be allowed
to initiate communication through the firewall, whereas people on the
outside should not. TCP, being a connection-oriented protocol, makes it
possible for a filter to distinguish which packets belong to a particular
connection, and from which side the connection is being established.
It therefore makes it easier to write a filter that enforces the policy.

But if your policy says that:

  1) users on the inside can be trusted not to actively attack
     the internal net, and
  2) the Network Management Center on the internal net will monitor
     the firewall using SNMP

then a filter that allows UDP traffic on the SNMP port between the
firewall host and the NMC can be used to implement the policy.

I don't see why TCP "can be reasonably secured" for this application
to any extent greater than could UDP. Is there a specific threat
you are trying to protect against, or is this just a superstitious
belief that "UDP is insecure" and shouldn't be used for anything?
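
The two filter policies discussed in this message, sketched as a stateless packet filter. This is an added example, not part of the original post; the addresses, the `Packet` type and the `permit` function are constructed for illustration, and the "inside may initiate" TCP rule is implemented with the usual ACK-flag test.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology (assumptions, not taken from the thread).
INSIDE = ip_network("10.0.0.0/8")      # internal net
NMC = ip_address("10.1.1.5")           # Network Management Center
FIREWALL = ip_address("192.0.2.1")     # firewall host running the SNMP agent
SNMP_PORT = 161

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    ack: bool = False   # TCP ACK flag; has no meaning for UDP

def permit(p: Packet) -> bool:
    """Return True if the packet may cross the filter."""
    src, dst = ip_address(p.src), ip_address(p.dst)
    if p.proto == "tcp":
        # Policy: insiders may open connections, outsiders may only answer.
        if src in INSIDE and dst not in INSIDE:
            return True
        # From outside, a segment without ACK is a connection opener: drop it.
        if src not in INSIDE and dst in INSIDE:
            return p.ack
        return False
    if p.proto == "udp":
        # UDP carries no flag that marks direction, so the rule pins
        # both endpoints and the SNMP port instead.
        if src == NMC and dst == FIREWALL and p.dport == SNMP_PORT:
            return True     # NMC polls the agent
        if src == FIREWALL and dst == NMC and p.sport == SNMP_PORT:
            return True     # agent replies to the NMC
        return False
    return False            # default deny for everything else

if __name__ == "__main__":
    samples = [             # constructed sample traffic
        Packet("tcp", "10.2.3.4", "198.51.100.7", 40000, 80),
        Packet("tcp", "198.51.100.7", "10.2.3.4", 40000, 23),
        Packet("udp", "10.1.1.5", "192.0.2.1", 40001, 161),
        Packet("udp", "198.51.100.7", "192.0.2.1", 40001, 161),
    ]
    for s in samples:
        print("permit" if permit(s) else "deny  ", s)
```

Both rules match on header fields only: the TCP rule relies on the ACK flag, the UDP rule on the address pair and port number.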