Skough Axel U/IT-S <[EMAIL PROTECTED]> wrote:
>SNMP is completely unacceptable as a firewall monitoring tool

Sometimes you have to wonder about the statements that go unchallenged
on this list.  This, of course, is one of those statements.  If SNMP
were so unacceptable you probably wouldn't see it enabled by default on
every Check Point FireWall-1.  You also probably wouldn't see it as an
option on every other firewall made.

There really is no better protocol for monitoring firewalls and other
network devices than SNMP.  That doesn't mean you enable write access,
or that you leave read-access enabled globally.  All you need to do is
restrict the IP addresses that can query the port with a filter rule.
If you're monitoring a remote device over an insecure link you probably
also want to encrypt that traffic, depending on whether the SNMP data
could be considered sensitive.

Virtually all the secure sites I've worked with use SNMP.  Most
monitoring tools, like HP OpenView or Micromuse Netcool, depend on it.
How else are you going to monitor performance real-time?

IMHO,
--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/
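
An added example, not part of the original message: a small audit for the two conditions the post warns about (write access enabled, read access open to every address). It assumes the monitored host runs a Net-SNMP agent configured through snmpd.conf community directives, which the post does not specify; the sample configuration and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample in Net-SNMP snmpd.conf syntax (not from the original post).
SAMPLE_CONF = """\
# constructed example configuration
rocommunity  monitor-ro  192.0.2.10
rocommunity  public
rocommunity  legacy-ro   default
rocommunity  wide-ro     0.0.0.0/0
rwcommunity  admin-rw    192.0.2.10
rocommunity6 v6-ro
"""

READ_ONLY = {"rocommunity", "rocommunity6"}
READ_WRITE = {"rwcommunity", "rwcommunity6"}


def source_is_global(source):
    """True when the SOURCE field lets any address query the agent."""
    if source is None or source.lower() == "default":
        return True  # a missing SOURCE is treated the same as "default"
    try:
        # Accepts single addresses, CIDR and address/netmask forms.
        return ipaddress.ip_network(source, strict=False).prefixlen == 0
    except ValueError:
        return False  # hostname or other form: not judged by this check


def audit_snmpd_conf(text):
    """Return (line_number, issue) pairs for risky community directives."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        directive = fields[0].lower()
        source = fields[2] if len(fields) > 2 else None
        if directive in READ_WRITE:
            # Flagged even when the source is restricted: no write access at all.
            findings.append((lineno, "write-access-enabled"))
        elif directive in READ_ONLY and source_is_global(source):
            findings.append((lineno, "read-access-global"))
    return findings


if __name__ == "__main__":
    for lineno, issue in audit_snmpd_conf(SAMPLE_CONF):
        print(f"line {lineno}: {issue}")
```

This covers the agent's own access list only; the filter rule on the SNMP port that the post recommends still has to be checked on the firewall itself.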
