[[nsp] Possibly OT: Securing Syslog and SNMP.]

James Kilton kilton9@yahoo.com
Wed, 20 Nov 2002 20:11:02 -0800 (PST)


Yeah, this eliminates some of the risk, but you're
still allowing traffic from non-firewalled border
routers to a "secure" management network in the
backend of the network.  This totally defies one of
the security paradigms that I've established on the
network which is "traffic initiated from the Internet
doesn't come in any further than the DMZs".  

But, this is the best/only solution I'm seeing at this
point other than simply not monitoring backbone
devices.  

--- Joshua Smith <joshua.ej.smith@usa.net> wrote:
> allow the traffic with an acl or firewall entry
> similar to this:
> 
> permit udp 'border ip' eq 514 host 'syslog ip' 
> permit udp 'border ip' eq snmp-trap host 'nms ip'
> deny ip any any log-input
> 
> hth
> 
> joshua
> 
> James Kilton <kilton9@yahoo.com> wrote:
> > I'm wondering if there are any standard practices to
> > securing the monitoring of Cisco devices via Syslog
> > and SNMP.
> > 
> > The primary issue I'm having trouble with is the
> > following: ideally you want your Management segment to
> > be as secure as possible, perhaps the most secure
> > segment on your network.  How then do you allow
> > traffic (Syslog, SNMP traps) from non-firewalled Cisco
> > devices such as border routers and backbone switches
> > to this Management network?
> > 
> > It seems that the Management network should be in the
> > far "backend" of the network for security reasons, yet
> > somehow we need to allow traffic initiated from
> > devices in the very front of the network.  Seems like
> > a catch-22.  If anyone can share their thoughts and
> > experience with this, I'd appreciate it.
> > 
> > Thanks.
> > 
> > _______________________________________________
> > cisco-nsp mailing list
> > http://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
> 
> 
> "Walk with me through the Universe,
>  And along the way see how all of us are Connected.
>  Feast the eyes of your Soul,
>  On the Love that abounds.
>  In all places at once, seemingly endless,
>  Like your own existence."
>      - Stephen Hawking -
> 


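An added example (not from the thread, and not Cisco's code): the posted ACL expressed as data and evaluated first-match the way IOS does, so you can see exactly which flows it admits into the management segment. Because the `eq` operator sits after the source address, it constrains the source port and leaves the destination port open; a hypothetical tightened list that pins the destination port instead is included alongside. Addresses are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed addresses for this example (not from the thread).
BORDER, SYSLOG, NMS = "192.0.2.1", "10.10.0.5", "10.10.0.6"


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "udp" or "ip" ("ip" matches any protocol)
    src: str               # host address or "any"
    sport: Optional[int]   # "eq N" written after the source address
    dst: str
    dport: Optional[int]   # "eq N" written after the destination address
    log: bool = False      # "log-input" keyword on the deny

# The posted ACL as data.  In IOS extended ACL syntax, "eq" placed after
# the source address constrains the SOURCE port; the destination port is
# left unconstrained.  snmp-trap is UDP/162.
ACL_AS_POSTED = [
    Rule("permit", "udp", BORDER, 514, SYSLOG, None),
    Rule("permit", "udp", BORDER, 162, NMS, None),
    Rule("deny", "ip", "any", None, "any", None, log=True),
]

# Hypothetical tightened variant: pin the destination port the collector
# actually listens on (syslog 514, traps 162) instead of the source port.
ACL_TIGHTENED = [
    Rule("permit", "udp", BORDER, None, SYSLOG, 514),
    Rule("permit", "udp", BORDER, None, NMS, 162),
    Rule("deny", "ip", "any", None, "any", None, log=True),
]


def _addr_ok(field, value):
    return field == "any" or field == value


def evaluate(acl, proto, src, sport, dst, dport):
    """First-match evaluation like an IOS ACL; returns (action, logged)."""
    for r in acl:
        if r.proto != "ip" and r.proto != proto:
            continue
        if not (_addr_ok(r.src, src) and _addr_ok(r.dst, dst)):
            continue
        if r.sport is not None and r.sport != sport:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, r.log
    return "deny", False   # implicit deny at the end of every IOS ACL
```

Run the same flows through both lists: the as-posted ACL permits border-router UDP sourced from port 514 to any port on the syslog host, while the tightened one only admits it to port 514.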