| -----Original Message-----
| From: keydet89at_private [mailto:keydet89at_private]
| Sent: 19 July 2001 18:08
|
| > As for comments on protecting SNMPv1 with ACL's and obfuscated Community
| > Strings, that is laughable at best. A better solution is to run with SNMPv3
| > using AuthPriv functionality, seems like some of the popular management
| > systems don't yet support v3 capabilities.

When this is possible, it's obviously the better solution.

| Well, I don't see why such a solution would be
| laughable. From a business perspective, it
| doesn't necessarily make sense to keep
| heaping layer after layer of 'stuff' on top of
| the protocol.

From the business perspective it's easier to upgrade a network management protocol than secure large portions of intermediate infrastructure.

[snip]

| The issue as I see it is that folks are treating
| security mechanism in general (SNMP is not a
| security mechanism) in isolation. Yes, an
| obfuscated community string in the UDP
| packets is laughable in the face of a simple
| sniffer. However, if your infrastructure
| configuration allows for the undetected
| installation of a sniffer, then you have more
| things to be concerned with, other than
| simply the 'safety' of your community strings.
| If someone has a sniffer, why bother with
| things like community strings at all, when the
| admin passwords can be easily collected.

Agreed, but as some people have nuclear weapons, why bother with front doors? Because every lock makes the whole job harder.

| Properly configuring and monitoring your
| entire infrastructure is what can allow things
| like SNMP and TFTP to run on the network.

Agreed, but that's unusual, even on banking/military networks. It's the fences and the gateways that are protected, not the interior of each 'compound'.

| Network engineers too often say that "security breaks stuff"...and they are
| definitely correct, particularly when a security 'expert' doesn't keep the business
| objectives in mind.
Alternatively, when the network engineer doesn't keep security objectives in mind, security has to be bolted on, and anything bolted on is ugly and can break. In a perfect world the information within computers would know who can and can't access it, and how - without layers like NOSes, OSes, "encryption" (which is just good obfuscation) etc. And I would be out of a job....

Dom

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
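The thread's point that a community string in a UDP packet is plain to any sniffer, and that SNMPv3 AuthPriv is the real fix, as an added example that is not code from either poster: a small BER parser that classifies an SNMP datagram payload by version and reports whether its community string or PDU is readable on the wire. A defender can run the same check over UDP/161 payloads to inventory remaining v1/v2c use; both sample packets are constructed by hand, not captured.

```python
# Added example (not from the thread): classify an SNMP datagram's payload by
# version and report whether its community string / PDU is readable on the wire.
# Both sample packets below are constructed by hand, not captured traffic.

def ber_tlv(buf, pos=0):
    """Decode one BER TLV at buf[pos]; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: 0x8n then n length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def ber_seq(value):
    """Split SEQUENCE contents into a list of (tag, value) pairs."""
    items, pos = [], 0
    while pos < len(value):
        tag, val, pos = ber_tlv(value, pos)
        items.append((tag, val))
    return items

def classify_snmp(packet):
    """v1/v2c: the community string is a plaintext OCTET STRING right after the
    version field. v3: msgFlags in msgGlobalData say whether the message is
    authenticated (bit 0) and encrypted (bit 1); only authPriv hides the PDU."""
    tag, body, _ = ber_tlv(packet)
    if tag != 0x30:
        raise ValueError("outer SEQUENCE missing; not an SNMP message")
    fields = ber_seq(body)
    version = int.from_bytes(fields[0][1], "big")
    if version in (0, 1):                   # 0 = SNMPv1, 1 = SNMPv2c
        return {"version": "v1" if version == 0 else "v2c",
                "community": fields[1][1].decode("ascii", "replace"),
                "exposed": True}
    if version == 3:
        flags = ber_seq(fields[1][1])[2][1][0]   # msgFlags inside msgGlobalData
        auth, priv = bool(flags & 0x01), bool(flags & 0x02)
        level = {(False, False): "noAuthNoPriv", (True, False): "authNoPriv",
                 (True, True): "authPriv"}.get((auth, priv), "invalid")
        return {"version": "v3", "level": level, "exposed": not priv}
    return {"version": f"unknown({version})", "exposed": True}

# Constructed SNMPv1 GetRequest for sysDescr.0, community "public".
V1_GET = bytes.fromhex(
    "3026 020100 0406 7075626c6963 a019 020101 020100 020100"
    "300e 300c 0608 2b06010201010100 0500")
# Constructed SNMPv3 header: msgFlags 0x07 = reportable|priv|auth, with an
# empty security-parameters placeholder and an opaque encrypted msgData blob.
V3_AUTHPRIV = bytes.fromhex(
    "301d 020103 300d 02012a 020205dc 040107 020103 0400 0407 aaaaaaaaaaaaaa")
```

Feed `classify_snmp` the UDP payload of each port 161/162 datagram; any result with `"exposed": True` is a device still talking v1/v2c (or v3 without privacy) and a candidate for the AuthPriv upgrade the thread recommends.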
This archive was generated by hypermail 2b30 : Sun Jul 22 2001 - 17:44:47 PDT