
Re: [FW1] SNMP on FW-1 machine




Well you can get the firewall security server thingy and run it on your HP
Openview box and do a VPN between them and block access via all other
hosts.  Definitely write your policy to limit access to SNMP from hosts
that aren't monitoring the firewall.  You'll also want to secure your
monitoring hosts or people can break into them and then break into the
firewall.

You definitely should change the default community strings and I would
strongly look into a v3 compliant SNMP agent.

Another option is to push information from the firewall to the monitoring
host.  At least that way you're not listening on a port which can
completely compromise your firewall.

In almost all cases there are other ways to monitor a firewall without
running SNMP.  The real question is how much security are you willing to
give up to make things easy?


-- 
Aaron D. Turner  Security Architect, OneSecure  http://www.onesecure.com/
[email protected]  work:cell:
pub  1024D/1B57EB4D 2000-09-27 Aaron D. Turner <[email protected]>
     Key fingerprint = F90C BFB4 4404 5504 295D  4435 578B 1DD5 1B57 EB4D
All emails by me are PGP signed; an invalid signature indicates a forgery.

On Thu, 14 Dec 2000, Wonder Kid wrote:

> Unfortunately, in some cases, the firewall needs to be
> monitored by HP Openview or BMC Patrol, and we are
> told to run SNMP on the firewall.
>
> Any solution?  Is a stealth rule with IP spoofing
> configured enough to block the malicious activities?
>
> --- "Aaron D. Turner" <[email protected]> wrote:
> > It does not need to be running/installed and almost
> > without exception you should get rid of it due to the
> > security implications.  (The only time I can see it
> > running is if you're using a SNMPv3 agent utilizing
> > encryption and strong authentication.)
> >
> > -- 
> > Aaron D. Turner  Security Architect, OneSecure
> > http://www.onesecure.com/
> > [email protected]  work:cell:
> > pub  1024D/1B57EB4D 2000-09-27 Aaron D. Turner <[email protected]>
> >      Key fingerprint = F90C BFB4 4404 5504 295D  4435 578B 1DD5 1B57 EB4D
> > All emails by me are PGP signed; an invalid signature indicates a forgery.
> >
> > On Thu, 14 Dec 2000, Wonder Kid wrote:
> >
> > > Hi,
> > >
> > > Does anyone know whether FW-1 needs SNMP services to be
> > > turned on on NT4 or Solaris?
> > >
> > > If the SNMP service is turned on on NT4 or Solaris with
> > > FW-1 installed, and no further configuration is done,
> > > i.e. community strings etc. were not changed, does it
> > > have an impact on FW-1?
> > >
> > > Microsoft had just released patches to resolve the
> > > registry key vulnerability related to SNMP
> > >
> >
>
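As an added illustration of the advice in this thread (not configuration posted by anyone in it, and not Check Point's), here is the same hardening expressed for a Net-SNMP snmpd.conf: first the default-community setup the thread warns against, then a v3-only, read-only, authPriv configuration that pushes traps to the monitoring host instead of relying on polling. The addresses, the user name nmsmon, the view name and the passphrases are placeholders.

```conf
###########################################################################
# (A) The state the thread warns about: default community string,
#     read/write, no source restriction, agent listening on every
#     interface. Left commented out so it is never applied by accident.
###########################################################################
# rwcommunity public

###########################################################################
# (B) Hardened: SNMPv3 only, authPriv required, read-only, narrow MIB
#     view, agent bound to the one interface the monitoring host reaches.
###########################################################################
# Listen only on the management-side interface (placeholder address).
agentaddress udp:192.0.2.1:161

# SNMPv3 user with SHA authentication and AES privacy.  Net-SNMP reads
# createUser from its persistent config (e.g. /var/lib/net-snmp/snmpd.conf)
# and replaces the clear-text passphrases with localized keys on first
# start.  Both passphrases here are placeholders.
createUser nmsmon SHA "REPLACE-WITH-AUTH-PASSPHRASE" AES "REPLACE-WITH-PRIV-PASSPHRASE"

# Expose only what the NMS needs: the system and interfaces groups.
view nmsview included .1.3.6.1.2.1.1
view nmsview included .1.3.6.1.2.1.2

# Read-only, authPriv mandatory, confined to the view above.
rouser nmsmon priv -V nmsview

# Push-style monitoring (the "push information from the firewall" option):
# send v3 authPriv traps to the NMS at a placeholder address.
trapsess -v 3 -u nmsmon -l authPriv -a SHA -A "REPLACE-WITH-AUTH-PASSPHRASE" -x AES -X "REPLACE-WITH-PRIV-PASSPHRASE" 192.0.2.10

# No rocommunity/rwcommunity lines at all, so v1/v2c requests are refused.
# Restricting v3 users by source address is not expressible here; that
# rule belongs in the firewall policy (permit udp/161 only from the NMS).
```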


