-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
ICMP is becoming less of an Internet trouble-shooting tool because more admins are doing exactly what you're thinking about. But, if you allow ICMP type 8 out and 0, 3 and 11 back in, you can have some basic security on it. However, ICMP is less of a risk than most people think, as there are many network mapping methods which do not rely on ICMP. That, combined with proper network design, go a long way towards alleviating the risks of ICMP. As far as SNMP, use a long string of mixed alpha-numeric characters for your community string and set explicit rules to only allow it to the required devices along with the associated replies in addition to traps from any required devices. SNMP, other than V3, does not support encryption or authentication, and most devices and management applications do not support SNMP V3. A few do, such as OpenNMS or Openview Network Node Manager with the SNMP Research security pack. However, devices have only very recently started to support SNMP V3, such as Cisco in a recent IOS release, NET-SNMP, and a few others. Also, for monitoring purposes, all community strings should be set to RO. If sets (RW) are required, limit it to internal devices and set the allowed managers to a single internal source. Rob - -----Original Message----- From: eko yulianto [mailto:[EMAIL PROTECTED]] Sent: Thursday, November 08, 2001 10:46 PM To: [EMAIL PROTECTED] Subject: How Securing SNMP and ICMP traffic Hello, Is there anyone can telling me how to make SNMP and ICMP traffic secure? because I thought if I disallowed all snmp and icmp traffic in my network I will get headache if I have to checking connection when the network problem occur, thank's. Do I wrong if I configure every device with policy only allowed limited type or code, size, source/destination for icmp traffic and only encrypted packet for snmp traffic in my network? Thank's for any comments. Eko Yulianto IT Security Menara Asia 3rd Floor Diponegoro 101, Lippo Karawaci Tangerang, Indonesia Phone: +62.21.5460666 ext.5335 Fax: +62.21.5460660 Post Office: 15810 E-mail:[EMAIL PROTECTED] -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 iQA/AwUBO+3ta+a2P6TrxG1EEQJzNwCfY74kJhTwWjXczypnNhtH78dZY5oAniMj IxPpkPovC1ioOrP7TRd4pHNY =9lDZ -----END PGP SIGNATURE-----
PGPexch.htm.asc
Description: PGPexch.htm.asc
