Hi Bill, and thanks a lot for all the info. I really appreciate it!
So, if I understand, to retrieve the ARP cache I absolutely need to talk
SNMP (protocol) with at least one box carrying busy internet traffic (like a
router)?
Can I talk to an internet router (I know this is unusual, but it is for my
own test) to retrieve the IP address list?
If yes, do I need to set something in NetView, or is putting the address of this
router in my seed file enough?
Thanks
Dominic
On Fri, 2003-03-14 at 17:57, Bill Evans wrote:
> Dominic,
>
> I think the simple answer is "Because that's the way it was designed by
> HP back in the 1980s when IBM and HP shared the NetView/OpenView code."
> Not satisfying but there were good reasons for that design. Some
> reasons dealing with security were only appreciated recently. The other
> reasons were more important in the days of slow network links like major
> trunks at 9600 baud. An SNMP query of an ARP cache was more efficient
> than massive ping sweeps.
>
> SOAPBOX ON
>
> In a modern network, especially the ones I've been working on recently,
> they really get upset if you try to "Discover" the network. Their
> security insists that you KNOW exactly what you want to monitor and part
> of the installation is to double check that everything you discover is
> known and everything known is discovered. Every single device is put in
> the initial seed file to guarantee that it is discovered then NVDBFORMAT
> is executed to make sure you get them all.
>
> In the world of NIMDA and Code Red viruses, firewalls and constant
> threats, everyone should be careful about knowing exactly what nodes are
> attached to a network. I think the reported SNMP exposure identified a
> year or two ago was a red herring since it assumed that some bad
> practices exist in NetView trap automation but I would be very careful
> what nodes I discovered and what traps I processed.
>
> A simple loop to issue a ping with a one second timeout addressed to
> every address in your seed file range will probably result in finding
> all the nodes. BUT, indiscriminate polling advertises you have a
> NetView which can reach the receiving node and odds are the SNMP window
> is open both ways. (Come on hackers, here I am.)
>
> Likewise, I don't like simple direct automation from trapd.conf
> definitions. Either use a Ruleset with filtering or put filtering in
> the scripts invoked. Tivoli closed the known exposure when CERT issued
> their SNMP advisory but it is a historic point of attack.
>
> Finally, if you DO discover something not in the seed file (NetView
> generates a trap when it happens) it should cause a security notice to
> be posted. Either you missed a node in your provisioning, someone
> violated registration procedures or you just found a network intruder.
>
> OK. I'm paranoid. Got that way consulting for the Departments of
> Defense and Treasury. (Guns and Money seem to be our culture's hot
> points.) If you want to find out if you have good security in the
> installation, try turning NVSNIFFER on from a Windows node without
> telling anyone. The default configuration automatically tests the
> major TCPIP ports (FTP, HTTP, TELNET, etc) by sending a query packet
> every hour. (Conversely, if you do decide to use NVSNIFFER, let network
> Security know ahead of time. They get excited when they see massive
> numbers of repeated TCPIP probes.)
>
> SOAPBOX OFF (finally).
>
> Happy Seed File editing. I request the customer to provide me with the
> addresses they want monitored then process the list through some scripts
> to provide SEED, HOSTS and LOCATION.CONF files. Actually I ask for the
> IP Address, device hostname, location and community name. I can locate
> hostname (either nslookup or snmpwalk for sysname) and location
> (snmpwalk for syslocation) if I have the other two.
>
> Dominic D'Apice wrote:
>
> >Hi again,
> >
> >Any hint or advice why NetView only discovers a node if and only if I
> >ping the node or add an IP address in the seed file => "initial
> >discovery seed"??
> >
> >
> >Hints will be appreciated.
> >Thanks
> >Dominic
> >
> >
>
>
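Bill's recommendations boil down to one control: every node in the seed file must be discovered, and everything discovered must already be in the seed file, with any stray node raising a security notice. The script below is an added example of that reconciliation, not code from the thread or from NetView itself. It assumes a seed file with one IP address per line and `#` comments, a discovered-node list of `ip hostname` pairs (both sample inputs are constructed here), and it also produces the HOSTS file that Bill generates from the customer's inventory.

```python
"""Reconcile a NetView seed file against the list of discovered nodes.

Added example (not from the mailing-list thread or from NetView).
Assumed formats: seed file = one IP address per line, '#' starts a comment;
discovered list = 'ip hostname' per line. Both inputs below are constructed.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed sample seed file: the nodes the customer says they own.
SEED_FILE = """\
# core routers
10.1.1.1
10.1.1.2
# servers
10.1.2.10
10.1.2.11
"""

# Constructed sample of what discovery actually reported.
DISCOVERED = """\
10.1.1.1 core-rtr-1
10.1.1.2 core-rtr-2
10.1.2.10 www1
10.1.3.77 unknown-host
"""


def parse_seed(text: str) -> Set[str]:
    """Return the set of provisioned addresses, normalised via ipaddress."""
    known: Set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        known.add(str(ipaddress.ip_address(line)))  # raises on garbage entries
    return known


def parse_discovered(text: str) -> Dict[str, str]:
    """Map discovered address -> hostname as reported by discovery."""
    found: Dict[str, str] = {}
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 2:
            continue
        found[str(ipaddress.ip_address(parts[0]))] = parts[1]
    return found


def reconcile(known: Set[str], found: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Return (provisioned-but-not-discovered, discovered-but-not-provisioned)."""
    missing = sorted(known - set(found), key=ipaddress.ip_address)
    strays = sorted(set(found) - known, key=ipaddress.ip_address)
    return missing, strays


def security_notices(found: Dict[str, str], strays: List[str]) -> List[str]:
    """One notice per stray node: a provisioning miss, a registration
    violation, or an intruder; either way somebody has to look at it."""
    return [
        f"SECURITY NOTICE: discovered node {ip} ({found[ip]}) is not in the seed file"
        for ip in strays
    ]


def hosts_file(known: Set[str], found: Dict[str, str]) -> str:
    """Build HOSTS entries only for nodes that are both provisioned and seen."""
    both = sorted(known & set(found), key=ipaddress.ip_address)
    return "".join(f"{ip}\t{found[ip]}\n" for ip in both)


if __name__ == "__main__":
    known = parse_seed(SEED_FILE)
    found = parse_discovered(DISCOVERED)
    missing, strays = reconcile(known, found)
    for ip in missing:
        print(f"WARNING: seed node {ip} was not discovered; check provisioning")
    for line in security_notices(found, strays):
        print(line)
    print(hosts_file(known, found), end="")
```

Run against a real installation, the discovered list would come from NetView's own topology export rather than the constructed string, and the stray-node notices are the ones worth wiring to whatever channel network security watches.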
---------------------------------------------------------------------
To unsubscribe, e-mail: nv-l-unsubscribe@lists.tivoli.com
For additional commands, e-mail: nv-l-help@lists.tivoli.com
*NOTE*
This is not an Offical Tivoli Support forum. If you need immediate
assistance from Tivoli please call the IBM Tivoli Software Group
help line at 1-800-TIVOLI8(848-6548)