Isolating the management network is the right thing to do. All traffic can
run in the open and if you need to jump domains a good firewall system can
be employed with whatever restriction. I love it when I can work on a
system that has a management network not at risk to the internet. We design
data centers with this in mind.
Make sure nobody has IP forward set though.
Good call, Chuyen.
chuynh@fr.ibm.com wrote:
>
> There are some guidelines:
> - Change the IP address of your NetView referenced in every managed node
> (trap)
> - Ask your firewall administrator to allow ping and snmp from your NetView
> server (any, NetView host).
>
> The firewall administrator will mention the ping of death as a deny attack
> and that snmp communities run on clear text on the network.
>
> There is always a price to pay. We dedicated an administrative network for
> SNMP, Tivoli, etc. and isolate it from normal flows that do not accept SNMP
> nor ping.
>
> Chuyen HUYNH
> Tivoli certified Consultant, IBM certified Architect, Microsoft Certified
> System Engineer
>
> chuynh@fr.ibm.com
>
> Mobile : (33) 670 014 929.
> Office: (33) 149 053 686 / 338636
>
> Tour Descartes, La Defense 5, 92066 La Defense
> FRANCE
>
>
> "Tesfai, Menghis" <Menghis.Tesfai@PictureVision.com>, 22/05/2001 21:04
>
>
> Please respond to IBM NetView Discussion <nv-l@tkg.com>
>
> To: "'IBM NetView Discussion'" <nv-l@tkg.com>
> cc:
> Subject: RE: [NV-L] Moving Netview behind a Cisco PIX Firewall
>
> Let me restate my question.
>
> We are looking to change the IP address on the server that hosts Netview.
> If you could guide me to a URL or send me some documentation relating to
> this, I would appreciate it.
>
> Thanks,
>
> Menghis
>
> -----Original Message-----
> From: chuynh@fr.ibm.com [mailto:chuynh@fr.ibm.com]
> Sent: Tuesday, May 22, 2001 5:39 AM
> To: IBM NetView Discussion
> Subject: Re: [NV-L] Moving Netview behind a Cisco PIX Firewall
>
> Yes. We have a NV 6.2 on AIX server that manages CheckPoint Firewall-1,
> Cisco PIX, Cisco Catalyst and Alteon AD4.
> It works fine.
> As it is a touchy topic, can you be more precise about your request?
>
> Chuyen HUYNH
>
> "Tesfai, Menghis" <Menghis.Tesfai@PictureVision.com>, 21/05/2001 18:40
>
> Please respond to IBM NetView Discussion <nv-l@tkg.com>
>
> To: "'IBM NetView Discussion'" <nv-l@tkg.com>
> cc:
> Subject: [NV-L] Moving Netview behind a Cisco PIX Firewall
>
> Hello,
>
> Has anyone gone through the exercise of moving Netview behind a firewall? I
> am currently running Netview V5 on a Solaris 2.6 machine.
>
> If you could guide me to a URL or send me some documentation relating to
> this, I would appreciate it.
>
> Thanks,
>
> Menghis
> _________________________________________________________________________
> NV-L List information and Archives: http://www.tkg.com/nv-l