
Re: Review of draft-ietf-snmpconf-bcp-07



The router manufacturer supplied the GUI tool (running under
Windows) which generated both a script file which could be
run as a sort of CLI and an 'online' download using SNMP and
it was the latter we used.  This meant it was easy to
implement change control and backout if and when things went
wrong at 0600 on Sunday morning, with a central database of
current and historic configurations.  SNMP download is so
easy that a half-asleep, inexperienced human could get it
right.  I never even saw an OID (apart from a trace taken
from curiosity) although I did have to select and specify
community names and enable the appropriate UDP ports (UDP is
bad news in a secure environment).  I did wonder at what
level the objects operated, like was it 'when I write to
this, take it and execute it as if it had come from an API
or CLI' as opposed to having a separate variable name for e.g.
set port 2/7 to FDX.

SNMP is v1 with security achieved by a hardened system using
standard techniques, e.g. different networks with different
levels of trust separated by firewalls, users could not
introduce their own code to workstations (no A-drive,
regular scans of C-drive for unexpected executables), making
IP addresses trustworthy (DHCP a four-letter word, LAN ports
disabled on change of MAC address), extensive logging of
anything that might be an attempted hack, etc.

Tom Petch, Network Consultant
nwnetworks@dial.pipex.com
+(44) 192 575 3018
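The setup described above relies on SNMPv1, whose only in-band check is the plaintext community string, with everything else enforced by network controls and logging. As an added illustration (not code from the thread or from any vendor tool), here is a minimal SNMPv1 BER header parser and a policy check a defender could run over captured datagrams to flag SetRequests from stations that are not supposed to write; the station addresses, community strings and sample packets are constructed for the example.

```python
# Added example: parse the SNMPv1 message header (version, community, PDU type)
# and flag write attempts that violate a hypothetical source-IP/community policy.

TAG_INTEGER, TAG_OCTET_STRING, TAG_SEQUENCE = 0x02, 0x04, 0x30
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA3: "SetRequest"}

def _read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for one BER TLV (short or long length)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def parse_snmpv1(packet):
    """Extract version, community and PDU type from an SNMPv1 datagram."""
    tag, body, _ = _read_tlv(packet, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an SNMP message")
    tag, ver, pos = _read_tlv(body, 0)
    if tag != TAG_INTEGER:
        raise ValueError("bad version field")
    tag, community, pos = _read_tlv(body, pos)
    if tag != TAG_OCTET_STRING:
        raise ValueError("bad community field")
    pdu_tag = body[pos]                     # PDU is a context-specific constructed tag
    return {"version": int.from_bytes(ver, "big"),
            "community": community.decode("ascii", "replace"),
            "pdu": PDU_NAMES.get(pdu_tag, f"0x{pdu_tag:02x}")}

# Hypothetical policy (constructed values): only these management stations may
# issue SetRequests, and only with the write community.
WRITE_STATIONS = {"10.1.1.10"}
WRITE_COMMUNITY = "cfgwrite"

def check_packet(src_ip, packet):
    """Return an alert string for a request that breaks policy, else None."""
    msg = parse_snmpv1(packet)
    if msg["version"] != 0:                 # SNMPv1 encodes version as INTEGER 0
        return f"{src_ip}: non-v1 message (version {msg['version']})"
    if msg["pdu"] == "SetRequest":
        if src_ip not in WRITE_STATIONS:
            return f"{src_ip}: SetRequest from untrusted station"
        if msg["community"] != WRITE_COMMUNITY:
            return f"{src_ip}: SetRequest with wrong community {msg['community']!r}"
    return None

def build_snmpv1(community, pdu_tag):
    """Constructed sample datagram: SEQUENCE { INTEGER 0, OCTET STRING, empty PDU }."""
    inner = (bytes([TAG_INTEGER, 1, 0, TAG_OCTET_STRING, len(community)])
             + community + bytes([pdu_tag, 0]))
    return bytes([TAG_SEQUENCE, len(inner)]) + inner
```

In a real deployment the packets would come from a capture on the management network and the alerts would feed the "extensive logging" the post mentions.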
-----Original Message-----
From: John Schnizlein <jschnizl@cisco.com>
To: snmpconf@snmp.com <snmpconf@snmp.com>
Date: 15 January 2002 17:11
Subject: Re: Review of draft-ietf-snmpconf-bcp-07


>At 07:23 AM 1/15/2003, you wrote:
>>I have made extensive use of SNMP to configure routers; in
>>fact, I've known it be the standard way of doing it once the
>>initial IP/SNMP support is configured into the router. This
>>is in a high availability, high security environment, using
>>vendor-provided tools and (of course) vendor proprietary
>>MIB.
>
>Are you using SNMPv3? How do you manage keys?
>How do you control which administrators can write which variables?
>Could you please identify the router and vendor-provided tools?
>
>>But I am talking Enterprise, not Operator, which is why I
>>stayed quiet at Salt Lake City.
>
>Whoever operates the network is what matters, not whether it is
>a commercial service provider or within an enterprise.
>
>>Tom Petch, Network Consultant
>>nwnetworks@dial.pipex.com
>
>John