lindsay wrote:
Well, I'm not really interested in getting into an argument, I see where
you're coming from, however, it was explained to me (on a PIX firewall
course that I did late last year) that Cisco will only support Read Only
communities, not Read Write purely for added security.

That's my point, I never mentioned or cared about writing, via snmp to a cisco or any other device. If you really require that functionality, you put an ether-to-serial protocol translator device on the serial (console) port of the device, and have your 'remote writes' via any protocol/security semantic you want. In fact this is thousands of times easier and more secure than using something that is vendor supplied and used by millions of folks. If you want to see one, look at ntop and their neat little 'nbox' device. I've been doing that little trick for over a decade now, and my custom little hack boxes are the only thing I have to worry about, and I can use them on hundreds of different serial ports.
If you really want to make it cool, set it up as a bridged_firewall, like what you can do with PF(packet filter) on OpenBSD.


I never mentioned or cared about the lack of snmp writes in a PIX. Personally, I never deploy cisco pix, as my customers need real, unique security, that I build on OpenBSD.

I was pointing out the fallacy in stating that well, you use SNMP, it's hacked and has security holes. SECURE your deployment, and you can use SNMP 1 quite robustly encapsulated in a secure data channel. You can purchase/use all of the proposed secure stuff in the world, and if it is not properly (securely) implemented, then a "quote secure" environment is not really secure.

SNMP gets blamed a lot for problems, mostly because MS admins get frustrated with MS and try to apply technology in a MS environment, that is not complete. I know unix admins that do the same thing, but, they are usually willing to learn. MS_idiots just bad_mouth things that do not work as they envisioned.


Yeah sure, you can change the config via ssh session (using the virtual terminal) and via https (using the PIX Device Manager) which supports your view that SSL connections are secure.

Yes there are many scenarios to write to a remote device.


Don't get me wrong, I love Cisco products,

I do not like cisco. I use cisco where customers require cisco.


but like everything else,
Cisco has declared its vulnerabilities (and had to defer some IOS
releases accordingly),

Um, you might want to rethink statements like this.....or gain some diversified experience, as hackers routinely 'pop the cherry' on cisco white_lies......
They are almost as bad as MS now.....



but unlike some product lines, this is a very
rare occurrence, I only recall a small handful of occurrences (about 5 or
6), but a lot of these vulnerabilities that Cisco found are with SNMP,
in fact half of the announced vulnerabilities I recall are SNMP
vulnerabilities (about 3).

Again, SNMP has never been the problem. SNMP 1 and 2 never were designed to be secure. SNMP 1 and 2 can be used securely, by admins that know how to build and run secure networks.



At the end of the day, the Cisco PIX only supports Read Only SNMP

Again, not an issue for me, not now, never. As you point out, there are lots of ways to get around this semantic.


communities on their PIX firewall at the moment, I thought that made
sense considering that it's likely this firewall appliance would be
protecting a large organisation, maybe even a bank or a financial
institution where security is paramount.


We could get into a lengthy discussion on securing SNMP devices, such as
how access lists should be built, what passwords should be set (ie. Do not
use 'private' or 'public'), and what version of SNMP should be used, but
I would take that off list first.  I'm sure most of the SNMP
vulnerabilities have been successfully exploited because of
configuration weaknesses, not the other way round.

Hey, if you have a problem with the PIX not supporting Read Write SNMP
communities using SNMPv3, why don't you take it up with Cisco ?

Personally, my clients and others require greater security than a cisco pix. When you use a cisco PIX you are only promoting Cisco. When you take a computer, and build a unique firewall or
IDS, then you are distinguishing yourself as a security expert....


It's your future.....

James
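The thread's point that SNMPv1/v2c communities travel in cleartext (hence the advice about access lists, non-default community strings and a secure channel) is easiest to see by decoding a packet. The following is an added example, not code from the thread, Cisco or jffnms: it parses the BER header of a constructed SNMPv1 GetRequest, reports version, community, PDU type and first OID, and raises the findings a defender would want; the packet bytes and the `audit` rules are my own construction.

```python
DEFAULT_COMMUNITIES = {"public", "private"}
PDU_NAMES = {0xA0: "get-request", 0xA1: "get-next-request", 0xA3: "set-request"}

def read_tlv(buf, pos):
    """Read one BER TLV starting at pos; return (tag, value_bytes, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """BER OID: first byte packs two arcs, the rest are base-128 groups."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def parse_snmp(packet):
    """Return version, community, PDU type and first OID of a v1/v2c message."""
    _, msg, _ = read_tlv(packet, 0)             # outer SEQUENCE
    _, ver, pos = read_tlv(msg, 0)              # INTEGER version (0=v1, 1=v2c)
    _, community, pos = read_tlv(msg, pos)      # OCTET STRING community, cleartext
    pdu_tag, pdu, _ = read_tlv(msg, pos)        # context tag identifies PDU type
    pos = 0
    for _ in range(3):                          # request-id, error-status, error-index
        _, _, pos = read_tlv(pdu, pos)
    _, varbinds, _ = read_tlv(pdu, pos)
    _, first_vb, _ = read_tlv(varbinds, 0)
    _, oid_raw, _ = read_tlv(first_vb, 0)
    return {"version": {0: "v1", 1: "v2c"}.get(int.from_bytes(ver, "big"), "other"),
            "community": community.decode("ascii", "replace"),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)),
            "oid": decode_oid(oid_raw)}

def audit(packet):
    """Findings a network defender would raise for this packet (constructed rules)."""
    info, findings = parse_snmp(packet), []
    if info["version"] in ("v1", "v2c"):
        findings.append("community sent in cleartext; restrict by ACL or tunnel it")
    if info["community"] in DEFAULT_COMMUNITIES:
        findings.append("default community %r in use" % info["community"])
    if info["pdu"] == "set-request":
        findings.append("write attempt; keep communities read-only or use v3 auth/priv")
    return findings

# Constructed SNMPv1 GetRequest for sysName (1.3.6.1.2.1.1.5.0), community "public".
SAMPLE_GET = bytes.fromhex("3026" "020100" "04067075626c6963" "a019" "020101" "020100"
                           "020100" "300e" "300c" "06082b06010201010500" "0500")
SAMPLE_SET = SAMPLE_GET.replace(b"\xa0\x19", b"\xa3\x19")  # same request as a SetRequest
```

Run `audit(SAMPLE_SET)` against a capture from a mirror port to see what an unfiltered read-write community exposes; real traffic would be fed in place of the constructed bytes.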




-----Original Message-----
From: James [mailto:[EMAIL PROTECTED] Sent: Friday, 14 May 2004 16:20
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: Re: [jffnms-users] Cisco PIX firewall save configs?



http://advocacy.postgresql.org/

Lindsay Druett wrote:


Sorry Javier, I might as well jump in here...


Basically the Cisco PIX only supports Read Only SNMP communities.

They don't support Read Write for a very good reason, and that is so that there is no way someone can change the configuration on a PIX using SNMP as SNMP fundamentally does have a few security flaws.


OH YEA sure,

Cisco tells me their security, including snmp(2) over sshd is impenetrable?

As an old OpenBSD bigot, I find it hard to believe (cisco) but, you have not provided any evidence that cisco's snmp3 over sshd (the latest patched versions) has security holes.

Show me da money.....?


James







