[c-nsp] Automatic SNMP trap generation
Gert Doering
gert at greenie.muc.de
Wed Apr 26 16:00:57 EDT 2006
Hi,
On Wed, Apr 26, 2006 at 09:23:21AM -0700, Bruce Pinsky wrote:
> > On Wed, Apr 26, 2006 at 08:09:52AM -0700, Bruce Pinsky wrote:
> >> But of course by doing this you expose the correct community string since
> >> it is sent as part of the trap generated for the invalid community string.
> >> In general, this is a bad idea.
> >
> > so you say "SNMP traps in response to network incidents are a bad idea"?
>
> No, just the one for invalid community since it can be generated on demand
> if the proper access controls are not in place for SNMP. Can also be a
> vector for DoS.
Hmmm, good point. For *valid* communities, there are ACLs, but not for
*invalid* ones... - so you need infrastructure ACLs as well.
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
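
The distinction drawn in the message above, as an added IOS configuration sketch that is not part of the original thread: the per-community ACL is only consulted for a matching community string, while an infrastructure ACL on the ingress interface drops unsolicited SNMP before the SNMP process can generate an authentication-failure trap. The addresses (documentation ranges), interface name, ACL names and community placeholder are assumptions.

```cisco
! Constructed example. 192.0.2.10 = management station (assumed),
! 198.51.100.1 = an address owned by this router (assumed).
!
! Per-community ACL: checked inside the SNMP process, and only
! for requests that carry this community string.
access-list 10 permit host 192.0.2.10
snmp-server community <RO-COMMUNITY> RO 10
!
! Infrastructure ACL: applied on the interface, before the packet
! reaches the SNMP process, so requests with an invalid community
! from unknown sources never trigger a trap.
ip access-list extended INFRA-IN
 permit udp host 192.0.2.10 host 198.51.100.1 eq snmp
 deny   udp any host 198.51.100.1 eq snmp
 ! repeat the permit/deny pair for every address the router owns
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group INFRA-IN in
```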