Re: [nv-l] [Fwd: Auto-discovering problem...]

To: wvevans@prodigy.net
Subject: Re: [nv-l] [Fwd: Auto-discovering problem...]
From: "Dominic D'Apice" <dapiced@sympatico.ca>
Date: 14 Mar 2003 18:26:22 -0500
Cc: netview list good <nv-l@lists.tivoli.com>
In-reply-to: <3E725E4C.2000905@attglobal.net>
References: <1047678323.8814.4.camel@dom> <3E725E4C.2000905@attglobal.net>

Hi Bill, and thanks a lot for all the info, I really appreciate it!

So, if I understand, to retrieve the ARP cache, I absolutely need to talk
SNMP (protocol) with at least one box carrying busy internet traffic (like
a router)?

Can I talk to an internet router (I know this is unusual but it is for my
own test) to retrieve the IP address list?

If yes, do I need to set something in NetView, or is putting the address of
this router in my seed file enough?

Thanks
Dominic


On Fri, 2003-03-14 at 17:57, Bill Evans wrote:
> Dominic,
> 
> I think the simple answer is "Because that's the way it was designed by 
> HP back in the 1980s when IBM and HP shared the NetView/OpenView code." 
>  Not satisfying but there were good reasons for that design.  Some 
> reasons dealing with security were only appreciated recently.  The other 
> reasons were more important in the days of slow network links like major 
> trunks at 9600 baud.  An SNMP query of an ARP cache was more efficient 
> than massive ping sweeps.  
> 
> SOAPBOX ON
> 
> In a modern network, especially the ones I've been working on recently, 
> they really get upset if you try to "Discover" the network.  Their 
> security insists that you KNOW exactly what you want to monitor and part 
> of the installation is to double check that everything you discover is 
> known and everything known is discovered.  Every single device is put in 
> the initial seed file to guarantee that it is discovered then NVDBFORMAT 
> is executed to make sure you get them all.  
> 
> In the world of NIMDA and Code Red viruses, firewalls and constant 
> threats, everyone should be careful about knowing exactly what nodes are 
> attached to a network. I think the reported SNMP exposure identified a 
> year  or two ago was a red herring since it assumed that some bad 
> practices exist in NetView trap automation but I would be very careful 
> what nodes I discovered and what traps I processed.  
> 
> A simple loop to issue a ping with a one second timeout addressed to 
> every address in your seed file range will probably result in finding 
> all the nodes.  BUT, indiscriminate polling advertises you have a 
> NetView which can reach the receiving node and odds are the SNMP window 
> is open both ways. (Come on hackers, here I am.)  
> 
> Likewise, I don't like simple direct automation from trapd.conf 
> definitions.  Either use a Ruleset with filtering or put filtering in 
> the scripts invoked. Tivoli closed the known exposure when CERT issued 
> their SNMP advisory but it is a historic point of attack.  
> 
> Finally, if you DO discover something not in the seed file (NetView 
> generates a trap when it happens) it should cause a security notice to 
> be posted.  Either you missed a node in your provisioning, someone 
> violated registration procedures or you just found a network intruder.  
> 
> OK.  I'm paranoid.  Got that way consulting for the Departments of 
>  Defense and Treasury.  (Guns and Money seem to be our culture's hot 
> points.)  If you want to find out if you have good security in the 
> installation, try turning NVSNIFFER on from a Windows node without 
> telling anyone.  The default configuration automatically tests the 
> major TCPIP ports (FTP, HTTP, TELNET, etc) by sending a query packet 
> every hour. (Conversely, if you do decide to use NVSNIFFER, let network 
> Security know ahead of time.  They get excited when they see massive 
> numbers of repeated TCPIP probes.) 
> 
> SOAPBOX OFF (finally).
> 
> Happy Seed File editing.  I request the customer to provide me with the 
> addresses they want monitored then process the list through some scripts 
> to provide SEED, HOSTS and LOCATION.CONF files. Actually I ask for the 
> IP Address, device hostname, location and community name.  I can locate 
> hostname (either nslookup or snmpwalk for sysname) and location 
> (snmpwalk for syslocation) if I have the other two.  
> 
> Dominic D'Apice wrote:
> 
> >Hi again,
> >
> >Any hint or advice why NetView only discovers a node if and only if I
> >ping a node or when I add an IP address in the seed file => "initial
> >discovery seed" ?? 
> >
> >
> >A hint will be appreciated
> >Thanks
> >Dominic
> >  
> >
> 
> 
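
The check Bill describes in the quoted message (everything discovered is known, everything known is discovered), as an added example that is not part of the original thread and is not NetView code. The inventory format (one IPv4 address or CIDR block per line, `#` comments) and all addresses are constructed assumptions, not NetView's seed file syntax.

```python
import ipaddress

# Constructed sample inventory (one address or CIDR per line, '#' starts a
# comment). Assumed format for illustration, not NetView's seed file syntax.
KNOWN = """\
# core routers
10.1.1.1
10.1.1.2
# server subnet
10.1.2.0/30
"""

# Constructed sample of addresses reported by discovery; last line is malformed.
DISCOVERED = """\
10.1.1.1
10.1.2.1
10.1.2.2
10.1.9.77
010.1.1.2x
"""

def parse_inventory(text):
    """Return (hosts, networks, rejected) parsed from an inventory listing."""
    hosts, networks, rejected = set(), [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            if "/" in entry:
                networks.append(ipaddress.ip_network(entry, strict=True))
            else:
                hosts.add(ipaddress.ip_address(entry))
        except ValueError:
            rejected.append(entry)  # never silently drop unparseable input
    return hosts, networks, rejected

def reconcile(known_text, discovered_text):
    """Split discovery results into unregistered, missing and rejected."""
    known_hosts, known_nets, bad_known = parse_inventory(known_text)
    found, _, bad_found = parse_inventory(discovered_text)
    key = lambda a: (a.version, int(a))  # stable order across IPv4/IPv6
    def is_known(addr):
        return addr in known_hosts or any(addr in n for n in known_nets)
    return {
        "unregistered": sorted((a for a in found if not is_known(a)), key=key),
        "missing": sorted(known_hosts - found, key=key),
        "rejected": bad_known + bad_found,
    }
```

An "unregistered" entry corresponds to the case that should raise a security notice; a "missing" entry is a provisioned node that discovery never reached.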


