[nsp] Favorite access lists

Brian Roberson roberson@olug.org
Sat, 28 Sep 2002 00:24:50 -0500


----- Original Message -----
From: "JJ" <yulingna@yahoo.com>
To: <cisco-nsp@puck.nether.net>
Sent: Friday, September 27, 2002 10:21 PM
Subject: Re: [nsp] Favorite access lists


> Out of curiosity, do you see many people allow snmp
> RW?  For what purpose?
>

To config/set items in the MIB. I know, that is a pretty general answer,
but I have used snmp write access for a lot of different things, from
admin'ing a port to a down state, to telling the router to write its
configuration to a tftp server.





> Another thing also bothers me, who enables "snmp
> manager"? Why do we want to make a router a NMS?
>

The best usage example I have found for this feature would be if you did not
have an NMS at all, and you wanted a single place to look at logs for all
your devices. Typically, you have to have a separate, dedicated system to be
your NMS. Not all networks require 24/7 operation, and this works out great
if you ONLY want to manage network devices.




Heck, here is an even better example, answering both your questions.....


You have 5 routers, one is set up as an snmp manager, and all other routers
have a RW community and ACLs permitting that access from the manager using
the RW community... now... the benefit....

Let's say you lose router #3's password, but you still know the snmp RW
community. You enable the tftp service on your snmp manager router, send an
snmpset command from your snmp manager router, telling router #3 to write
its config via tftp to the snmp manager router (just to some file in
nvram, not to write to the config of the snmp manager router) .... you now
have a copy of the active config and proceed to crack the enable and secret
passwords... voilà... you're in! (just an example)
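
The scenario above works for anyone who holds the RW community and can reach the router, so the ACL on each RW community is what limits it. The following is an added example, not part of the original post: a small audit that flags RW communities with no ACL or with an ACL that permits any source. The sample config, community strings and the function name audit_snmp are constructed for illustration, and only numbered standard ACLs are parsed.

```python
import re

# Constructed sample IOS config (not from the original post); community
# strings and addresses are placeholders.
SAMPLE_CONFIG = """\
hostname router3
access-list 10 permit 192.0.2.1
access-list 11 permit any
snmp-server community monitor-example RO 10
snmp-server community write-example RW
snmp-server community ops-example RW 11
snmp-server community mgr-example RW 10
snmp-server manager
"""

COMMUNITY_RE = re.compile(
    r"^snmp-server community \S+(?: view \S+)?"
    r"(?: (?P<mode>ro|rw))?(?: (?P<acl>\S+))?$", re.IGNORECASE)
ACL_RE = re.compile(
    r"^access-list (?P<id>\d+) (?P<action>permit|deny) (?P<src>.+)$",
    re.IGNORECASE)

def audit_snmp(config):
    """Return (severity, line_number, message) findings for SNMP write access."""
    lines = [line.strip() for line in config.splitlines()]
    acls = {}  # numbered standard ACL id -> list of (action, source)
    for line in lines:
        m = ACL_RE.match(line)
        if m:
            acls.setdefault(m["id"], []).append((m["action"].lower(), m["src"]))
    findings = []
    for num, line in enumerate(lines, start=1):
        if line.lower() == "snmp-server manager":
            findings.append(("info", num, "snmp manager enabled"))
        m = COMMUNITY_RE.match(line)
        if not m or (m["mode"] or "ro").lower() != "rw":
            continue  # only read-write communities are in scope here
        acl = m["acl"]
        # The community string itself is deliberately left out of the message.
        if acl is None:
            findings.append(("high", num, "RW community with no ACL"))
        elif acl not in acls:
            findings.append(("high", num, f"RW community uses ACL {acl}, not defined in this config"))
        elif any(a == "permit" and s.lower() == "any" for a, s in acls[acl]):
            findings.append(("high", num, f"RW community ACL {acl} permits any source"))
    return findings

if __name__ == "__main__":
    for finding in audit_snmp(SAMPLE_CONFIG):
        print(finding)
```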