ietf
[Top] [All Lists]

Re: Securing SNMPv3 via SSH tunnels

2003-08-06 09:58:50
The problem that you have with TCP (and made worse by SSH tunneling on top of
it) is that the number of round trips needed to successfully get a data packet
through is unreasonably high in a situation where you are attempting to 
diagnose a network fault.

The other choice is to leave a LOT of state open (ie. TCP connections)
requiring a lot of extra memory, etc. on the device.  That said there is no 
reason why you can not create a tunnel to a secure environment and run your
SNMP traffic from there.

Bill

On Wed, Aug 06, 2003 at 08:42:49AM -0700, Fleischman, Eric wrote:
I am seeking to secure SNMPv3 communications (e.g., RFC 3414), trying to 
protect against its well-known vulnerabilities such as spoofing. Had SNMPv3 
run over TCP, instead of UDP as it does, then I perhaps may attempt to 
protect it via SSH port forwarding (i.e., SSH tunneling). Coincidentally, 
I've just read a description in Bob Toxen's book "Real World Linux Security" 
(page 141) about an approach he has apparently used of wrapping UDP in TCP 
and SSH in order to accomplish SSH port forwarding for UDP-based protocols as 
well. This makes me wonder whether SNMPv3 may be a viable candidate for SSH 
tunneling after all. I am wondering whether anybody in the list has any 
insights as to the viability and weaknesses of this suggested approach. I am 
especially interested in learning how people on this list secure SNMPv3. 
Thank you.



<Prev in Thread] Current Thread [Next in Thread>