Well, I'm not really interested in getting into an argument, I see where you're coming from, however, it was explained to me (on a PIX firewall course that I did late last year) that Cisco will only support Read Only communities, not Read Write, purely for added security.

Yeah sure, you can change the config via ssh session (using the virtual terminal) and via https (using the PIX Device Manager), which supports your view that SSL connections are secure. Don't get me wrong, I love Cisco products, but like everything else, Cisco has declared its vulnerabilities (and had to defer some IOS releases accordingly), but unlike some product lines, this is a very rare occurrence; I only recall a small handful of occurrences (about 5 or 6), but a lot of these vulnerabilities that Cisco found are with SNMP, in fact half of the announced vulnerabilities I recall are SNMP vulnerabilities (about 3).

At the end of the day, the Cisco PIX only supports Read Only SNMP communities on their PIX firewall at the moment. I thought that made sense considering that it's likely this firewall appliance would be protecting a large organisation, maybe even a bank or a financial institution where security is paramount.

We could get into a lengthy discussion on securing SNMP devices, such as how access lists should be built, what passwords should be set (i.e. do not use 'private' or 'public'), and what version of SNMP should be used, but I would take that off list first. I'm sure most of the SNMP vulnerabilities have been successfully exploited because of configuration weaknesses, not the other way round.

Hey, if you have a problem with the PIX not supporting Read Write SNMP communities using SNMPv3, why don't you take it up with Cisco?

-----Original Message-----
From: James [mailto:[EMAIL PROTECTED]
Sent: Friday, 14 May 2004 16:20
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [jffnms-users] Cisco PIX firewall save configs?

http://advocacy.postgresql.org/

Lindsay Druett wrote:
> Sorry Javier, I might as well jump in here...
>
> Basically the Cisco PIX only supports Read Only SNMP communities.
> They don't support Read Write for a very good reason, and that is so
> that there is no way someone can change the configuration on a PIX
> using SNMP as SNMP fundamentally does have a few security flaws.

OH YEA sure, Cisco tells me their security, including snmp(2) over sshd, is impenetrable? As an old OpenBSD bigot, I find it hard to believe (cisco) but, you have not provided any evidence that cisco's snmp3 over sshd (the latest patched versions) has security holes. Show me da money.....?

James
