> As for comments on protecting SNMPv1 with ACL's and obfuscated Community > Strings, that is laughable at best. A better solution is to run with SNMPv3 > using AuthPriv functionality, seems like some of the popular management > systems don't yet support v3 capabilities. Well, I don't see why such a solution would be laughable. From a business perspective, it doesn't necessarily make sense to keep heapinng layer after layer of 'stuff' on top of the protocol. Oddly enough, my post about treating SNMP in isolation was rejected by the moderators, who as yet have not responded to my queries regarding this issue. The issue as I see it is that folks are treating security mechanism in general (SNMP is not a security mechanism) in isolation. Yes, an obfuscated community string in the UDP packets is laughable in the face of a simple sniffer. However, it your infrastructure configuration allows for the undetected installation of a sniffer, then you have more things to be concerned with, other than simply the 'safety' of your community strings. If someone has a sniffer, why bother with things like community strings at all, when the admin passwords can be easily collected. Properly configuring and monitoring your entire infrastructure is what can allow things like SNMP and TFTP to run on the network. Network engineers too often say that "security breaks stuff"...and they are definitely correct, particularly when a security 'expert' doesn't keep the business objectives in mind. ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Sun Jul 22 2001 - 12:05:07 PDT