[unisog] Cisco switch monitoring without SNMP
pmeunier at cerias.net
Tue Oct 17 15:29:21 GMT 2006
On Oct 16, 2006, at 1:34 PM, John Kristoff wrote:
> On Mon, 16 Oct 2006 12:38:47 -0400
> "Micheal Cottingham" <micheal.cottingham at sv.vccs.edu> wrote:
>> My understanding is that the higher-ups don't want to use SNMP.
>> about all I know. I'd love to use SNMP, but I can't. I did find the
> Hi Michael,
> Frankly, I'm curious how your higher ups expect you to successfully
> a network without being able to manage it. Clearly they've never done
> so themselves. :-)
I'll offer the following thoughts as fodder.
> Presumably this is a result of some packet paranoia and the concern
> about SNMPv1's weak authentication scheme. Legitimate concern. The
> most basic way people mitigate this threat is to strictly prohibit
> which source IP addresses (the SNMP manager stations) can reach the
> gear with SNMP. This does not prevent successful spoofed attacks,
> but if the community string is not easily guessed and relatively well
> safeguarded things should be fine.
SNMPv2c is just as insecure as SNMPv1. SNMPv3 was proposed in 1998.
Replacing "old" equipment may be quite expensive. I would feel quite
uncomfortable using only source IP filtering and a community string
that could be sniffed for anything but a temporary or stop-gap
solution. Once it gets sniffed or guessed it's game over.
> If that still isn't a good enough solution you can try to build an
> out-of-band management network, where only physical links connected
> to some central NOC are allowed to get SNMP to your gear. You can
> do additional authentication mechanisms and even crypto there, but
> I'm guessing this is overkill for your environment.
That sounds pretty expensive. How about setting up an administrative
VLAN? It's not as secure as a separate physical network but it's
cheaper and I would trust it more than just a source IP ACL.
> Sometimes, and this is a really annoying approach to have to take, but
> hiring a consultant to come tell you what to do makes higher ups feel
> all warm and fuzzy inside. If you bring in the right people, they'll
> get you to a reasonable enough compromise with the only drawback that
> your spirit is weakened as you witness the higher ups trust some
> outsider's ability over yours.
> Sounds like an unfortunate situation to be in. You may want to point
> out to your higher ups that your colleagues (use me and this post as an
> example if you want) think the no SNMP requirement is a silly idea. Is
> SNMP perfect? Far from it. Is it being used successfully by large
> numerous networks around the world without too much effort? You bet.
> Good luck with getting whatever it is you're trying to troubleshoot
The hard question is, how much is using SNMP worth over using ssh or
walking over and using the console? If you can produce a dollar
amount (try salaries x time + probability x costs of business
scenarios, e.g. due to delays in finding and fixing problems) that is
greater than the dollar amount needed to secure SNMP, you should have
Does anyone have figures for example business scenarios that could
help Micheal come up with a cost for not using SNMP, or savings
brought about by using SNMP?
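As an added illustration, not part of the original thread, of the point that a sniffed SNMPv1/v2c community string is "game over": this Python audit walks the BER header of captured SNMP payloads, flags v1/v2c messages and shows that their community string is readable in cleartext, while SNMPv3 carries none. The payloads and source addresses are constructed for the example, not real captures.

```python
"""Classify captured SNMP payloads by version and show the community string that
SNMPv1/v2c send in cleartext right after the version field (SNMPv3 has none)."""

VERSION_NAMES = {0: "SNMPv1", 1: "SNMPv2c", 3: "SNMPv3"}

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the byte count of the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated BER element")
    return tag, value, pos + length

def classify_snmp(payload):
    """Return {'version', 'community', 'plaintext_credential'} for one message."""
    tag, msg, _ = _read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message: outer SEQUENCE missing")
    tag, ver, pos = _read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("version INTEGER missing")
    version = int.from_bytes(ver, "big")
    info = {"version": VERSION_NAMES.get(version, f"unknown({version})"),
            "community": None, "plaintext_credential": version in (0, 1)}
    if info["plaintext_credential"]:
        tag, community, _ = _read_tlv(msg, pos)  # cleartext OCTET STRING
        if tag != 0x04:
            raise ValueError("community OCTET STRING missing")
        info["community"] = community.decode("latin-1")
    return info

def audit(packets):
    """One finding per (source, payload) pair whose community string is readable."""
    return [f"{src}: {i['version']} exposes community {i['community']!r}"
            for src, payload in packets
            for i in [classify_snmp(payload)] if i["plaintext_credential"]]

# Constructed sample payloads, not real captures.
# SNMPv2c GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0) with community "public":
V2C_GET = bytes.fromhex("3026 020101 0406 7075626c6963 a019 020101 020100 020100"
                        " 300e 300c 0608 2b06010201010100 0500")
# Minimal SNMPv3 header (msgVersion=3, msgGlobalData, empty security params / PDU):
V3_MSG = bytes.fromhex("3019 020103 3010 020400000001 0202ffe3 040104 020103 0400 3000")

if __name__ == "__main__":
    for line in audit([("192.0.2.10", V2C_GET), ("192.0.2.11", V3_MSG)]):
        print(line)
```

Run against a live capture, the same `audit` call over each UDP/161 payload gives an inventory of which devices still speak v1/v2c and therefore need the source-IP ACL, admin VLAN or v3 migration discussed above.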