Bill, what is this about? Eric obviously wasn't aware
that the problems he listed applied to the older versions
of SNMP protocol, namely SNMPv1 and SNMPv2c. The current
standard SNMPv3 (which obsoletes those) is designed
specifically to address the listed vulnerabilities.
So this whole notion of securing SNMPv3 with SSH is
ridiculous.
On 8/6/2003 12:34 PM, Bill Strahm wrote:
The problem that you have with TCP (and made worse by SSH tunneling on top of
it) is that the number of round trips needed to successfully get a data packet
through is unreasonably high in a situation where you are attempting to
diagnose a network fault.
The other choice is to leave a LOT of state open (ie. TCP connections)
requiring a lot of extra memory, etc. on the device. That said there is no
reason why you can not create a tunnel to a secure environment and run your
SNMP traffic from there.
Bill
On Wed, Aug 06, 2003 at 08:42:49AM -0700, Fleischman, Eric wrote:
I am seeking to secure SNMPv3 communications (e.g., RFC 3414), trying to
protect against its well-known vulnerabilities such as spoofing. Had SNMPv3
run over TCP, instead of UDP as it does, then I perhaps may attempt to
protect it via SSH port forwarding (i.e., SSH tunneling). Coincidentally,
I've just read a description in Bob Toxen's book "Real World Linux Security"
(page 141) about an approach he has apparently used of wrapping UDP in TCP
and SSH in order to accomplish SSH port forwarding for UDP-based protocols as
well. This makes me wonder whether SNMPv3 may be a viable candidate for SSH
tunneling after all. I am wondering whether anybody in the list has any
insights as to the viability and weaknesses of this suggested approach. I am
especially interested in learning how people on this list secure SNMPv3.
Thank you.