Kevin,

Have you heard the one about making omelettes without eggs?????

IMHO you CANNOT do active network management without having SNMP access to the devices you are managing. I usually end up getting access through the firewall for traps from all nodes in the DMZ to <NetView m/c> udp 162 and for <NetView m/c> udp 161 to all DMZ nodes, plus responses (I've worked generally with Checkpoint firewall). You can live without ping. If you can't get this or hardware to set up VPNs, you are "eggless".

If your folks don't trust Gates software, can you have Linux in your DMZ? That would be my preference for a little NetView in a DMZ. If you have that, your Linux NetView does full monitoring - no firewall issues. Can you get a web console through your firewall? If so, you can see separate NetView topologies. There is no way to combine topology databases from different NetViews - the only way one NV GUI sees all is if that NetView database discovers all.

On events, you can do a little better, especially if your DMZ NetView is Linux. The DMZ NetView can selectively forward events to your top-level NetView and this doesn't have to happen on udp/162 - you can swap to TCP and you can swap port. NetView, by default, actually also listens for traps on TCP/162 - will your firewall guys wear that? If you have lots of NVs in lots of DMZs, you may want to get a little fancier than simple trap forwarding so that you know which DMZ NV has forwarded the trap - depends rather on whether you have a good DNS setup so that it may be obvious...

This leaves the problem of you being blind if your DMZ NetView goes down. We built a solution whereby a DMZ NetView sends heartbeat traps to the top-level NetView and top-level NetView then alerts if he thinks he has lost a subsidiary NetView. Not nice, but better than nothing.

MLM in the DMZ doesn't really buy you anything if you can't have SNMP access to it. You can't configure it and you can't get info back from it. If your firewall folk would allow full SNMP access just to the MLM, you could do status monitoring in the DMZ via the MLM and report back to top NetView. You would have to hand-add all devices in the DMZ onto your top-level NetView, but then top-level GUI sees everything. Customise your DMZ devices to send traps to MLM (no firewall issues) and then set up MLM to forward traps to top-NetView - again you could use TCP/162 if you wanted. You would have status glitches on your top-level NetView if anyone tried to do Test->Ping (in fact test anything in the DMZ!), but MLM should be able to report status. If your MLM dies, you're dead until he's back up.

Anyone got any more eggs???

Cheers,
Jane
"Gow Kevin (KTSO 4)" wrote:
> Folks,
>
> I am in a bit of a bind. I have some 25 DMZs and secure areas that I need to
> monitor within NetView. The problem is, the FireWall admins (by order of the
> security people) do NOT, and will not, let ping and snmp traffic through. They
> may be willing to compromise if I had a secure link, and the traffic was
> encrypted.
> It seems I may need to wait for SNMP v3 for that. In the meantime, I am
> trying to find a solution that will keep the security folks calm, and the
> FireWall masters happy.
>
> "Extending Network Management Through Firewalls" - a red book
> by Stephen Hochstetler has some good solutions. Trying to get the budget
> to install extra equipment to create a secure environment as described in this
> book is out of the question. I am under some severe financial restraints. I
> cannot put a separate AIX box with its own NetView in each DMZ either.
> It also seems I will have a hard time getting the OK for NT boxes in some
> of these DMZ as NT / Win 2000 is considered too much of a risk.
>
> To make it even more of a challenge, the operations folk want consolidated
> consoles. A web browser for each DMZ is not an option. All relevant traps need
> to end up in TEC. The NetView guys responsible for the maps want to work
> with only one NetView, and at best, only one map.
>
> Surely I am not the only one in this situation? How did other folks cross
> these hurdles? Are you using an "add on" product? Did you write your own
> in-house solution? Did you get your FireWall admins / security people to
> compromise? I am interested in hearing how you guys solved these problems
> or how you manage your DMZs and secure areas. Are they even being managed,
> or is it just not worth the effort?
>
> Sympathy, insight and advice most welcome.
>
> Regards,
> Kevin.
>
> --
> Kevin Gow
> Network Management
> CREDIT SUISSE FINANCIAL SERVICES
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: nv-l-unsubscribe@lists.tivoli.com
> For additional commands, e-mail: nv-l-help@lists.tivoli.com
>
> *NOTE*
> This is not an Official Tivoli Support forum. If you need immediate
> assistance from Tivoli please call the IBM Tivoli Software Group
> help line at 1-800-TIVOLI8(848-6548)
--
Tivoli Certified Consultant & Instructor
Skills 1st Limited, 2 Cedar Chase, Taplow, Bucks, SL6 0EU, UK
Tel: +44 (0)1628 782565
Copyright (c) 2002 Jane Curry <jane.curry@skills-1st.co.uk>. All rights
reserved.
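As an added example (not code from this thread, from NetView or from Skills 1st), the heartbeat scheme Jane describes, where each DMZ NetView beats to the top-level NetView and the top level alerts when a subsidiary goes quiet, worked through in Python over constructed trap records. The heartbeat interval, the missed-beat threshold and the `ts=/src=/kind=` record format are assumptions; carrying the forwarding DMZ's name in the trap itself is one way round the "which DMZ NV forwarded this?" question raised above.

```python
# Heartbeat watchdog for subsidiary (DMZ) NetViews, modelled on the scheme
# described above: each DMZ NetView sends periodic heartbeat traps to the
# top-level NetView, which alerts when a subsidiary falls silent.  Added
# illustration, not code from the thread or from NetView itself.
from dataclasses import dataclass, field

HEARTBEAT_INTERVAL = 60   # seconds between heartbeats (assumed value)
MISSED_BEFORE_ALERT = 3   # missed beats tolerated before alerting (assumed)

@dataclass
class HeartbeatWatchdog:
    interval: int = HEARTBEAT_INTERVAL
    missed: int = MISSED_BEFORE_ALERT
    last_seen: dict = field(default_factory=dict)   # dmz name -> epoch secs

    def record(self, dmz_id, ts):
        # Keep the newest heartbeat per DMZ; a late, out-of-order trap must
        # not make a subsidiary look staler than it really is.
        if ts >= self.last_seen.get(dmz_id, 0):
            self.last_seen[dmz_id] = ts

    def overdue(self, now):
        # Subsidiaries silent for longer than `missed` heartbeat intervals.
        limit = self.interval * self.missed
        return sorted(d for d, t in self.last_seen.items() if now - t > limit)

def parse_heartbeat(line):
    """Parse a constructed trap record 'ts=<epoch> src=<dmz> kind=<trap>'.
    `src` names the forwarding DMZ NetView explicitly (no reliance on DNS).
    Returns (src, ts) for heartbeats and None for any other trap kind."""
    fields = dict(part.split("=", 1) for part in line.split())
    if fields.get("kind") != "heartbeat":
        return None
    return fields["src"], int(fields["ts"])

# Constructed samples: dmz-a keeps beating, dmz-b stops after 1060, and
# dmz-c beats once and then only sends a linkDown trap.
SAMPLE_TRAPS = [
    "ts=1000 src=dmz-a kind=heartbeat", "ts=1000 src=dmz-b kind=heartbeat",
    "ts=1000 src=dmz-c kind=heartbeat", "ts=1060 src=dmz-a kind=heartbeat",
    "ts=1060 src=dmz-b kind=heartbeat", "ts=1100 src=dmz-c kind=linkDown",
    "ts=1120 src=dmz-a kind=heartbeat", "ts=1180 src=dmz-a kind=heartbeat",
]

def check_sample(now):
    """Replay the samples; return the DMZ NetViews presumed lost at `now`."""
    wd = HeartbeatWatchdog()
    for hb in filter(None, map(parse_heartbeat, SAMPLE_TRAPS)):
        wd.record(*hb)
    return wd.overdue(now)   # check_sample(1300) -> ['dmz-b', 'dmz-c']
```

The threshold deliberately tolerates a couple of dropped traps, since SNMP traps over UDP are unacknowledged and a single lost heartbeat should not page anyone.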