[unisog] Cisco switch monitoring without SNMP

p p pmeunier at cerias.net
Tue Oct 17 15:29:21 GMT 2006


On Oct 16, 2006, at 1:34 PM, John Kristoff wrote:

> On Mon, 16 Oct 2006 12:38:47 -0400
> "Micheal Cottingham" <micheal.cottingham at sv.vccs.edu> wrote:
>
>> My understanding is that the higher-ups don't want to use SNMP.  
>> That's
>> about all I know. I'd love to use SNMP, but I can't. I did find the
>
> Hi Michael,
>
> Frankly, I'm curious how your higher ups expect you to successfully  
> run
> a network without being able to manage it.  Clearly they've never done
> so themselves.  :-)

I'll offer the following thoughts as fodder.

>
> Presumably this is a result of some packet paranoia and the concern
> about SNMPv1's weak authentication scheme.  Legitimate concern.  The
> most basic way people mitigate this threat is to strictly prohibit
> which source IP addresses (the SNMP manager stations) can reach the
> gear with SNMP.  This does not prevent successful spoofed attacks,
> but if the community string is not easily guessed and relatively well
> safeguarded things should be fine.

SNMPv2c is just as insecure as SNMPv1.  SNMPv3 was proposed in 1998.
http://www.comsoc.org/livepubs/surveys/public/4q98issue/stallings.html

Replacing "old" equipment may be quite expensive.  I would feel quite  
uncomfortable using only source IP filtering and a community string  
that could be sniffed for anything but a temporary or stop-gap  
solution.  Once it gets sniffed or guessed it's game over.

>
> If that still isn't a good enough solution you can try to build an
> out-of-band management network, where only physical links connected
> to some central NOC are allowed to get SNMP to your gear.  You can
> do additional authentication mechanisms and even crypto there, but
> I'm guessing this is overkill for your environment.

That sounds pretty expensive.  How about setting up an administrative  
VLAN?  It's not as secure as a separate physical network but it's  
cheaper and I would trust it more than just a source IP ACL.

>
> Sometimes, and this is a really annoying approach to have to take, but
> hiring a consultant to come tell you what to do makes higher ups feel
> all warm and fuzzy inside.  If you bring in the right people, they'll
> get you to a reasonable enough compromise with the only drawback that
> your spirit is weakened as you witness the higher ups trust some
> outsider's ability over your's.
>
> Sounds like an unfortunate situation to be in.  You may want to point
> out to your higher ups that your colleagues (use me and this post  
> as an
> example if you want) think the no SNMP requirement is a silly  
> idea.  Is
> SNMP perfect?  Far from it.  Is it being used successfully by large  
> and
> numerous networks around the world without too much effort?  You bet.
> Good luck with getting whatever it is you're trying to troubleshoot
> resolved.

The hard question is, how much is using SNMP worth over using ssh or  
walking over and using the console?  If you can produce a dollar  
amount (try salaries x time + probability x costs of business  
scenarios, e.g. due to delays in finding and fixing problems) that is  
greater than the dollar amount needed to secure SNMP, you should have  
a winner.

Does anyone have figures for example business scenarios that could  
help Micheal come up with a cost for not using SNMP, or savings  
brought about by using SNMP?

Pascal




More information about the unisog mailing list