List:       firewalls-gc
Subject:    Re: SNMP on firewalls
From:       "Rick" <Rick () UKSysops ! com>
Date:       1997-01-09 4:16:58
I hate SNMP. The thought of someone outside the net being able to change
configs inside the firewall or behind the firewall is scary. Having said that,
let me address the stuff you said:

Read only mode on SNMPv2 can be compromised _I_think_. But don't quote me on
that. If you're worried about that, try using SNMPv3 which provides user
authentication, time stamped digital signatures, and encryption AFAIK.

The second thing that I'd point out is that the minimal information most
devices in your firewall will give out includes traffic info (which you don't
want anyone to have) and operating system info. M$ SNMP will list the valid
account names on the machine. If an attacker penetrates security, you don't
want him/her knowing all that.

Given all that, why would you want to run SNMP at all? You have too much to
lose if an attacker gets in.

If I had to run it, I would put it behind the exterior router, and block
all incoming UDP destination port 161 and 162 packets. I'd also make sure
it was v3 SNMP, and I'd restrict the hosts that could use it, but it's still
too much risk IMHO.

Rick
Rick@UKSysops.com

----- Original Message -----
From: Jesper Wall <Jesper.Wall@netgiro.com>
To: Firewalls (E-mail) <firewalls@Lists.GNAC.NET>
Sent: Tuesday, September 05, 2000 11:40 AM
Subject: SNMP on firewalls


> Hi!
>
> Is it a stupid thing to use SNMP in read only mode on a firewall?
> I have a feeling that SNMP can be compromised, even if you run it in read
> only mode. Or?
>
> /Jesper
>
>
> -
> [To unsubscribe, send mail to majordomo@lists.gnac.net with
> "unsubscribe firewalls" in the body of the message.]
>
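An added example, not part of Rick's message or the list archive: a small Python model of the policy the reply describes (drop inbound UDP to ports 161 and 162 at the exterior router, only let an explicit set of management hosts talk SNMP, and insist on SNMPv3 rather than v1/v2c). The addresses, the allowed-manager list and the truncated SNMP payloads are constructed for illustration; the version check reads the BER header that every SNMP message starts with (SEQUENCE, then INTEGER version, where 0 = v1, 1 = v2c, 3 = v3).

```python
"""Toy stateless filter for the SNMP policy described in the reply.

Everything below is constructed sample data: the 192.0.2.0/24 and
198.51.100.0/24 ranges are documentation networks, and the NMS address is
hypothetical. The goal is to show the three checks the post recommends in
one place, not to replace a real router ACL.
"""
from dataclasses import dataclass
import ipaddress

INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")            # constructed
ALLOWED_MANAGERS = {ipaddress.ip_address("192.0.2.10")}        # hypothetical NMS
SNMP_PORTS = {161, 162}                                        # get/set and traps

# Constructed, truncated SNMP message headers: SEQUENCE { INTEGER version, ... }
SAMPLE_V2C = b"\x30\x05\x02\x01\x01\x04\x00"   # version 1 == SNMPv2c
SAMPLE_V3 = b"\x30\x03\x02\x01\x03"            # version 3 == SNMPv3


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes


def snmp_version(payload: bytes):
    """Return the SNMP version integer from the BER header, or None if the
    bytes do not look like an SNMP message."""
    if len(payload) < 2 or payload[0] != 0x30:     # outer SEQUENCE tag
        return None
    i = 1
    length = payload[i]
    if length & 0x80:                              # long-form length: skip the
        i += length & 0x7F                         # extra length octets
    i += 1
    # Expect INTEGER (0x02) of length 1 carrying the version number.
    if i + 3 > len(payload) or payload[i] != 0x02 or payload[i + 1] != 0x01:
        return None
    return payload[i + 2]


def decide(pkt: Packet) -> str:
    """Apply the policy: outside -> drop, unlisted manager -> drop,
    anything but SNMPv3 -> drop, otherwise accept."""
    if pkt.proto != "udp" or pkt.dport not in SNMP_PORTS:
        return "pass"                              # not SNMP, outside this policy
    src = ipaddress.ip_address(pkt.src)
    if src not in INTERNAL_NET:
        return "drop: inbound SNMP from outside"
    if src not in ALLOWED_MANAGERS:
        return "drop: source not an allowed manager"
    version = snmp_version(pkt.payload)
    if version != 3:
        return f"drop: SNMP version {version} is not v3"
    return "accept"


def evaluate_samples():
    """Run a handful of constructed packets through the policy."""
    samples = [
        Packet("198.51.100.7", "192.0.2.1", "udp", 161, SAMPLE_V3),   # from outside
        Packet("192.0.2.20", "192.0.2.1", "udp", 161, SAMPLE_V3),     # inside, not NMS
        Packet("192.0.2.10", "192.0.2.1", "udp", 161, SAMPLE_V2C),    # NMS, but v2c
        Packet("192.0.2.10", "192.0.2.1", "udp", 161, SAMPLE_V3),     # NMS, v3
        Packet("198.51.100.7", "192.0.2.1", "tcp", 80, b""),          # unrelated traffic
    ]
    return [(p.src, p.dport, decide(p)) for p in samples]


if __name__ == "__main__":
    for src, dport, verdict in evaluate_samples():
        print(f"{src:>14} -> udp/{dport}: {verdict}")
```

The version check matters because a real filter cannot tell v1/v2c from v3 by port alone; only the message header reveals whether the community-string protocol or the authenticated, encrypted USM framing is in use.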
