[[nsp] Possibly OT: Securing Syslog and SNMP.]
rpcbind@speakeasy.net
Fri, 22 Nov 2002 09:49:26 -0800 (PST)
Has anyone experimented using VRFs to 'protect' a management interface on an
edge device? I've been a bit reluctant to try myself, not having used VRF
functionality at all yet (waiting for an inter-VRF ip nat), but my initial
impression is this should be fairly sound.
..kg..
On Wed, 20 Nov 2002, James Kilton wrote:
> Yeah, this eliminates some of the risk, but you're
> still allowing traffic from non-firewalled border
> routers to a "secure" management network in the
> backend of the network. This totally defies one of
> the security paradigms that I've established on the
> network which is "traffic initiated from the Internet
> doesn't come in any further than the DMZs".
>
> But, this is the best/only solution I'm seeing at this
> point other than simply not monitoring backbone
> devices.
>
> --- Joshua Smith <joshua.ej.smith@usa.net> wrote:
> > allow the traffic with an acl or firewall entry
> > similar to this:
> >
> > permit udp 'border ip' eq 514 host 'syslog ip'
> > permit udp 'border ip' eq snmp-trap host 'nms ip'
> > deny ip any any log-input
> >
> > hth
> >
> > joshua
> >
> > James Kilton <kilton9@yahoo.com> wrote:
> > > I'm wondering if there are any standard practices
> > to
> > > securing the monitoring of Cisco devices via
> > Syslog
> > > and SNMP.
> > >
> > > The primary issue I'm having trouble with is the
> > > following: ideally you want your Management
> > segment to
> > > be as secure as possible, perhaps the most secure
> > > segment on your network. How then to you allow
> > > traffic (Syslog, SNMP traps) from non-firewalled
> > Cisco
> > > devices such as border routers and backbone
> > switches
> > > to this Management network?
> > >
> > > It seems that the Management network should be in
> > the
> > > far "backend" of the network for security reasons,
> > yet
> > > somehow we need to allow traffic initiated from
> > > devices in the very front of the network. Seems
> > like
> > > a catch-22. If anyone can share their thoughts
> > and
> > > experience with this, I'd appreciate it.
> > >
> > > Thanks.
> > >
> > > _______________________________________________
> > > cisco-nsp mailing list
> > > http://puck.nether.net/mailman/listinfo/cisco-nsp
> > > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
> > "Walk with me through the Universe,
> > And along the way see how all of us are Connected.
> > Feast the eyes of your Soul,
> > On the Love that abounds.
> > In all places at once, seemingly endless,
> > Like your own existence."
> > - Stephen Hawking -
> >
>
>
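An added example, not from anyone in this thread: a small Python model of the ACL Joshua describes (syslog and SNMP traps from named border devices into the management segment, everything else denied and logged), rendered in IOS named-ACL syntax and then exercised against a few sample flows with first-match semantics. The addresses (192.0.2.x for border routers, 10.0.0.x for the syslog and NMS hosts) are constructed. It goes one step beyond the one-liner in the thread by pinning the destination port as well as the source port, since in IOS syntax the `eq` that follows the source address matches the source port only.

```python
"""Model and test the management-network ACL discussed in the thread.

Added example, not code from the thread. All addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "udp", "tcp" or "ip" (ip matches any protocol)
    src: str                    # CIDR; "0.0.0.0/0" means any
    src_port: Optional[int]     # None = any port
    dst: str
    dst_port: Optional[int]
    log: bool = False           # IOS "log-input": log hits with the ingress interface


def build_acl(border_ips, syslog_ip, nms_ip):
    """Permit only syslog (UDP 514) and SNMP traps (UDP 162) from the listed
    border devices to the two management hosts; deny and log everything else.
    Both ports are pinned for syslog; traps use an arbitrary source port."""
    rules = []
    for b in border_ips:
        rules.append(Rule("permit", "udp", f"{b}/32", 514, f"{syslog_ip}/32", 514))
        rules.append(Rule("permit", "udp", f"{b}/32", None, f"{nms_ip}/32", 162))
    # Explicit final deny: the implicit deny would also drop the traffic,
    # but only an explicit entry can log what was dropped.
    rules.append(Rule("deny", "ip", "0.0.0.0/0", None, "0.0.0.0/0", None, log=True))
    return rules


def _addr(cidr):
    """Render a CIDR the way IOS extended ACLs expect it."""
    net = ip_network(cidr)
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"   # network + wildcard mask


def _port(p):
    return f" eq {p}" if p is not None else ""


def render_ios(name, rules):
    """Render the rule list as an IOS named extended ACL (list of config lines)."""
    lines = [f"ip access-list extended {name}"]
    for r in rules:
        line = (f" {r.action} {r.proto} {_addr(r.src)}{_port(r.src_port)}"
                f" {_addr(r.dst)}{_port(r.dst_port)}")
        if r.log:
            line += " log-input"
        lines.append(line)
    return lines


def evaluate(rules, proto, src, sport, dst, dport):
    """First-match evaluation, as the router applies it.
    Returns (action, index of the matching rule), or ("deny", None) for the
    implicit deny that ends every IOS ACL."""
    for i, r in enumerate(rules):
        if r.proto != "ip" and r.proto != proto:
            continue
        if ip_address(src) not in ip_network(r.src):
            continue
        if ip_address(dst) not in ip_network(r.dst):
            continue
        if r.src_port is not None and r.src_port != sport:
            continue
        if r.dst_port is not None and r.dst_port != dport:
            continue
        return r.action, i
    return "deny", None


if __name__ == "__main__":
    acl = build_acl(["192.0.2.1", "192.0.2.2"], "10.0.0.5", "10.0.0.6")
    print("\n".join(render_ios("MGMT-IN", acl)))
    # Constructed sample flows: syslog, a trap, an SSH attempt, a spoofed source
    for flow in [("udp", "192.0.2.1", 514, "10.0.0.5", 514),
                 ("udp", "192.0.2.2", 40000, "10.0.0.6", 162),
                 ("tcp", "192.0.2.1", 40001, "10.0.0.6", 22),
                 ("udp", "198.51.100.7", 514, "10.0.0.5", 514)]:
        print(flow, "->", evaluate(acl, *flow))
```

Applied inbound on the management-segment interface, the generated list admits only the two UDP flows per border device and logs every other hit, which is exactly the traffic the NMS should see when something unexpected tries to reach the management network.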