Dominic,
I think the simple answer is "Because that's the way it was designed by
HP back in the 1980s when IBM and HP shared the NetView/OpenView code."
Not satisfying but there were good reasons for that design. Some
reasons dealing with security were only appreciated recently. The other
reasons were more important in the days of slow network links like major
trunks at 9600 baud. An SNMP query of an ARP cache was more efficient
than massive ping sweeps.
SOAPBOX ON
In a modern network, especially the ones I've been working on recently,
they really get upset if you try to "Discover" the network. Their
security insists that you KNOW exactly what you want to monitor and part
of the installation is to double check that everything you discover is
known and everything known is discovered. Every single device is put in
the initial seed file to guarantee that it is discovered then NVDBFORMAT
is executed to make sure you get them all.
In the world of NIMDA and Code Red viruses, firewalls and constant
threats, everyone should be careful about knowing exactly what nodes are
attached to a network. I think the reported SNMP exposure identified a
year or two ago was a red herring since it assumed that some bad
practices exist in NetView trap automation but I would be very careful
what nodes I discovered and what traps I processed.
A simple loop to issue a ping with a one second timeout addressed to
every address in your seed file range will probably result in finding
all the nodes. BUT, indiscriminate polling advertises you have a
NetView which can reach the receiving node and odds are the SNMP window
is open both ways. (Come on hackers, here I am.)
Likewise, I don't like simple direct automation from trapd.conf
definitions. Either use a Ruleset with filtering or put filtering in
the scripts invoked. Tivoli closed the known exposure when CERT issued
their SNMP advisory but it is a historic point of attack.
Finally, if you DO discover something not in the seed file (NetView
generates a trap when it happens) it should cause a security notice to
be posted. Either you missed a node in your provisioning, someone
violated registration procedures or you just found a network intruder.
OK. I'm paranoid. Got that way consulting for the Departments of
Defense and Treasury. (Guns and Money seem to be our culture's hot
points.) If you want to find out if you have good security in the
installation, try turning NVSNIFFER on from a Windows node without
telling anyone. The default configuration automatically tests the
major TCPIP ports (FTP, HTTP, TELNET, etc) by sending a query packet
every hour. (Conversely, if you do decide to use NVSNIFFER, let network
Security know ahead of time. They get excited when they see massive
numbers of repeated TCPIP probes.)
SOAPBOX OFF (finally).
Happy Seed File editing. I request the customer to provide me with the
addresses they want monitored then process the list through some scripts
to provide SEED, HOSTS and LOCATION.CONF files. Actually I ask for the
IP Address, device hostname, location and community name. I can locate
hostname (either nslookup or snmpwalk for sysname) and location
(snmpwalk for syslocation) if I have the other two.
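The seed-versus-discovered double check described above, as an added example that is not NetView's own tooling or the poster's scripts: it assumes the seed file and the discovered-node list each hold one IP address per line (the seed file may carry '#' comments), and all file names and addresses are constructed.

```shell
#!/bin/sh
# Added example (not NetView's own tooling): reconcile a NetView seed file
# against the list of nodes NetView actually discovered, so that everything
# discovered is known and everything known is discovered.
# Assumptions: both files hold one IP address per line; the seed file may
# carry '#' comments and blank lines. File names below are constructed.
LC_ALL=C; export LC_ALL

# Strip comments/blank lines and sort uniquely so comm(1) can compare the lists.
normalize() {
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1" | sort -u
}

# Addresses in the discovered list but not in the seed file: a provisioning
# miss, a registration violation, or an intruder.
unknown_nodes() {
    s=$(mktemp); d=$(mktemp)
    normalize "$1" >"$s"; normalize "$2" >"$d"
    comm -13 "$s" "$d"
    rm -f "$s" "$d"
}

# Addresses in the seed file that discovery never found: check the seed entry
# or the device itself.
missing_nodes() {
    s=$(mktemp); d=$(mktemp)
    normalize "$1" >"$s"; normalize "$2" >"$d"
    comm -23 "$s" "$d"
    rm -f "$s" "$d"
}

# Emit one notice per discrepancy; return 1 when unknown nodes were found so a
# wrapper can escalate to a security notice.
reconcile() {
    rc=0
    for n in $(unknown_nodes "$1" "$2"); do
        echo "SECURITY NOTICE: discovered node $n is not in seed file $1"; rc=1
    done
    for n in $(missing_nodes "$1" "$2"); do
        echo "WARNING: seed file node $n was not discovered"
    done
    return $rc
}

# Constructed sample data: three seeded nodes, one of them never discovered,
# plus one discovered node nobody provisioned.
SEED_FILE=$(mktemp); DISCOVERED_FILE=$(mktemp)
printf '# core router\n10.0.0.1\n10.0.0.2 # switch\n10.0.0.3\n' >"$SEED_FILE"
printf '10.0.0.1\n10.0.0.2\n10.0.0.9\n' >"$DISCOVERED_FILE"
reconcile "$SEED_FILE" "$DISCOVERED_FILE" || echo "unknown nodes present: investigate"
```

Run it after NVDBFORMAT has produced the discovered-node list, or from a cron job, and route the SECURITY NOTICE lines to whoever owns node registration.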
Dominic D'Apice wrote:
Hi again,
any hint or advice why Netview only discovers a node if and only if I
ping the node or when I add an IP address in the seed file => "initial
discovery seed" ??
Hints will be appreciated
Thanks
Dominic
---------------------------------------------------------------------
To unsubscribe, e-mail: nv-l-unsubscribe@lists.tivoli.com
For additional commands, e-mail: nv-l-help@lists.tivoli.com
*NOTE*
This is not an Official Tivoli Support forum. If you need immediate
assistance from Tivoli please call the IBM Tivoli Software Group
help line at 1-800-TIVOLI8(848-6548)