From: Jason Axley <[EMAIL PROTECTED]> wrote:
> I would *highly* discourage you from doing this, even if it is possible,
> because of the inherent insecurity of SNMP v1 and v2.  If _you_ can manage
> the firewall via SNMP, so can any attacker on your network.  All they need
> to do is sniff the community string (which flies around a lot when
> managing devices with SNMP) and then they can do whatever you can do.
> Additionally, there isn't any way to audit who does what, since all you
> need is the fixed community string and don't need to log in.

In a previous life I worked for an SNMP vendor, and I can verify that Jason
is spot on with the above comments. SNMPv1 (which is what almost all SNMP
agents and manager stations such as Network Node Manager implement) has no
security whatsoever - the community strings used for verification are plain
text and easily sniffed. Enabling SNMPv1 sets on your hardware that's
exposed to the outside world is a Very Bad Idea.

> SNMP v3 is supposed to add additional security, although I doubt many
> vendors have implemented it yet.

I believe Cisco and Bay Networks/Nortel have begun shipping SNMPv3-enabled
hardware. There is third party software available that can make Network Node
Manager (aka HP OpenView) do SNMPv3 as well. I know some other manager
station and hardware vendors have put SNMPv3 into at least demoware (I think
I've seen a beta version of IBM's management station doing SNMPv3 at
Networld+Interop).  SNMPv3 does add security, using DES and MD5 for
encryption and authentication.

Sincerely,

Karl Allen

+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+
  Sword & Shield Enterprise Security, Inc.
  Voice: 423.777.5500 x508
  E-mail: [EMAIL PROTECTED]
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+
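As an added illustration of the point both posters make (not code from either of them): an SNMPv1/v2c message carries its version, community string and PDU type in clear BER-encoded fields at the very start of the UDP payload, so anything that can see the packet can read them. The parser below decodes those fields from a raw payload and flags community-based traffic, rating set requests highest; the sample messages are constructed, not captured.

```python
# Added example: decode the clear-text header of an SNMPv1/v2c message and
# flag it for audit. Input is the raw UDP payload (port 161/162) as bytes.

PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap", 0xA7: "InformRequest"}
VERSION_NAMES = {0: "v1", 1: "v2c", 3: "v3"}

def read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the BER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: next n bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def tlv(tag, body):
    """Encode one TLV; short-form length suffices for these small messages."""
    return bytes([tag, len(body)]) + body

def parse_snmp_header(payload):
    """Extract version, community and PDU type (community fields absent in v3)."""
    tag, msg, _ = read_tlv(payload, 0)
    if tag != 0x30:                         # outer SEQUENCE
        raise ValueError("not an SNMP message")
    _, ver, pos = read_tlv(msg, 0)          # INTEGER version
    version = VERSION_NAMES.get(ver[-1], ver[-1])
    if version == "v3":                     # v3 header is structured differently
        return {"version": "v3", "community": None, "pdu": None}
    _, community, pos = read_tlv(msg, pos)  # OCTET STRING community, in the clear
    pdu_tag, _, _ = read_tlv(msg, pos)      # context-tagged PDU (0xA0..0xA7)
    return {"version": version, "community": community.decode("latin-1"),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag))}

def audit(payload):
    """Return a finding for community-based SNMP, None for SNMPv3."""
    h = parse_snmp_header(payload)
    if h["version"] == "v3":
        return None
    severity = "HIGH" if h["pdu"] == "SetRequest" else "MEDIUM"
    return (f"{severity}: SNMP{h['version']} {h['pdu']} with clear-text "
            f"community '{h['community']}'")

# Constructed SNMPv1 SetRequest, community "private", empty varbind list.
SAMPLE_SET = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, b"private") +
    tlv(0xA3, tlv(0x02, b"\x01") + tlv(0x02, b"\x00") + tlv(0x02, b"\x00") + tlv(0x30, b"")))
# Constructed minimal SNMPv3 message (version field only, for the early return).
SAMPLE_V3 = tlv(0x30, tlv(0x02, b"\x03") + tlv(0x30, b""))

if __name__ == "__main__":
    print(audit(SAMPLE_SET))
```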


-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
