Eric Zatko [[EMAIL PROTECTED]] wrote:
> Good day all.
>
> We are considering the addition of a network management software
> system such as Tivoli, Unicenter, Openview, Open NMS... or yes even
> SMS. I am interested in hearing from any of you that have experience
> with these systems. I would like to better understand each of these
> products from a security stand point, meaning should I favor the
> purchase of one over the others and if so, why?
First off, I'm biased. That said, you're asking a pretty complicated question.

With any network management solution, there's all sorts of issues. Are you going to implement SNMP? Which version (we don't support v3 yet, before anyone asks)? What about traps? Are you after systems management (Tivoli, SMS and Unicenter)? If so, are you really comfortable with all the agents you'll need to load on your end systems? Tivoli and Unicenter are pretty useless (well, the expense doesn't compute) if you're not loading the agents. Are you doing remote management (across firewalls, specifically)? If so, prepare to punch some holes in firewalls, or use distributed management functions (we don't have our distributed management finished just yet, but we're getting there!) and punch holes in firewalls (or do VPNs). How large is the network? How large is the budget? And finally, can you get the source? (Okay, I had to throw that in there.)

In the end, using an NMS at all will alter the security profile of your network. There's larger issues other than just the NMS itself. However, one thing people sometimes forget is that an NMS often possesses a great deal of information that is useful to a prospective attacker. It already knows your entire network, probably has your community strings, possibly knows all the services running on your network, and possibly knows the versions of software on every system you have. An NMS -must- be protected.

In regards to OpenNMS, we're almost entirely Java based (save a few areas where we just couldn't avoid native code). We are open source, so you can look at our guts until your heart is content. We really only have two exposed services, trapd and tomcat (we don't have an SNMP agent that we install behind your back). We do run as root, but we're working on that and hope to have a better solution in the near future (-very- shortly after I started here, I opened a bug about running as non-root -- it gives me the willies).
So, I really think we're the best all around. We may not have all the bells and whistles (why in the world is it helpful to be able to 'fly' through a three dimensional rendering of your network?) of some of the others, but we do some things that others don't (service management and service level agreement type stuff) and we're open source (we certainly offer support services and have in the past and currently do contract development for the product). It won't cost you one penny to take us for a drive around the block. :)

Oh, and in case anyone missed it, I work for the company that sponsors the OpenNMS project.

Mike
-- 
Mike Johnson -- [EMAIL PROTECTED]
OpenNMS -- http://www.opennms.org
--
Like many things in awk, the majority of the time things work as you would expect them to work.
  -- The GNU Awk User's Guide.
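The reply's point that an NMS holds the community strings and topology an attacker would want, and that the SNMP version chosen matters, can be turned into a routine audit. The following is an added example, not code from the thread or from the OpenNMS project: it parses a constructed SNMP poller configuration (the element and attribute names, `snmp-config`, `definition`, `read-community`, `version`, `auth-protocol`, `privacy-protocol`, are assumptions for this example, not a real product schema) and reports every target that is polled with v1/v2c, with a default community string, or with v3 lacking authentication or privacy.

```python
import xml.etree.ElementTree as ET

# Constructed sample configuration. The schema below is an assumption made
# for this example and is not OpenNMS's actual configuration format.
SAMPLE_CONFIG = """<snmp-config read-community="public" version="v1">
  <definition version="v2c" read-community="public">
    <range begin="10.0.0.1" end="10.0.0.254"/>
  </definition>
  <definition version="v3" security-name="nms-ro"
              auth-protocol="SHA" privacy-protocol="AES">
    <specific>10.0.1.5</specific>
  </definition>
  <definition version="v2c" read-community="s3cret-site-ro">
    <specific>10.0.2.9</specific>
  </definition>
</snmp-config>"""

# Community strings that ship as vendor defaults and should never survive
# into production polling.
DEFAULT_COMMUNITIES = {"public", "private"}


def _check(scope, version, community, auth, priv):
    """Return (scope, severity, message) findings for one polling scope."""
    findings = []
    if version != "v3":
        findings.append((scope, "HIGH",
                         f"SNMP {version}: community string is sent in clear text"))
        if community in DEFAULT_COMMUNITIES:
            findings.append((scope, "HIGH",
                             f"default community string '{community}' in use"))
    else:
        if not auth:
            findings.append((scope, "MEDIUM", "SNMPv3 without authentication"))
        if not priv:
            findings.append((scope, "MEDIUM", "SNMPv3 without privacy (encryption)"))
    return findings


def audit_snmp_config(xml_text):
    """Walk the config and collect findings for the defaults and each definition."""
    root = ET.fromstring(xml_text)
    default_version = root.get("version", "v1")
    default_community = root.get("read-community")

    # Top-level attributes apply to any host not matched by a <definition>,
    # so they are audited as their own scope.
    findings = _check("<defaults>", default_version, default_community,
                      root.get("auth-protocol"), root.get("privacy-protocol"))

    for d in root.findall("definition"):
        version = d.get("version", default_version)
        community = d.get("read-community", default_community)
        targets = [s.text for s in d.findall("specific")]
        targets += [f"{r.get('begin')}-{r.get('end')}" for r in d.findall("range")]
        scope = ",".join(targets) or "<no targets>"
        findings.extend(_check(scope, version, community,
                               d.get("auth-protocol"), d.get("privacy-protocol")))
    return findings


def count_by_severity(findings):
    """Summarise findings as {severity: count} for a quick pass/fail view."""
    counts = {}
    for _, severity, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    for scope, severity, message in audit_snmp_config(SAMPLE_CONFIG):
        print(f"{severity:6} {scope:24} {message}")
    print(count_by_severity(audit_snmp_config(SAMPLE_CONFIG)))
```

Run against the constructed sample, the defaults and the first definition each produce two HIGH findings (clear-text version plus the `public` community), the third definition one HIGH finding for v2c, and the v3 host none. The same walk is the check you would want before exposing an NMS across a firewall, since the poller's own configuration is exactly the inventory the reply warns about.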