Network & System Mgmt using NetView passing thru a firewall
ITEM: RTA000079102
I have a customer setting up a firewall (NetSP). They have
their own LANs on both sides of the firewall and an Internet
connection on the outside LAN.
                 Internet
                    |
                    -
                   |R|
                    -
                    |
Outside -------------------- Customer owned LAN
                    |
                Firewall
                    |
Inside  -------------------- Customer owned LAN
Now they want to put a Management station on the Inside LAN running
NetView and System Monitor to manage resources on both LANs.
1. What are the security precautions that should be taken into
consideration?
2. What kind of traffic does the firewall have to let thru?
3. Is there any documentation from earlier experiences in this area?
ANSWER
NetView for AIX uses SNMP GET and SET requests and ICMP echo (ping)
for network monitoring. It also may receive SNMP traps from agents
in the network. Dealing with ICMP echo first - there is little
risk in allowing free passage of echo requests across the firewall.
SNMP should not be considered to have any innate security. The
community name process is wide open to "masquerade" attacks (the source
node address and community name travel in clear in the packet). You
may therefore want to set filters to restrict this. An SNMP Get or Set
is sent from the manager to port 161 on the agent. The sending port
may be anything. The response is also sent the same way. In general,
SNMP agents do not allow many variables to be SNMP SET, and you can
restrict the permissible community names. For Sysmon the situation is
a little different, since it is wholly configured using SNMP SETs.
Since the SNMP protocol is insecure you will need to be careful to
set filters to prevent any traffic to port 161 from outside the secure
network.
Search keywords:
NETSP FIREWALL SECURE GATEWAY SNMP NETVIEW
WWQA: ITEM: RTA000079102
Dated: 10/1995 Category: ITSCSAIXNV6
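
The filtering described in the answer, worked through as an added example (not part of the original item, and not NetSP rule syntax): a first-match, default-deny packet filter checked against constructed packets. The addresses, the rule format and the decide() helper are assumptions; UDP port 162 for traps is the standard SNMP trap port and is not stated in the item.

```python
from ipaddress import ip_address, ip_network

MANAGER = "10.1.1.10/32"      # assumed: NetView station on the inside LAN
OUTSIDE_LAN = "192.0.2.0/24"  # assumed: customer-owned outside LAN
ANY = "0.0.0.0/0"

# (action, arriving interface, protocol, source, destination, sport, dport)
# None matches anything. First matching rule wins; no match means deny.
RULES = [
    # Nothing arriving from outside may reach port 161. This must come before
    # the response rule, or a packet sent *from* port 161 *to* port 161 on the
    # manager would be accepted as if it were an SNMP response.
    ("deny",   "outside", "udp", ANY, ANY, None, 161),
    # Get/Set requests: manager (any source port) to agents on port 161.
    ("permit", "inside",  "udp", MANAGER, OUTSIDE_LAN, None, 161),
    # Responses: agent port 161 back to whatever port the manager used.
    ("permit", "outside", "udp", OUTSIDE_LAN, MANAGER, 161, None),
    # Traps from agents to the manager.
    ("permit", "outside", "udp", OUTSIDE_LAN, MANAGER, None, 162),
    # ICMP echo is allowed free passage in both directions.
    ("permit", None, "icmp-echo-request", ANY, ANY, None, None),
    ("permit", None, "icmp-echo-reply",   ANY, ANY, None, None),
]

def decide(iface, proto, src, dst, sport=None, dport=None):
    """Return 'permit' or 'deny' for one packet arriving on iface."""
    for action, r_if, r_proto, r_src, r_dst, r_sport, r_dport in RULES:
        if r_if not in (None, iface) or r_proto != proto:
            continue
        if ip_address(src) not in ip_network(r_src):
            continue
        if ip_address(dst) not in ip_network(r_dst):
            continue
        if r_sport not in (None, sport) or r_dport not in (None, dport):
            continue
        return action
    return "deny"  # default deny

if __name__ == "__main__":
    # Constructed sample packets.
    samples = [
        ("inside", "udp", "10.1.1.10", "192.0.2.20", 40000, 161),
        ("outside", "udp", "192.0.2.20", "10.1.1.10", 161, 40000),
        ("outside", "udp", "198.51.100.7", "10.1.1.30", 40000, 161),
        ("outside", "udp", "192.0.2.20", "10.1.1.10", 161, 161),
    ]
    for pkt in samples:
        print(decide(*pkt), pkt)
```

Because the filter is stateless, the response rule accepts any UDP packet from the outside LAN with source port 161 addressed to the manager, so the destination restriction and the rule order carry the protection.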
This HTML file was generated 99/06/24~12:43:28