> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Radick, Don (IHG)
> Sent: Tuesday, May 11, 2004 2:45 PM
> To: [EMAIL PROTECTED]
> Subject: [mrtg] Re: mrtg of Cisco routers via Internet fails
>
> don't do this.
> SNMP V1 (which is what MRTG / Perl uses) is insecure -
> if you can run SNMP (v1) to your Internet routers, then
> anyone else can also, and Cisco SNMP has vulnerabilities. (A
> cracker can get control of your router pretty easily)
all these vulnerabilities are fixed in current versions. SNMPv1/2c to a Cisco isn't *that* bad when having a secure surrounding setup, following some practices: input ACLs only allowing management IPs to the router, and ACLs for SNMP itself, make it quite secure. further improvements are defining views with only the relevant trees to monitor in. what I actually do, in addition to the above, is run SNMP only through IPSec to a loopback wherever possible, but this requires a crypto image.. at least I wasn't affected by any of the SNMP exploits in the last few years because they never got through to the router.

> ADVICE: you MUST run SNMP v3 for security, but MRTG / Perl
> does not support this:

SNMPv3 is definitely nicer, yes. but despite the Cisco boxes and some Linux implementations it's widely unsupported or at least doesn't work. that's not mrtg/perl specific.. the few other devices claiming SNMPv3 support --- just try it..

> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]

now regarding the initial problem ;) post your cisco config (without comm & real IPs) then I might see what's the cause.

another thing: are you using a special interface (loopback etc.) for SNMP? there are some recent IOS around 12.3T/X with a bug ignoring the configured source-interface..

Michael

--
Unsubscribe mailto:[EMAIL PROTECTED]
Archive http://www.ee.ethz.ch/~slist/mrtg
FAQ http://faq.mrtg.org
Homepage http://www.mrtg.org
WebAdmin http://www.ee.ethz.ch/~slist/lsg2.cgi
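As an added example (not from the thread or any poster), an IOS configuration fragment putting the reply's points into practice: the weak default community beside a read-only community restricted by an SNMP ACL and a view, plus an inbound interface ACL so SNMP from anything but the MRTG host never reaches the agent. Community strings, addresses (RFC 5737 documentation ranges) and interface names are constructed placeholders.

```cisco
! Added example, not from the thread. All names and addresses are
! constructed placeholders; adapt to your own poller and interfaces.

! --- weak: default community, no view, no ACL; anyone who can reach
! --- UDP/161 on the router can walk the whole MIB tree
snmp-server community public RO

! --- hardened ---
! 1. standard ACL listing only the MRTG poller; everything else is
!    denied and logged, so a stray poll shows up in the syslog
access-list 10 remark SNMP pollers (MRTG host)
access-list 10 permit host 192.0.2.10
access-list 10 deny   any log

! 2. view exposing only the subtrees MRTG needs: system (sysUpTime)
!    and the interface counters (interfaces, ifMIB = 1.3.6.1.2.1.31)
snmp-server view MRTG-VIEW system included
snmp-server view MRTG-VIEW interfaces included
snmp-server view MRTG-VIEW 1.3.6.1.2.1.31 included

! 3. read-only community bound to that view and that ACL, and the
!    default community removed
snmp-server community MRTG-ONLY-EXAMPLE view MRTG-VIEW RO 10
no snmp-server community public

! 4. input ACL on the Internet-facing interface: SNMP is only
!    accepted from the poller to the router's loopback address;
!    any other SNMP packet is dropped and logged at the edge
ip access-list extended INTERNET-IN
 remark SNMP only from the management host to the loopback
 permit udp host 192.0.2.10 host 198.51.100.1 eq snmp
 deny   udp any any eq snmp log
 remark ... existing transit policy continues here ...
 permit ip any any
interface Serial0/0
 ip access-group INTERNET-IN in

! 5. stable management address the poller is pointed at, so the
!    community and both ACLs are tied to one loopback IP
interface Loopback0
 ip address 198.51.100.1 255.255.255.255
```

Check the result with `show snmp view` and `show access-lists`: the deny counters and log lines show whether anything other than the poller is still trying to reach UDP/161.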
