[nsp] Possibly OT: Securing Syslog and SNMP.

Temkin, David temkin@sig.com
Wed, 20 Nov 2002 08:51:41 -0500


That's a very good question - I'm faced with a very similar setup - My
management systems all sit inside of my firewalls but I've got plenty of
routers out in DMZs and all the way outside (internet facing routers).  What
is the best practice for being able to allow SNMP
traps/syslog/TACACS+/etc.?  I know a lot of people suggest sticking the
management systems on a separate "management" DMZ that's not inside the
firewall, but that's not practical when you have 30+ firewalls.

-Dave

> -----Original Message-----
> From: James Kilton [mailto:kilton9@yahoo.com] 
> Sent: Tuesday, November 19, 2002 10:02 AM
> To: cisco-nsp@puck.nether.net
> Subject: [nsp] Possibly OT: Securing Syslog and SNMP.
> 
> 
> I'm wondering if there are any standard practices to
> securing the monitoring of Cisco devices via Syslog
> and SNMP.
> 
> The primary issue I'm having trouble with is the
> following: ideally you want your Management segment to
> be as secure as possible, perhaps the most secure
> segment on your network.  How then do you allow
> traffic (Syslog, SNMP traps) from non-firewalled Cisco
> devices such as border routers and backbone switches
> to this Management network?
> 
> It seems that the Management network should be in the
> far "backend" of the network for security reasons, yet
> somehow we need to allow traffic initiated from
> devices in the very front of the network.  Seems like
> a catch-22.  If anyone can share their thoughts and
> experience with this, I'd appreciate it.
> 
> Thanks.
> 